Firewall Wizards mailing list archives
RE: Differences between firewall-packages like FW-1 and packetfilter
From: ark () eltex ru
Date: Fri, 19 May 2000 12:29:45 +0400
nuqneH,

Too bad expensive does not mean good too. There are many good free things and quite a few commercial ones that are worth the money they cost.

"Omar Fahnbulleh" <Otariq () bellatlantic net> said :

> In this business being CHEAP is not good. FREE is not good. Spend the money.
>
> -----Original Message-----
> From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of ark () eltex ru
> Sent: Monday, May 15, 2000 2:58 PM
> To: andreas () pretzsch de
> Cc: firewall-wizards () nfr net
> Subject: Re: [fw-wiz] Differences between firewall-packages like FW-1 and packetfilter
>
> nuqneH,
>
> Andreas Pretzsch <andreas () pretzsch de> said :
>
> > I looked at some firewall-packages like FW-1 and I just don't see THE big difference to a packet filter like in Linux 2.2/2.3 combined with some GUI and some logfile-parser. Taking a closer look at the packet filter in later Linux 2.3.x (or to be more precise, the interface to it, iptables), I have the feeling this packet filter includes everything you could do with ip-packets and the typical protocols based on it. Same applies to the protocol-level-filters available. For me this raises two questions: What advantages could I get from buying a tool like FW-1 instead of using a glued-together solution based on iptables, a gui and a few reporting-scripts ?
>
> Saving your time. FW-1 is not a good choice if you need a flexible solution, though. Proxy-based firewalls can provide you better control and monitoring, though.
>
> > Is there anything FW-1 (or other packages like Gauntlet) could do for me the upper solution can't ?
>
> Yes. You did not mention VPN, authentication, content inspection and application-level control. And saving your time, again.
>
> > Let me make one restriction: I'm only talking about small and simple firewalls, not the huge thing altavista might need ... My typical scenario: A small network with a few Win-boxes in it, perhaps a few unices too. They should be connected to the internet, mostly with masquerading, over a linux-box, which is often running a mailserver (qmail) too. In some cases there are a few more things on the linux-box, like an apache or a squid. None of these networks needs really high-level-protection, as they are of a small local bicycle-seller or so. A less typical scenario: There is a DMZ with static IPs, routing a few systems (mostly NT-boxes with proprietary software on it) to the net. All other things like scenario 1. Of course I'm using two physically different networks when possible, but what could do a commercial firewall-package to me what I can't do by hand ? I mean, beside the task of glueing things together ?
>
> Maybe you don't really _need_ commercial firewall package, but it depends on how much does your time cost and what level of comfort and manageability do you expect from the working system.
>
> > BTW, I looked at some scripts for building packet filters and at some predefined rule sets, but every script I looked at kills the one or other packet defeating this-and-this attack, but none is complete, or even near to complete.
>
> Concatenate, then ;)
>
> > Isn't there something doing the right thing (tm) for a typical scenario ? Why use a commercial packet if I have to do it by hand even with such a product ?
>
> Some commercial products let you do what you need in a more efficient way. Other ones do what developers think you need for you. It depends on your choice and how much do you know about the things inside.
CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!