Firewall Wizards mailing list archives
Re: Differences between firewall-packages like FW-1 and packetfilter
From: "Dameon D. Welch-Abernathy" <dwelch () phoneboy com>
Date: Mon, 15 May 2000 23:04:06 -0700
On Sat, May 13, 2000 at 02:08:07PM -0400, Chris Brenton wrote:
> Let's just talk two products, FW-1 & iptables/NetFilter since they are both based on the same type of technology: Both do stateful filtering. FW-1 maintains state on TCP & UDP only. I would have to review iptables to see if it includes anything else but I know it at least covers these two as well.
Depending on what mood FireWall-1 is in, you can also have it do stateful inspection of ICMP (as of 4.0).
> Problems posted to the iptables/netfilter mailing list are responded to *very* quickly by the people who code the software. When's the last time you've seen technical help posted from a CP mailing address to this or any other list (including CP's own FW-1 list)?
But what about PhoneBoy? (Though I suppose I don't answer *every* technical query that comes across the list -- if I did, I wouldn't have a life!)
> FW-1 has a nice draw and configure GUI, iptables is all command line. Personally, I prefer a command line but for a newbie trying to get up to speed the ability to draw a picture of your network and have your policy auto-generated would be considered a big plus. Of course this opens the question "Should a newbie be configuring a firewall?" which is a completely different debate. ;)
I've had a few people in my Check Point classes that didn't understand TCP/IP very well. It made for a very difficult class.
> [ The problem with INSPECT is ] A) The language is undocumented (maybe 5 people in the world fully understand it)
I'm trying to broaden my own understanding of it, but I assume the 5 people in the world you are referring to work at Check Point. :-)
> B) SI changes with each FW-1 revision (combine with "A" and this is bad)
The basic language itself hasn't changed, though some of the built-in functions have changed.
> C) CP support will not talk to you if you've modified SI yourself
I think that's because of "A".
> The big difference for me is the logging ability. FW-1 only logs the first packet, does not report header info beyond IP & port numbers, and in some cases lies about what it lets through and what it does not.
If you really wanted to, you could modify FireWall-1 to do this as well. But again, it involves modifying INSPECT code... :-)

-- PhoneBoy
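The thread compares the two products on stateful tracking of TCP, UDP and ICMP and on how much of each connection gets logged. The ruleset below is an added example written for this archive page, not code from either poster or from the netfilter project: it shows what the iptables side of that comparison looks like in practice, with connection tracking for all three protocols, INVALID packets logged and dropped, and the first packet of a new SSH session logged with full TCP header options. WAN_IF and LAN_NET are assumed placeholder values; the rules are only printed unless apply_rules is called as root on a host with iptables installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. WAN_IF and LAN_NET are
# assumed placeholders; override them in the environment before applying.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as text so it can be reviewed (or diffed against the
# running policy) before anything is pushed into the kernel.
gen_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Packets belonging to a tracked TCP, UDP or ICMP flow are let back in.
# (The 2000-era spelling of this was "-m state --state ESTABLISHED,RELATED".)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any flow (a stray ACK, say): log, then drop.
iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID: " --log-level 4
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP is tracked too: an echo-reply is only accepted as RELATED/ESTABLISHED
# if we sent the matching echo-request out of $WAN_IF.
iptables -A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# Log the first packet of every new inbound SSH session, including TCP and IP
# options in the header, then accept the flow.
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "SSH-NEW: " --log-tcp-options --log-ip-options
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log what the default DROP policy will eat, rate-limited so the log cannot be flooded.
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Number of actual iptables commands in the generated ruleset (comments excluded).
rule_count() {
  gen_rules | grep -vc '^#'
}

# Apply the generated rules; requires root and the iptables binary.
apply_rules() {
  gen_rules | grep -v '^#' | sh -e
}

# Default action when run directly: print the rules for review.
gen_rules
```

Review the output of gen_rules before calling apply_rules; on a remote box, also add a rule accepting the SSH session you are logged in over before the default policies are set, or the ESTABLISHED,RELATED rule will be the only thing keeping you connected.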
Current thread:
- Differences between firewall-packages like FW-1 and packetfilter Andreas Pretzsch (May 12)
- Re: Differences between firewall-packages like FW-1 and packetfilter Chris Brenton (May 15)
- Re: Differences between firewall-packages like FW-1 and packetfilter Dameon D. Welch-Abernathy (May 17)
- Re: Differences between firewall-packages like FW-1 and packetfilter Chris Brenton (May 17)
- Re: Differences between firewall-packages like FW-1 and packetfilter Dameon D. Welch-Abernathy (May 17)
- Re: Differences between firewall-packages like FW-1 and packetfilter Dameon D. Welch-Abernathy (May 17)
- Re: Differences between firewall-packages like FW-1 and packetfilter Chris Brenton (May 15)
- <Possible follow-ups>
- Re: Differences between firewall-packages like FW-1 and packetfilter ark (May 17)
- RE: Differences between firewall-packages like FW-1 and packetfilter ark (May 19)