Firewall Wizards mailing list archives
Re: Open Source Personal Firewall?
From: Charles Swiger <cswiger () mac com>
Date: Sun, 14 Dec 2003 14:00:05 -0500
On Dec 13, 2003, at 8:36 PM, Breno Jacinto wrote:
> * Charles Swiger (cswiger () mac com) wrote:
>> Are you looking for an appliance, or are you looking to install OSS software onto an existing machine (presumably commodity Intel hardware)? If the latter, you could start with OpenBSD or a hardened flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the author of IPFW).
>
> Just to avoid confusion: by personal firewalls I refer to software like Zonealarm. It's limited (simple packet filtering) compared to real ones (OpenBSD, Linux etc.), but supposedly more usable.
Per-client "personal firewalls" can encounter a class of usability problems which are not present in external firewalls, when the things break software running locally, for example, but that type of problem isn't extremely common.
> I was looking for an OSS equivalent of Zonealarm, BlackICE and the like. I know many 'real' firewalls - in-kernel, customized OSes - which are OSS, like the ones you mentioned. But they're not 'usable' without an expert (or maybe NO firewall can be of good use without an expert setting it up). The trade-off between usability and security is cruel.
[ ... ]
> That's why PF can come in handy. Like a 'minimum' security for the everyday user. Well, considering the user knows what he is doing...
A number of operating system vendors are shipping "personal firewall" capabilities integrated with their latest OS release: Microsoft has their Internet Connection Sharing, there's the Control Panel applet managing IPFW in Apple's MacOS X 10.3 (Panther), and there's no need to go over the capabilities of Linux and the BSDs from which such firewall technologies originated.
I would argue that the latter is reasonably intuitive, at least, and its options correspond to the list of services one can enable elsewhere, so that if one enables secure login, the firewall config has a checkbox marked "Remote Login - SSH (22)", and under the covers IPFW gets invoked with:
    [ ...loopback anti-spoofing rules trimmed... ]
    allow tcp from any to any out
    allow tcp from any to any established
    allow tcp from any to any 22 in
    deny tcp from any to any

This isn't much different than other systems which construct a firewall ruleset -- there are some websites which will generate such rules based on an HTML form one fills out, but it does the job.
>> 1: And it's been the latter which has tended to result in bugs with most firewalls, another example of the classic tradeoff between ease-of-use and security...
>
> Yes, and the question remains: If we need an expert to set up a 'Personal Firewall', 'cause otherwise the user will not be able to set a decent policy, is there any reason not to use a cheap machine in front of the PCs running OpenBSD/Linux doing NAT (..) rather than a Software (Zonealarm) running in the host itself?
There are certainly advantages to using a separate firewall device instead of a per-client local firewall. First and foremost is that a firewall device won't be running client user applications or initiating and responding to network connections, and taking action on such data such as running software downloaded from the network, knowingly or otherwise (malware).
I was going to say something about trying to come up with a sensible network security policy that doesn't need an expert to understand, but I'm being distracted by a rather impressive snowfall happening outside my windows at the moment... :-)
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
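As an added illustration of the checkbox-to-ruleset mapping Chuck describes (example code written for this archive page, not taken from the message or from Apple's firewall panel): a shell function that emits the same rule order for any set of checked services, plus a small first-match evaluator showing how IPFW would classify a few constructed packets against it. The "Personal Web Sharing:80" label and the yes/no "established" flag are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original message or Apple's firewall panel.
# gen_ruleset mirrors the rule order quoted above: allow outbound, allow
# established, one "allow ... <port> in" per checked service, then deny.
# The loopback/anti-spoofing rules are left out, as in the quoted output.
# Arguments are "<label>:<tcp port>"; labels other than SSH are constructed.
gen_ruleset() {
    echo "allow tcp from any to any out"
    echo "allow tcp from any to any established"
    for svc in "$@"; do
        port=${svc##*:}                     # keep only the port after the colon
        echo "allow tcp from any to any $port in"
    done
    echo "deny tcp from any to any"         # the implicit policy made explicit
}

# classify <ruleset> <in|out> <dst port> <established yes|no>
# Walks the rules top to bottom and prints the action of the first match,
# which is how IPFW evaluates a ruleset. "established" is modelled as a flag.
classify() {
    ruleset=$1; dir=$2; port=$3; est=$4
    while read -r action proto from any1 to any2 rest; do
        case "$rest" in
            out)         if [ "$dir" = out ]; then echo "$action"; return 0; fi ;;
            established) if [ "$est" = yes ]; then echo "$action"; return 0; fi ;;
            "")          echo "$action"; return 0 ;;   # bare rule: matches everything
            *)           if [ "$dir" = in ] && [ "${rest%" in"}" = "$port" ]; then
                             echo "$action"; return 0
                         fi ;;
        esac
    done <<EOF
$ruleset
EOF
    echo "no-match"                         # unreachable once the final deny exists
}

# Stand-alone demo with constructed packets: only the SSH box is checked.
rules=$(gen_ruleset "Remote Login - SSH:22")
printf '%s\n' "$rules"
echo "inbound tcp/22, new:    $(classify "$rules" in 22 no)"    # allow
echo "inbound tcp/80, new:    $(classify "$rules" in 80 no)"    # deny
echo "inbound tcp/80, reply:  $(classify "$rules" in 80 yes)"   # allow
echo "outbound tcp/443, new:  $(classify "$rules" out 443 no)"  # allow
```

The deny-by-default rule is what makes an unchecked service fail closed; adding a second "<label>:<port>" argument inserts exactly one more allow line above it.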