Re: Proxy Firewalls (was FWTK vs T.REX)

[ark () eltex ru]

nuqneH,

On Fri, Jan 31, 2003 at 03:30:08PM +0100, Illes Marton wrote:

> > Statistics, monitoring, QoS control, granular protocol inspection,
> > content filtering and more..
> I beleive QoS is fine if you use the kernel's builtin QoS.
> Contentfiltering and protocol inspection is the task of the appl. proxy.

Who says QoS kernel should be on the firewall box? I mean DSCP marking so
routers may take care of that thing.

> I think a good final solution would  use an appropiate packet
> filter, and good appl. proxy.
>
> The best of the bread way looks good in some manner, but you shold
> consider, that different applications have different quality. With the
> single kit you can acceppt same quality. I prefer using, if possible one
> kit at the same time. BTW: I use Zorp. :)
>
> If you are looking for open/free _working_ firewall kit, than you can have
> FWTK, T.REX, Zorp. (Don't count socks based ones.)
>
> The Zorp GPL tries to provide a working, modern solution for your needs,
> which used to be FWTK.
>
> We can agree that FWTK is a bit obsolate, and there isn't any group
> maintaining it. 

Who says? We do. API is completely different but there are compatibility hooks
that allow any fwtk-compatible proxy to build and run, though it will not 
use Generation 2 API advantages like seeing what happens just when you
type "ps", QoS support i noted and other fancy things.

> T.REX is a collection of proxyes, offten with poor quality
> implementations.

I agree.

> > > FWTK                              I use now
> > > ftp-gw                            FTP w/pasv origin only, squid for readonly
> >
> > still looking for suitable replacement, will probably rewrite
> Zorp has a builtin FTP proxy. Supporting passv, active connections.
>
> > > http-gw                   squid, chrooted on a separate box
> >
> > what about html filtering? squid-gw is the way.
> HTTP proxy, able to do content filtering, and many more tricks.
>
> > > plug-gw                   ssltunnel, plug-gw
> >
> > sslified plug-gw
> We have plug proxy, and ssl proxy (capable to stack other proxy in) So you
> can run HTTPS, with HTTP level content filtering :) Nice feature.

Yep, we don't do MITM ssl yet. But we plan someday. There are certificate
management issues..

> Plug proxy is able to handle not just tcp, but udp as well. It's able to
> handle udp one side, tcp other side traffic.

Trivial to implement, but i've never seen protocols that can work this way ;)

> > > dns                               bind, chrooted (finally)
> Seams reasonable. Personly I don't like djbdns.

Why? djbdns as name server may be PITA but dnscache is just fine.

> > pop3, nntp, cvs, rsh, lpd, tds etc proxies?
> Zorp has in addition: finger, whois (the two most important one :)),

We have those too.

> telnet.
>
> The commercial version has
> more(pop3,imap,nntp,lpd,radius,tftp,sqlnet,etc.)
>
>
> You can download zorp source or binary (debian/woody i386) from
> www.balabit.hu, or you can find it in debian/sid

I know. Actually i find Zorp to be excellent thing, i just chose a bit
different way we like more ;-).

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards