From owner-freebsd-isp Thu Apr 24 09:15:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA14058
    for isp-outgoing; Thu, 24 Apr 1997 09:15:06 -0700 (PDT)
Received: from ocean.campus.luth.se (ocean.campus.luth.se [130.240.194.116])
    by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA14024;
    Thu, 24 Apr 1997 09:14:55 -0700 (PDT)
Received: (from karpen@localhost) by ocean.campus.luth.se (8.7.5/8.7.3)
    id SAA16227; Thu, 24 Apr 1997 18:22:53 +0200 (MET DST)
From: Mikael Karpberg
Message-Id: <199704241622.SAA16227@ocean.campus.luth.se>
Subject: Re: Commercial vs built in firewall capabilities of FreeBSD
To: mike@sentex.net (Mike Tancsa)
Date: Thu, 24 Apr 1997 18:22:52 +0200 (MET DST)
Cc: freebsd-isp@freebsd.org, security@freebsd.org
In-Reply-To: <3.0.1.32.19970424111952.00a1f1e0@sentex.net> from Mike Tancsa at "Apr 24, 97 11:19:52 am"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Mike Tancsa:
>
> After looking around a lot of the firewall sites and browsing through the
> firewall list archives, I am still not entirely clear what a commercial
> firewall costing $10K U.S. would give me over the basic firewalling
> capabilities in FreeBSD combined with sshd, NAT, proxy servers and or SOCKS
> v5... Although VPN would be a very nice feature to have to link up remote
> offices, if this is not necessary, should we recommend to the client to go
> out and spend $10K on a commercial firewall solution as opposed to a
> FreeBSD box ?

How's "Firewall1"'s ability to analyze the traffic and such, for example?
Like, it can let outgoing UDP go out, and answers to it come back, but
nothing else. And it will look into FTP packets and snoop your connections
for port setups, and let that port connect, when it comes.
Thereby, ftp, archie, or anything else which has problems with firewalls
will work as expected. And... you can make it filter out the ActiveX
components of web pages, etc.

Plus: You get a real easy to set up, GUI configuration thing, which will by
pure easy-to-use factor make your firewall safer, since you won't forget
anything so easily.

Sure, you can do that with FreeBSD. Just use divert sockets, and write a
program to handle it. Problem is, you'll spend quite a lot of money in
developing the same functions. You DO get something for your money, you
really do.

I'm all for FreeBSD as a firewall, and anything else, basically. However,
it's all about what your budget is. If they have the money, I think it's
probably worth it.

  /Mikael
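
The two stateful behaviours described in the message above (UDP replies admitted only when they answer an outgoing datagram, and FTP PORT commands snooped to open the announced data port), as an added example that is not part of the original post and is not FireWall-1 or FreeBSD code. The class and function names, timeouts and addresses are assumptions, and it models only the decision logic with no NAT, not packet capture through divert sockets.

```python
import re

# FTP active-mode command "PORT h1,h2,h3,h4,p1,p2" (RFC 959).
PORT_RE = re.compile(rb"PORT ((?:\d{1,3},){5}\d{1,3})\r?\n")

def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(b",")]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class StateTable:
    """Tracks outbound traffic; inbound packets pass only if they match it."""

    def __init__(self, udp_ttl=30, ftp_ttl=60):  # timeouts are assumptions
        self.udp_ttl, self.ftp_ttl = udp_ttl, ftp_ttl
        self.udp = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> expiry
        self.ftp = {}  # (server_ip, client_ip, client_port) -> expiry

    def outbound_udp(self, src, sport, dst, dport, now):
        self.udp[(src, sport, dst, dport)] = now + self.udp_ttl

    def outbound_ftp_control(self, client, server, line, now):
        """Snoop one control-channel line; open a pinhole for a valid PORT."""
        ep = parse_port(line)
        # Pinhole only for the client's own address and an unprivileged port.
        if ep is None or ep[0] != client or ep[1] < 1024:
            return False
        self.ftp[(server, client, ep[1])] = now + self.ftp_ttl
        return True

    def allow_inbound(self, proto, src, sport, dst, dport, now):
        if proto == "udp":  # reply must mirror a recent outbound datagram
            return self.udp.get((dst, dport, src, sport), 0) > now
        if proto == "tcp":  # one-shot: the expected FTP data connection
            return self.ftp.pop((src, dst, dport), 0) > now
        return False

# Constructed sample traffic (documentation addresses, not from the post).
fw = StateTable()
fw.outbound_udp("192.0.2.10", 5000, "198.51.100.53", 53, now=0)
fw.outbound_ftp_control("192.0.2.10", "198.51.100.21", b"PORT 192,0,2,10,19,137\r\n", now=0)
print(fw.allow_inbound("udp", "198.51.100.53", 53, "192.0.2.10", 5000, now=1))
print(fw.allow_inbound("tcp", "198.51.100.21", 20, "192.0.2.10", 5001, now=1))
```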