From: Dan Nelson
Date: Mon, 29 Oct 2001 23:26:29 -0600
To: Kelsey Cummings
Cc: Henrik Hudson, Julian Morgan, freebsd-questions@FreeBSD.ORG
Subject: Re: watchguard firewalls
Message-ID: <20011029232629.A31658@dan.emsphone.com>
References: <200110310150.f9V1o4l31631@ashram.rhavenn.net> <20011029174933.X42541@sonic.net>
In-Reply-To: <20011029174933.X42541@sonic.net>
User-Agent: Mutt/1.3.23i
X-OS: FreeBSD 5.0-CURRENT

In the last episode (Oct 29), Kelsey Cummings said:
> On Mon, Oct 29, 2001 at 07:55:06PM -0600, Henrik Hudson wrote:
> > On Monday 29 October 2001 19:21, Julian Morgan wrote:
> > > Sorry - the question is not totally related to BSD - but they are
> > > trying to replace my 7 network BSD structure with these things -
> > > and have given me nearly no detail and I want to make sure it is
> > > a suitable product for VPN firewall capabilities

There's no need to replace anything, unless your 7 machines were all
firewalls (in which case replacing them with a single machine might be a
good idea). The firebox is not a web, ftp, or email server. It filters
and proxies services, but you still have to have a machine behind it
serving up content.
> > They run a Linux kernel in them and are stable if kept updated,
> > etc.... my only real nitpick with them is that they can only log to
> > a NT machine running their logging agent which was a bit
> > annoying.. I mean you're running a Linux kernel, I am sure they could
> > figure out some sort of syslog functionality, but I digress.

Recent versions of the firebox software can do syslog logging (this
feature is about 6 months old, I think)

> Just be warned that the Watchguard firewalls that I've seen can't do
> anything BUT proxy outbound connections which means that the source
> IP address of machines from inside gets hidden. Which is both good
> and really bad.

This has never been true; we are using ours in "drop-in" mode. It only
NATs what you tell it to, and passes the rest through unchanged.

The only big drawback to the Firebox (and it's a big one) is you must
reboot to enable changes to your configuration, which basically means
no changes during business hours.

-- 
Dan Nelson
dnelson@allantgroup.com