Date: Fri, 29 May 1998 15:08:47 +0200 (CEST)
From: Andrzej Bialecki <abial@nask.pl>
To: Josh <josh@frantastic.com>
Cc: isp@FreeBSD.ORG
Subject: Re: Firewall software
Message-ID: <Pine.NEB.3.95.980529150205.25046A-100000@korin.warman.org.pl>
In-Reply-To: <Pine.BSF.3.96.980526143749.5299B-100000@elvis.mu.org>

On Tue, 26 May 1998, Josh wrote:

> On Tue, 26 May 1998, Kim Shrier wrote:
> > Firewall-1 only runs on NT
> > and uses "stateful inspection" as its method of providing protection.
> > This is considered to be less secure than proxies. Since maintaining
> > anything on NT is a pain, I usually avoid NT if at all possible.
>
> Actually, firewall-1 will run on NT, HP-UX, AIX, Solaris and SunOS. The
> firewall client that is used to maintain firewall-1 can be run from
> windows95/nt or as a motif application under xwindows, regardless of which
> type of platform the engine runs on. It is true that stateful inspection
> does not offer the same protection that a proxying system might for a
> particular protocol, but it does provide protection independent of
> application level protocol (i.e. it's modular). It's also very common to
> combine firewall-1 with some type of a proxy server to provide greater
> protection.

It is also true that their approach has at least one benefit: it's fast.
All the crucial code sits inside the kernel (the rules are compiled by the
user-space program and then downloaded to the kernel module).

It also has some drawbacks: the GUI front-end requires you to constantly
click to and fro in order to do some simple things. It finally produces an
ASCII config file, but if you try to edit it yourself, be prepared for
something which looks like LISP or ASN.1 - it's not easy to prepare it
manually, so you are bound to use the GUI...

I also observed something which looks like erroneous packets when using
translation... but it might be the pilot's error.

Andrzej Bialecki

--------------------+---------------------------------------------------------
abial@nask.pl       | if(halt_per_mth > 0) { fetch("http://www.freebsd.org") }
Research & Academic | "Be open-minded, but don't let your brains to fall out."
Network in Poland   | All of the above (and more) is just my personal opinion.
--------------------+---------------------------------------------------------