
Thread: Various *nix based firewalls, pros and cons of each?

  1. #1

    Various *nix based firewalls, pros and cons of each?

    I'm semi-familiar with ipchains/tables, but I'm afraid that just isn't going to cut it any longer. Could you guys give me a run down of different *nix-based software firewalls, as well as pros and cons of each based upon your own experience? Some links to tutorial research would be great too. Thanks guys!

  2. #2
    Senior Member gore
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I can't give experience for this one but it is awesome from what I hear. I've read both trusted and untrusted sources saying that it's great:

    Sunscreen. This is from Sun and is for UNIX and in particular Solaris:

    Sun Screen is something I'd like to have one day. The configuration looks a lot like a web based Router configuration.

    NetWall is another you might want to look at. It's expensive but that's really the only downside.

    Netfilter might be something you look into as well. But then again that is just IPTables in one way anyway, so you may not.

    If all else fails, there are a few I've found just by searching for them, but mostly they are IPTables front ends.

    http://www.linux-firewall-tools.com/linux/

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    ipcop is an excellent firewall "suite". I say suite because it includes everything you need. squid, vpn, packet queueing, firewall obviously... and then some. ipcop.org

    Shorewall..haven't used it.

    astaro security linux is a "commercial" tool but it's free for home use. I'd check them out..it's strikingly similar to ipcop...hmmm open source is great isn't it?

    openbsd 'pf'..I have loads of hours spent with this, and I enjoy it. It does what I need it to do, and has a few nice additions..works on Freebsd and netbsd iirc.

    iptables/netfilter...well you already know those. I'd use fwbuilder to build a basic ruleset.

    I still question the entire "hardware" vs. "software" firewalls..because what is a *nix box dedicated to firewalling? any hardware firewall still runs an os at the core, no matter how embedded or stripped...so meh.

    ttfn..work is calling
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    There was some thread around here about not really being anything that should be considered a hardware firewall... it's nothing more than a dedicated system for firewalling. I love seeing that "Alpha Shield" gimmick in London Drugs... "100% unhackable security" pfft! :P
    /\

  5. #5
    Senior Member kr5kernel
    Join Date
    Mar 2004
    Posts
    347
    I personally use a dedicated Linux box running a huge iptables script, it has worked very adequately for what we need. My buddy recently used Sunscreen for a university department's firewall and he got hooked on it. I am always looking for the "next thing" for our firewall solution so perhaps IPcop might be beneficial, or I could always dust off my Solaris discs again.....
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
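    kr5kernel's post above mentions a dedicated Linux box driven by a large iptables script. The script below is an added example for this thread, not kr5kernel's script or any code posted here: a small stateful, default-deny ruleset written in POSIX shell. The interface names (eth0/eth1), the LAN range and the two services allowed from the LAN are constructed placeholders; the script prints the iptables commands instead of running them unless DRY_RUN=0 is set, so a ruleset can be reviewed before it is loaded on a live box.

```shell
#!/bin/sh
# Minimal stateful iptables ruleset generator (added example, not kr5kernel's script).
# Assumptions (constructed for this example): WAN_IF faces the internet, LAN_IF faces
# the trusted inside network LAN_NET, and the box offers only SSH and HTTP to the LAN.
# In dry-run mode (the default) the commands are printed instead of executed.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# run <iptables args>: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# build_rules: emit the complete ruleset in order. Default-deny on INPUT and FORWARD,
# allow loopback and already-established state, then a short whitelist, then logging.
build_rules() {
    # Start from a clean table with default-deny policies.
    run -F
    run -X
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback and established/related state first: cheapest and most common matches.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source address must not arrive on the WAN side.
    run -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Services the firewall itself offers, reachable from the LAN only.
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT

    # LAN hosts may open new connections outbound (NAT'd); inbound NEW stays blocked.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Rate-limited logging just before the policy drops the rest, so logs stay readable.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
    run -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
}

# rule_count: number of iptables invocations the script would make (sanity check).
rule_count() {
    DRY_RUN=1 build_rules | wc -l | tr -d ' '
}

# Running the file directly prints (or, with DRY_RUN=0, applies) the ruleset.
build_rules
```

    Ordering matters more than rule count here: the established/related match sits before everything else so the vast majority of packets are accepted after one rule, and the anti-spoofing drops sit before the whitelist so a forged LAN source address never reaches an ACCEPT.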

  6. #6
    Senior Member
    Join Date
    Jul 2004
    Posts
    131

    Re: Various *nix based firewalls, pros and cons of each?

    Originally posted here by poohsuntzu
    I'm semi-familiar with ipchains/tables, but I'm afraid that just isn't going to cut it any longer. Could you guys give me a run down of different *nix-based software firewalls, as well as pros and cons of each based upon your own experience? Some links to tutorial research would be great too. Thanks guys!
    I will assume that this is for personal use, right? Don't deploy this stuff into a production environment unless you are very familiar with it or have someone who is always available who is familiar with it.

    We use a FreeBSD solution.

    Pros - it's very stable and reliable and configurable
    Cons - tricky and time consuming to set up.

    regards
    SL
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Is there a reason why you don't feel Netfilter can do the job?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Well it can, completely. I was just trying to open up to other solutions and learn them rather than just iptables. Chances are I'll stick to iptables though.

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by chsh
    Is there a reason why you don't feel Netfilter can do the job?
    While I like Netfilter for home or small workgroups, I am starting to require all firewalls at the edge of my networks to have awareness of both Anti-Virus and Windows patch levels before granting permission to VPN clients.

    I have not seen Netfilter or NF based products on the radar with this capability.

    Added firewall bonuses are the ability to easily terminate connections other than Ethernet. NF based products fall short here.

    Also, while the NF modules and add-ons along with additional software are starting to become better at layer 3 and application awareness, I feel the start to finish configuration is still a bit long.

    GORE: I too wish to play with Sunscreen. It looks too cool.

    The NOKIA products I run with Checkpoint are BSD(ish) but heavily modified.

    *NIX + Checkpoint is still not a bad way to go though it's feeling old school with all of the turnkey stuff coming out.

    I used to refuse to install any hard-drive based firewall seeing it as a likely point of failure but
    HDD technology has sure come a long way. Keep em cool and dust free and they will SPIN for a long time these days.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by poohsuntzu
    Well it can, completely. I was just trying to open up to other solutions and learn them rather than just iptables. Chances are I'll stick to iptables though.
    Never hurts to broaden your horizons. I only asked because of your wording.

    Originally posted here by ss2chef
    While I like Netfilter for home or small workgroups, I am starting to require all firewalls at the edge of my networks to have awareness of both Anti-Virus and Windows patch levels before granting permission to VPN clients.
    Not being up on VPNs, wouldn't this be a function of your VPN server, not of the firewall?

    Also, while the NF modules and add-ons along with additional software are starting to become better at layer 3 and application awareness, I feel the start to finish configuration is still a bit long.
    Compared to what?

    I used to refuse to install any hard-drive based firewall seeing it as a likely point of failure but HDD technology has sure come a long way. Keep em cool and dust free and they will SPIN for a long time these days.
    I think almost all *nix firewalls are capable of being run off read-only media like CD.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
