-
December 6th, 2004, 11:18 PM
#1
Various *nix based firewalls, pros and cons of each?
I'm semi-familiar with ipchains/tables, but I'm afraid that just isn't going to cut it any longer. Could you guys give me a rundown of different *nix-based software firewalls, as well as pros and cons of each based upon your own experience? Some links to tutorial research would be great too. Thanks guys!
-
December 7th, 2004, 02:23 AM
#2
I can't give experience for this one but it is awesome from what I hear. I've read both trusted and untrusted sources saying that it's great:
Sunscreen. This is from Sun and is for UNIX and in particular Solaris:
Sun Screen is something I'd like to have one day. The configuration looks a lot like a web based Router configuration.
NetWall is another you might want to look at. It's expensive, but that's really the only downside.
Netfilter might be something you look into as well. But then again that is just IPTables in one way anyway, so you may not.
If all else fails, there are a few I've found just by searching for them, but mostly they are IPTables front ends.
http://www.linux-firewall-tools.com/linux/
-
December 7th, 2004, 04:28 AM
#3
ipcop is an excellent firewall "suite". I say suite because it includes everything you need. squid, vpn, packet queueing, firewall obviously... and then some. ipcop.org
Shorewall..haven't used it.
astaro security linux is a "commercial" tool but it's free for home use. I'd check them out..it's strikingly similar to ipcop...hmmm opensource is great isn't it?
openbsd 'pf'..I have loads of hours spent with this, and I enjoy it. It does what I need it to do, and has a few nice additions..works on Freebsd and netbsd iirc.
iptables/netfilter...well you already know those. I'd use fwbuilder to build a basic ruleset.
I still question the entire "hardware" vs. "software" firewalls..because what is a *nix box dedicated to firewalling? any hardware firewall still runs an os at the core, no matter how embedded or stripped...so meh.
ttfn..work is calling
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
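Since several replies come back to "a basic ruleset" on a dedicated Linux box, here is one as an added example (not code from anyone in this thread): a default-deny, stateful iptables ruleset for a two-interface firewall, written as a generator that emits iptables-restore format so the whole ruleset is loaded atomically instead of rule-by-rule from a long script. The interface names, the LAN subnet and the two services the LAN may reach on the firewall itself (SSH and DNS) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: minimal default-deny, stateful iptables ruleset for a
# dedicated two-interface Linux firewall, emitted in iptables-restore format.
# Interface names, LAN subnet and allowed services are illustrative assumptions.
#
# Usage: ./ruleset.sh eth0 eth1 192.168.1.0/24 > /etc/iptables.rules
#        iptables-restore < /etc/iptables.rules     (as root, on the firewall)

gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    # Services the LAN may open on the firewall box itself (assumed: SSH, DNS).
    fw_tcp="22 53"
    fw_udp="53"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# Stateful core: anything belonging to a connection we already track.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop INVALID packets early (bad TCP flag combinations, stray ACKs).
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Anti-spoofing: nothing claiming a LAN source may arrive on the WAN side.
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
EOF
    for p in $fw_tcp; do
        echo "-A INPUT -i $lan -s $lan_net -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $fw_udp; do
        echo "-A INPUT -i $lan -s $lan_net -p udp --dport $p -j ACCEPT"
    done
    cat <<EOF
# The LAN may initiate outbound connections through the box.
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# Log (rate-limited) whatever falls through before the chain policy drops it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN interface.
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Sanity check before applying: count INPUT rules that would ACCEPT traffic
# arriving on the WAN interface. A default-deny edge box should report zero.
wan_new_accepts() {
    gen_ruleset "$@" | grep -c -- "-A INPUT -i $1 .*-j ACCEPT" || true
}

# Only emit the ruleset when invoked with the three arguments.
if [ "$#" -eq 3 ]; then
    gen_ruleset "$1" "$2" "$3"
fi
```

Writing the rules to a file and loading them with iptables-restore also makes the "run it off read-only media" approach mentioned later in the thread straightforward: the file is the whole policy, and nothing on the box needs to be writable for it to load.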
-
December 7th, 2004, 11:55 AM
#4
There was some thread around here about not really being anything that should be considered a hardware firewall... it's nothing more than a dedicated system for firewalling. I love seeing that "Alpha Shield" gimmick in London Drugs... "100% unhackable security" pfft! :P
-
December 7th, 2004, 02:54 PM
#5
I personally use a dedicated Linux box running a huge iptables script; it has worked very adequately for what we need. My buddy recently used Sunscreen for a university department's firewall and he got hooked on it. I am always looking for the "next thing" for our firewall solution, so perhaps IPcop might be beneficial, or I could always dust off my Solaris discs again.....
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
December 7th, 2004, 03:04 PM
#6
Re: Various *nix based firewalls, pros and cons of each?
Originally posted here by poohsuntzu
I'm semi-familiar with ipchains/tables, but I'm afraid that just isn't going to cut it any longer. Could you guys give me a rundown of different *nix-based software firewalls, as well as pros and cons of each based upon your own experience? Some links to tutorial research would be great too. Thanks guys!
I will assume that this is for personal use, right? Don't deploy this stuff into a production environment unless you are very familiar with it or have someone who is always available who is familiar with it.
We use a FreeBSD solution.
Pros - it's very stable, reliable and configurable.
Cons - tricky and time-consuming to set up.
regards
SL
-
December 7th, 2004, 11:42 PM
#7
Is there a reason why you don't feel Netfilter can do the job?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
December 7th, 2004, 11:44 PM
#8
Well it can, completely. I was just trying to open up to other solutions and learn them rather than just iptables. Chances are I'll stick to iptables though.
-
December 8th, 2004, 12:40 AM
#9
Originally posted here by chsh
Is there a reason why you don't feel Netfilter can do the job?
While I like Netfilter for home or small workgroups, I am starting to require all firewalls at the edge of my networks to have awareness of both Anti-Virus and Windows patch levels before granting permission to VPN clients.
I have not seen Netfilter or NF based products on the radar with this capability.
Added firewall bonuses are the ability to easily terminate connections other than Ethernet.
NF based products fall short here.
Also, while the NF modules and add-ons along with additional software are starting to become better at layer 3 and application awareness, I feel the start to finish configuration is still a bit long.
GORE: I too wish to play with Sunscreen. It looks too cool.
The NOKIA products I run with Checkpoint are BSD(ish) but heavily modified.
*NIX + Checkpoint is still not a bad way to go, though it's feeling old school with all of the turnkey stuff coming out.
I used to refuse to install any hard-drive based firewall, seeing it as a likely point of failure, but HDD technology has sure come a long way. Keep 'em cool and dust free and they will SPIN for a long time these days.
-
December 8th, 2004, 04:08 PM
#10
Originally posted here by poohsuntzu
Well it can, completely. I was just trying to open up to other solutions and learn them rather than just iptables. Chances are I'll stick to iptables though.
Never hurts to broaden your horizons. I only asked because of your wording.
Originally posted here by ss2chef
While I like Netfilter for home or small workgroups, I am starting to require all firewalls at the edge of my networks to have awareness of both Anti-Virus and Windows patch levels before granting permission to VPN clients.
Not being up on VPNs, wouldn't this be a function of your VPN server, not of the firewall?
Also, while the NF modules and add-ons along with additional software are starting to become better at layer 3 and application awareness, I feel the start to finish configuration is still a bit long.
Compared to what?
I used to refuse to install any hard-drive based firewall, seeing it as a likely point of failure, but HDD technology has sure come a long way. Keep 'em cool and dust free and they will SPIN for a long time these days.
I think almost all *nix firewalls are capable of being run off read-only media like CD.
Chris Shepherd