Hello Michael,

(This is a response to Michael Meskes asking about the differences between the IP packet filters available for Linux. Since my summary is rather long, I guess I will post it to some additional mailing lists :)

On Mon, Dec 27, 1999 at 07:24:56PM +0100, Michael Meskes wrote:
> I really would like to know that since testing takes too much time. :-)

Ok, one of the big advantages of sifi (as I evaluated the last time) is that since it is stateful, configuring it is quite easy, since you have to give only one rule to allow a TCP connection, and not 6 or more. It supports spoofing detection (was important for 2.0) itself and it can be scripted to do dynamic blocking. Therefore reconfiguration of the rulebase and adding of temporary rules is easier. It also supports some protocols better than ipchains does (IGMP, RIP, FTP). The GUI is another neat thing, especially in combination with the daemon which can do a lot of useful logging and reporting, monitoring and connection killing. The main disadvantage was that it only supports 2 interfaces. I can't say much about stability.

ipchains on the other hand, which is not stateful, has its main disadvantages in the number of rules you need to configure it tightly, and that it isn't stateful then. The reporting/monitoring/logging requires external tools if you want to make it comprehensive. Scripts like fwctl (Debian package) really lower the pain of setting up the ipchains rules (since you use one rule which is used to produce all the depending rules). I currently use fwctl to configure ipchains and am very happy with it (especially less skilled admins can work with it). Automatic rule generators and firewall rule compilers/GUIs (FCT, ipfwadm dotfile, mason, DNi, TkFirewall, gfcc) help you, too.

BTW: fwctl does not remove the need for deny rules for smaller, included networks (i.e. if you allow access to the INTERNET object, this will allow access to all other destination addresses - including local firewall addresses - too).
I hope netfilter will make this better since fwctl won't feature that unless somebody starts to add it :)

Another option is ipfilter, btw! It combines ipchains rules with stateful rules and a "best-match" strategy... lowering the number of needed rules very much. Sadly there were a lot of glibc compile problems and therefore I am not sure if a current Linux port and kernel modules exist. But if *BSD/SUN is an option, definitely look into that cool tool.

As I said already, netfilter is developing into a neat successor to ipchains, with additional support like a unified state management. And there is commercial sponsoring (WatchGuard).

A word about statefulness: personally I like stateful solutions because they are easy (and therefore less error prone) to configure, because there are fewer rules. Advantages like denying stealth scans or some fancy DoS attacks are not so important for me. If I care about those I really would use application filters. Of course "stateful inspection" can add some features to packet filtering if you want to restrict protocol usage (e.g. restrict use of the FTP DELE command). But that's another case for application level proxies (at least in low traffic setups).

Another, rather unknown tool is spf from Brian Murrell; it's adding and deleting rules by a userspace daemon in an ipchains setup.

Perhaps it is best to go back to the old application proxies for some applications like FTP. An FTP proxy which is using a program to analyze the control channel and set up ipportfw/accept rules in kernel mode dynamically can be a good solution. You don't need to "pump" the FTP up/downloads through usermode but still have the possibility to intelligently filter the FTP control channel. Not sure if any free proxies do that, currently. But I haven't looked into juniper or the SuSE Proxy KIT in the last few months.
Okay, here is a list of some of the mentioned tools (more from www.freefire.org):

a) fwtk (perl modules to configure ipchains)
   http://indev.insu.com/Fwctl/fwctl.html
   http://www.rustcorp.com/linux/ipchains/
b) netfilter (next generation of linux kernel firewall)
   http://netfilter.kernelnotes.org/
c) SINUS Firewall (stateful linux kernel firewall)
   http://www.ifi.unizh.ch/ikm/SINUS/firewall/
d) spf
   ftp://ftp.interlinx.bc.ca/pub/spf
e) ipfilter
   http://cheops.anu.edu.au/~avalon/ip-filter.html

commercial:
   http://www.progressive-systems.com/firewall.html
   http://www.watchguard.com/

Greetings
Bernd

-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
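The rule-count argument in the mail (one rule for a TCP connection on a stateful filter versus six or more on ipchains, where a forwarded packet must pass the input, forward and output chains in each direction) can be made concrete with a small simulation. The following Python is an added example and is not code from Bernd's mail or from any of the tools listed; it models a hypothetical two-interface firewall that lets a LAN (constructed as 192.168.1.0/24) reach external HTTP servers, first with stateless first-match chains and then with a stateful filter that tracks flows. It also shows the side effect the mail alludes to: a stateless "reply" rule keyed on source port 80 has to accept any non-SYN packet carrying that source port, whereas the stateful tracker only accepts replies to a connection it actually saw.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network for the example; the mail does not give an address plan.
LAN = "192.168.1.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # TCP SYN flag
    ack: bool  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """One filter rule; None fields match anything (ipchains-style)."""
    action: str                      # "accept" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    # True: only connection-opening packets (SYN without ACK, like ipchains -y)
    # False: only non-opening packets (like ipchains ! -y); None: any packet
    syn_only: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn_only is not None and (p.syn and not p.ack) != self.syn_only:
            return False
        return True


def first_match(rules, p: Packet, default: str = "deny") -> str:
    """First matching rule decides; no match falls through to the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatelessFilter:
    """Three chains; a forwarded packet must be accepted by all of them."""

    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}

    def add(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def rule_count(self) -> int:
        return sum(len(c) for c in self.chains.values())

    def verdict(self, p: Packet) -> str:
        for chain in ("input", "forward", "output"):
            if first_match(self.chains[chain], p) != "accept":
                return "deny"
        return "accept"


class StatefulFilter:
    """Rules apply to new connections only; replies are matched from a flow table."""

    def __init__(self):
        self.rules = []
        self.flows = set()  # established flows as (src, sport, dst, dport)

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def rule_count(self) -> int:
        return len(self.rules)

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "accept"  # belongs to a connection we saw being opened
        if p.syn and not p.ack and first_match(self.rules, p) == "accept":
            self.flows.add(fwd)  # remember the flow so the reply direction is allowed
            return "accept"
        return "deny"


def build_stateless_http() -> StatelessFilter:
    f = StatelessFilter()
    out_rule = Rule("accept", src=LAN, dport=80)                  # LAN -> any:80
    back_rule = Rule("accept", dst=LAN, sport=80, syn_only=False)  # any:80 -> LAN, no new SYN
    for chain in ("input", "forward", "output"):
        f.add(chain, out_rule)
        f.add(chain, back_rule)
    return f  # 6 rules for one permitted service


def build_stateful_http() -> StatefulFilter:
    f = StatefulFilter()
    f.add(Rule("accept", src=LAN, dport=80, syn_only=True))  # 1 rule
    return f


def run_demo(f) -> list:
    """Verdicts for: client SYN, server SYN/ACK, and an unsolicited ACK from source port 80."""
    client_syn = Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True, ack=False)
    server_synack = Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True)
    stray = Packet("203.0.113.9", 80, "192.168.1.10", 22, syn=False, ack=True)
    return [f.verdict(client_syn), f.verdict(server_synack), f.verdict(stray)]


if __name__ == "__main__":
    for name, fw in (("stateless", build_stateless_http()), ("stateful", build_stateful_http())):
        print(name, fw.rule_count(), "rules ->", run_demo(fw))
```

Run it and the stateless filter needs six rules and still accepts the stray packet, because the only thing distinguishing a reply from an unsolicited non-SYN packet is the source port; the stateful filter needs one rule and denies the stray packet because no matching flow was ever opened from the LAN. Real ipchains and SINUS have more knobs than this model (interfaces, ICMP, timeouts), but the shape of the rule sets is what the mail is comparing.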
