Hi Mark (and list),

Netfilter (part of the ipchains replacement), not exactly a part of the
2.4 kernel, is very good and it does do stateful inspection through its
state module (which, incidentally, is how it tracks connections for NAT).
It is extremely flexible and very, very fast. In addition to stateful
inspection it also protects against a wide range of flood type attacks.

However, this flexibility comes at a cost. It is painful to set up (in
comparison to FW1 at any rate). Unless you are very comfortable with the
older ipchains and have a solid understanding of TCP/UDP/ICMP packet
structure, stick with FW1.

You might want to check out the following URLs if you are still interested:

Matthew Ostwald
Network Engineer
Speedwell Media Pty Ltd
Phone: (07) 3236 9737
Fax: (07) 3236 9738
Level 10, Leichardt St
PO Box 293
Spring Hill, Queensland 4004, Australia
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Squire
Sent: Friday, 9 February 2001 5:47 AM
To: Firewall-1 Mailing List (E-mail)
Subject: [FW1] Linux/Checkpoint Statefull inspection comparison

Hi all,

The Linux kernel now has stateful inspection from what I have read. Have any of you compared it to Checkpoint's stateful inspection? If so, how do you think it compares? Is it just a cheap imitation, or is it worth the while?

C:\Mark
