Re: pf firewall question

2006-05-02 Thread Paulo Rodriguez

Apologies accepted.

bofh wrote:
> On 5/1/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
>> On Tuesday 02 May 2006 05:31, bofh wrote:
>>> I must say though, a well designed gui can be a great help in managing a
> [...]
>>> not believe him.  Now that I'm managing a small bunch of checkpoint boxes
>>> with a few hundred rules, and some vpns, it *does* make things easier.
>>
>> Maybe that says more about the design of Checkpoint than it does about pf.
>
> Hence that bit about a well designed gui.  Not all guis are designed equally
> well.  We just had a nortel sales guy tell us that their new ($$) contivity
> admin software is "just like checkpoint".  We tried it.  OK, it was like
> checkpoint just like some ugly drag queen[1] is just like a supermodel
> because he put on a bikini.  Yucks.
>
> [1]  Apologies to anyone who has the hots for ugly drag queens.




Re: pf firewall question

2006-05-01 Thread bofh
On 5/1/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
>
> On Tuesday 02 May 2006 05:31, bofh wrote:
>
> > I must say though, a well designed gui can be a great help in managing a
>
[...]

> > not believe him.  Now that I'm managing a small bunch of checkpoint
> boxes
> > with a few hundred rules, and some vpns, it *does* make things easier.
>
> Maybe that says more about the design of Checkpoint than it does about pf.


Hence that bit about a well designed gui.  Not all guis are designed equally
well.  We just had a nortel sales guy tell us that their new ($$) contivity
admin software is "just like checkpoint".  We tried it.  OK, it was like
checkpoint just like some ugly drag queen[1] is just like a supermodel
because he put on a bikini.  Yucks.

[1]  Apologies to anyone who has the hots for ugly drag queens.



Re: pf firewall question

2006-05-01 Thread Lars Hansson
On Tuesday 02 May 2006 05:31, bofh wrote:

> I must say though, a well designed gui can be a great help in managing a
> set of firewalls, or a firewall with complex rules.  I like pf for the
> cleanliness of syntax and simplicity of doing things, but the guy who ran
> the checkpoint firewalls for 50+ sets of firewalls and 2000+ rules across
> them all told me he would not have been able to manage it with pf; I did
> not believe him.  Now that I'm managing a small bunch of checkpoint boxes
> with a few hundred rules, and some vpns, it *does* make things easier.

Maybe that says more about the design of Checkpoint than it does about pf.

---
Lars Hansson



Re: pf firewall question

2006-05-01 Thread bofh
On 4/30/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/04/30 06:34, S t i n g r a y wrote:
> > Now what I want to know, maybe it is OT in this list,
> > but what is the difference? I mean, pf in OpenBSD is
> > referred to as a firewall for home or small offices?
> > Why is that? I mean, what is the criteria of an
> > enterprise firewall? What is the difference between pf &
> > MS ISA / Cisco PIX or Checkpoint?
> > Performance? Stability or features?
>
> marketing and a manager-friendly gui.



I must say though, a well designed gui can be a great help in managing a set
of firewalls, or a firewall with complex rules.  I like pf for the
cleanliness of syntax and simplicity of doing things, but the guy who ran
the checkpoint firewalls for 50+ sets of firewalls and 2000+ rules across
them all told me he would not have been able to manage it with pf; I did not
believe him.  Now that I'm managing a small bunch of checkpoint boxes with a
few hundred rules, and some vpns, it *does* make things easier.

I know about the traditional argument of making complex things too simple,
but simplifying things for an experienced admin is a good thing.  Lusers
shooting themselves in the foot is not my problem.

And anyone thinking of implementing an ISA server is simply asking for it
:)  PIX is another bother.  Fantastic idea, copying checkpoint's gui.  But
when you use it, and it tells you, "this feature is not available in the
gui", that rapidly becomes old.

As far as performance goes, anyone implementing any kind of firewalls for a
business should be using hardware that's relatively recent - unless you have
ungodly amounts of specialized rules, performance should not be an issue.



Re: pf firewall question

2006-05-01 Thread Murali Raju

On 4/30/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/04/30 06:34, S t i n g r a y wrote:
>> Now what I want to know, maybe it is OT in this list,
>> but what is the difference? I mean, pf in OpenBSD is
>> referred to as a firewall for home or small offices?
>> Why is that? I mean, what is the criteria of an
>> enterprise firewall? What is the difference between pf &
>> MS ISA / Cisco PIX or Checkpoint?
>> Performance? Stability or features?
>
> marketing and a manager-friendly gui.



To add more...I've used PF/CARP to deploy perimeter defense for
companies with users ranging from 1000+ to 4000+. Does that tell you
something?

Please don't fall into the trap of marketing crap like "Application
Layer Checks",  "Deep Packet Inspection", etc. Nothing more than
proxies with too many false positives. Again, you can check if the
protocol abides by RFCs with enormous expense, but what use is it when
the embedded exploit code is not fully checked within the payload?
(check the archives why PF does not do this).

PF is powerful, efficient, and keeps it simple...you are better off
handling Application Layer checks closer to the crappy application
that is full of bugs..

_Raju

--
May the packets be with you.



Re: pf firewall question

2006-04-30 Thread Tony
S t i n g r a y wrote:
> 
> Now what I want to know, maybe it is OT in this list,
> but what is the difference? I mean, pf in OpenBSD is
> referred to as a firewall for home or small offices?
> Why is that? I mean, what is the criteria of an
> enterprise firewall? What is the difference between pf &
> MS ISA / Cisco PIX or Checkpoint?
> Performance? Stability or features?

pf in OpenBSD is what the developers use to protect their
own systems. As such it is probably better and stronger
than anything you can buy. 

What you can buy is a high price tag, maybe some hand-holding,
and probably a false sense of security.
There may be some features that are worth it.  Maybe.  Depends.

Documentation? Start with man 4 pf
There is also a PF User's Guide.



Re: pf firewall question

2006-04-30 Thread Joachim Schipper
On Sun, Apr 30, 2006 at 06:34:09AM -0700, S t i n g r a y wrote:
> Now what I want to know, maybe it is OT in this list,
> but what is the difference? I mean, pf in OpenBSD is
> referred to as a firewall for home or small offices?
> Why is that? I mean, what is the criteria of an
> enterprise firewall? What is the difference between pf &
> MS ISA / Cisco PIX or Checkpoint?
> Performance? Stability or features?
> 
> regards

pf is a fine packet filter, and is very useful in any situation, inside
and outside the big corporations. It can also do traffic
shaping/queueing via ALTQ.

It is not, however, an application-level proxy (Squid, Apache's
mod_proxy, ftp-proxy), an IDS (Snort), or high-availability system
(carp, the various routing daemons, some application-level proxies).

Finally, as pointed out, it doesn't have a snazzy GUI, though there are
some projects to provide one[1].

Joachim

[1] Whether or not that is actually a good idea is not relevant to this
discussion.
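To make the division of labour above concrete, here is a small pf.conf written for this reply as an added example; it is not from the thread, from the OpenBSD FAQ, or from any poster. It uses the pf syntax of the 2006 releases (before the 4.7 NAT rewrite and the 5.5 queueing rewrite): packet filtering and ALTQ shaping are done by pf itself, while FTP proxying and failover are handed to ftp-proxy(8), carp(4) and pfsync(4), which pf only has to pass. Interface names, the LAN prefix and the queue bandwidths are assumptions for the example.

```pf
# Added example (not from the thread): an OpenBSD 3.9-era pf.conf that
# separates what pf does (filtering, ALTQ queueing) from what it hands
# off to other components (ftp-proxy, carp, pfsync).
# Interface names, addresses and bandwidths below are assumptions.

ext_if  = "fxp0"            # assumed Internet-facing interface
int_if  = "fxp1"            # assumed LAN interface
sync_if = "fxp2"            # assumed crossover link to the CARP peer
lan_net = "192.168.1.0/24"  # assumed LAN prefix

# Options and normalisation: never filter loopback, scrub everything in.
set skip on lo
scrub in all

# Traffic shaping is pf's own job via ALTQ: 2 Mbit upstream, with a
# small high-priority queue so interactive SSH is not starved by bulk.
altq on $ext_if cbq bandwidth 2Mb queue { q_def, q_ssh }
queue q_def bandwidth 90% cbq(default borrow)
queue q_ssh bandwidth 10% priority 7 cbq(borrow)

# Translation: NAT the LAN behind the external address, and redirect LAN
# FTP control connections to ftp-proxy(8), the separate userland proxy
# that pf is not.  ftp-proxy inserts its own rules through these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

# Filtering: default deny and log, so every pass below is explicit.
block in log all
anchor "ftp-proxy/*"

# Failover plumbing: CARP advertisements and pfsync state replication
# belong to carp(4) and pfsync(4); pf merely lets them through.
pass quick on $sync_if proto pfsync
pass on { $ext_if $int_if } proto carp keep state

# Outbound traffic from the firewall and from the LAN, shaped into q_def.
pass out on $ext_if keep state queue q_def
pass in on $int_if from $lan_net to any keep state

# The one inbound service: SSH to the firewall, SYN-only to create state,
# placed in the interactive queue.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state queue q_ssh
```

Before loading a ruleset like this, `pfctl -nf /etc/pf.conf` parses it without applying it, which catches syntax errors and ordering mistakes (in this era pf.conf had to be ordered options, normalisation, queueing, translation, filtering). The IDS and application-proxy roles Joachim lists have no lines here at all, which is the point: they run beside pf, not inside it.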



Re: pf firewall question

2006-04-30 Thread Nick Holland

S t i n g r a y wrote:
> Now what I want to know, maybe it is OT in this list,
> but what is the difference? I mean, pf in OpenBSD is
> referred to as a firewall for home or small offices?
> Why is that? I mean, what is the criteria of an
> enterprise firewall? What is the difference between pf &
> MS ISA / Cisco PIX or Checkpoint?
> Performance? Stability or features?


I find it really irritating when people make statements like that
without citing references.

I'm guessing you are reading this:
   http://www.openbsd.org/faq/pf/example1.html

This is an EXAMPLE CONFIGURATION for a home or small office.  It is
a starting point to understanding PF.  It touches upon a few of PF's
features, and helps people understand a simple configuration.
If I'd given you a ten-thousand line pf.conf file, you probably would
have said, "PF is too complicated for me".

"Enterprise products" usually just means you got money to waste on
inferior crap, like Cisco or MS ISA or Checkpoint.  People who have
a job to do other than padding their resume will look at actual
features, not buzzword compliance.

Here are two differences between PF and commercial products...
* One is created by professional networkers.  One is written by
amateurs.
   Commercial firewall products are written by amateurs.  People who
don't actually work in the networking business.  They work in labs,
they take feedback from people who actually use the products in real
world environments, but they by definition are not on the front lines.
   PF is written and maintained by people on the front lines.  For
them, it isn't about waiting to see if enough customers demand a fix,
it's their butts, their business that's on the line.  It gets fixed or
improved QUICKLY.

* One has deliberate limits put in place, to make sure you have to pay
more as your needs increase.  If you live by selling products, the
last thing you want to do is have a product that just works without
needing additional upgrades and support and replacement when your
needs grow (=you can afford to pay more).
  The other has no deliberate limits...costs nothing to evaluate,
costs nothing to have a spare for testing ideas on, can be in your
staff's homes for more practice, etc.

Nick.



Re: pf firewall question

2006-04-30 Thread Shane J Pearson

On 2006.04.30, at 11:34 PM, S t i n g r a y wrote:

> enterprise firewall? What is the difference between pf &
> MS ISA / Cisco PIX or Checkpoint?
> Performance? Stability or features?


Marketing which is designed to put a fright into people who have
responsibility for systems and data which are not theirs. That
marketing then takes the frightened IT manager and gives them the
warm fuzzies by talking about enterprise level support, SLAs,
industry standards, well chosen (and seemingly bogus) TCO case
studies and sometimes horror stories of people who did not choose to
use them.

It is all bullshit though. Because all that is designed to get your
money and the enterprise systems cost in a big way... then they start
talking about on-going support.

I've worked in some places which had 5 figure (AU) support contracts
for firewall, IDS, etc and the systems were flaky (reboot every few
days to weeks!), the phone support was shit and the people that came
out were clueless.

The difference is marketing targeted to the people that matter to the
vendor. The easily frightened managers and not the nerdy types who
would rather put together a couple of decent quality machines with
OpenBSD, pf and CARP, etc.



Shane



Re: pf firewall question

2006-04-30 Thread Henrik Enberg
S t i n g r a y <[EMAIL PROTECTED]> writes:

> Now what I want to know, maybe it is OT in this list, but what is the
> difference? I mean, pf in OpenBSD is referred to as a firewall for home
> or small offices?

No it isn't.  The FAQ merely contains an example of how to use PF as a
home or small office firewall.



Re: pf firewall question

2006-04-30 Thread Stuart Henderson
On 2006/04/30 06:34, S t i n g r a y wrote:
> Now what I want to know, maybe it is OT in this list,
> but what is the difference? I mean, pf in OpenBSD is
> referred to as a firewall for home or small offices?
> Why is that? I mean, what is the criteria of an
> enterprise firewall? What is the difference between pf &
> MS ISA / Cisco PIX or Checkpoint?
> Performance? Stability or features?

marketing and a manager-friendly gui.



pf firewall question

2006-04-30 Thread S t i n g r a y
Now what I want to know, maybe it is OT in this list,
but what is the difference? I mean, pf in OpenBSD is
referred to as a firewall for home or small offices?
Why is that? I mean, what is the criteria of an
enterprise firewall? What is the difference between pf &
MS ISA / Cisco PIX or Checkpoint?
Performance? Stability or features?

regards

