Date: Tue, 26 May 1998 11:53:40 -0500
From: Kim Shrier <kim@createtech.com>
To: Douglas Ng <Douglas@alcamedia.com>
Cc: "'isp@FreeBSD.ORG'" <isp@FreeBSD.ORG>
Subject: Re: Firewall software
Message-ID: <356AF394.C1AF1DC3@createtech.com>
References: <D1C34C054DEAD111ACF700C0A850A45A58DB@gershwin.careergateway.com>
I would recommend ipfw combined with the fwtk that is in the ports collection.

Gauntlet does not run under FreeBSD and in my opinion violates several rules as to how to build a firewall. My experience is with the BSDI version. It requires a full developer installation and uses X-windows. They also use an HTML/Java configuration setup that was not working too well the last time I used it. When I make a firewall, I remove everything that is not needed (compilers, editors, X-windows, most programs in /usr/bin). I also prefer to manually configure the proxies and packet filtering rules because then you understand what your firewall is doing. TIS is assuming that the customer does not understand all the issues about setting up a firewall and this is mainly true. It's just that they use the firewall as a development machine in order to modify the kernel during installation and then leave all the development software on the machine. I would have much less of a problem if they cleaned up after themselves after installation.

Firewall-1 only runs on NT and uses "stateful inspection" as its method of providing protection. This is considered to be less secure than proxies. Since maintaining anything on NT is a pain, I usually avoid NT if at all possible.

I am just starting to look at the delegate proxy software that is in the ports collection, but I haven't had time to set up a box using that software. It looks like the delegate proxy will do transparent proxying, which is nicer than the fwtk proxies, which don't support this. (Although there are some patches to the fwtk proxies to add transparent support, I can't locate a reference to the patches right now.)

PS. Please do not send the body of your email message as a MIME attachment. It is much easier to read if you just send it the normal way.

Douglas Ng wrote:
>
>Hi all
>
>Does anyone have any recommendation for a firewall software to use on
>the FreeBSD box?
>I have been referred to Gauntlett and Checkpoint Firewall-1. How do
>they compare? Or would they be an overkill and instead I should use
>simply ipfw that comes with freeBSD?
>
>Thanks in advance.
>
>Douglas Stevenson Ng
>W3Labs, The Active Idea Company

--
Kim Shrier - kim@createtech.com
Director of Development - CreateTech, Inc.
voice 214-748-2233 - fax 214-748-3377
www.createtech.com - Custom Internet Solutions.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message