Tim Sailer wrote:
> On Mon, Nov 29, 1999 at 04:35:47PM +0000, Rene Mayrhofer wrote:
> > Kiss Csaba wrote:
> > > What type of your firewall? Packet-filtering or proxy-based or
> > > stateful or other?
> > In principle it is open to any concept.
> > We use a combination of packet-filtering (standard linux kernel) and
> > proxies (e.g. for ftp which is a nightmare to packet-filter).
>
> Which proxy package did you use? We (here at BNL) are looking at building
> a sitewide 'screened subnet' firewall. I'm having a hard time getting my
> mind around the proxies. We will have a bunch of machines running as proxy
> servers. Do you run all proxies on all servers? 1 proxy per server? Then,
> how do you know which one to go to?

I use squid on a machine of its own when security and performance are needed, or some really simple proxies when performance is not essential (there is an ftp-bouncing-only proxy whose name I don't remember - it has been some time since I used it, but I found it on freshmeat). Most of the time I use masquerading and port forwarding techniques, because most of my customers want transparency for the clients. The administrators do not have the time to explain to everyone who wants to use a real ftp client how to configure it to use a proxy server.

> > But if you use the sifi kernel module, you can have stateful inspection
> > as well (I hope that standard kernel 2.4.x will get a stateful
> > inspection module sometime - maybe I will write one using the netfilter
> > API).
>
> Really? It looked like sifi was just packet filtering to me! What kernel
> are you running sifi with? I've tried 2.2.10-2.2.12, and it panics the
> kernel quite regularly...

I used sifi with a 2.0.x kernel some time ago. As far as I know, sifi for the 2.2.x kernel is still beta and I would not depend on it. Sifi for 2.0.x seems to be a very well written piece of code, including the concepts. But I dislike that it is not as flexible as the standard kernel firewalling mechanism.

Just one example: I wanted to manipulate the firewalling rules from a script, not from the GUI - no easy way. You have to create a config file and let sifi activate the rules from the file. I will wait for kernel 2.4.x (x >= 5 :) ) for stateful inspection. Really - the netfilter framework that will be introduced with 2.4.x (it's already in 2.3.x - but for firewalls?) is conceptually extremely flexible. Stateful inspection can be done with a user-level module as far as I understand the documentation.
greets, Rene
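The thread above says that ftp is "a nightmare to packet-filter" and that stateful inspection is what makes it tractable, but does not show why. The following is an added example, not code from the original post or from sifi/netfilter: a toy packet filter, in both a stateless (ipchains-style) and a stateful (conntrack-style, with an FTP helper) form, run over a constructed active-mode FTP session. The addresses, ports and the packet format are assumptions made for the illustration. The stateless version has to leave a standing hole for "port 20 to any high port" (and accept any non-SYN packet claiming to come from port 21), so hostile packets get through; the stateful version admits the data connection only because the client's PORT command announced it.

```python
import re

# Constructed topology for the example (hypothetical addresses).
LAN_PREFIX = "192.168.1."          # inside network behind the filter
CLIENT = "192.168.1.23"            # inside ftp client
FTP_SERVER = "203.0.113.5"         # outside ftp server
ATTACKER = "198.51.100.9"          # outside hostile host


def pkt(src, sport, dst, dport, flags=(), payload=""):
    """A constructed TCP packet: addresses, ports, TCP flags and payload."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "payload": payload}


def is_inbound(p):
    return p["dst"].startswith(LAN_PREFIX) and not p["src"].startswith(LAN_PREFIX)


def is_new_syn(p):
    # ipchains' -y semantics: SYN set, ACK and FIN clear (a connection attempt).
    return "SYN" in p["flags"] and not (p["flags"] & {"ACK", "FIN"})


class StatelessFilter:
    """Every packet is judged on its own header; nothing is remembered."""

    def verdict(self, p):
        if not is_inbound(p):
            return True                      # outbound traffic is allowed
        if p["sport"] == 21 and not is_new_syn(p):
            return True                      # "replies" on the control channel
        # Active-mode data: the server connects back from port 20 to whatever
        # port the client named in PORT. A stateless filter cannot know that
        # port, so it must open all of them. This is the hole.
        if p["sport"] == 20 and 1024 <= p["dport"] <= 65535:
            return True
        return False


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFilter:
    """Connection tracking plus an FTP helper that parses PORT commands."""

    def __init__(self):
        self.conns = set()      # 4-tuples of connections opened from inside
        self.expected = set()   # 4-tuples a helper told us to expect (RELATED)

    def verdict(self, p):
        tup = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if tup in self.conns or rev in self.conns:
            self._ftp_helper(p)
            return True                      # ESTABLISHED
        if tup in self.expected:
            self.expected.discard(tup)
            self.conns.add(tup)
            return True                      # RELATED: announced by PORT
        if not is_inbound(p) and is_new_syn(p):
            self.conns.add(tup)
            return True                      # NEW, but only from inside
        return False                         # unsolicited inbound packet

    def _ftp_helper(self, p):
        # Only outbound control-channel traffic can create an expectation.
        if is_inbound(p) or p["dport"] != 21:
            return
        m = PORT_RE.search(p["payload"])
        if not m:
            return
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        # Refuse PORT commands naming a third host (classic ftp bounce).
        if host == p["src"]:
            self.expected.add((p["dst"], 20, host, port))


# Constructed active-mode session: handshake, PORT 192,168,1,23,19,137
# (= port 19*256+137 = 5001), the server's data connection, then two
# hostile packets that a stateless filter cannot tell apart from ftp.
SESSION = [
    pkt(CLIENT, 2000, FTP_SERVER, 21, ["SYN"]),
    pkt(FTP_SERVER, 21, CLIENT, 2000, ["SYN", "ACK"]),
    pkt(CLIENT, 2000, FTP_SERVER, 21, ["ACK"]),
    pkt(CLIENT, 2000, FTP_SERVER, 21, ["ACK"], "PORT 192,168,1,23,19,137\r\n"),
    pkt(FTP_SERVER, 20, CLIENT, 5001, ["SYN"]),          # legitimate data channel
    pkt(ATTACKER, 20, CLIENT, 6000, ["SYN"]),            # "data" aimed at X11
    pkt(ATTACKER, 21, CLIENT, 1234, ["ACK"]),            # fake control reply
]


def run(filt, packets):
    """Return the list of accept/drop verdicts for a packet sequence."""
    return [filt.verdict(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), SESSION))
    print("stateful: ", run(StatefulFilter(), SESSION))
```

The stateless filter accepts all seven packets, including the two hostile ones, because its rules can only describe "port 20 to high ports" and "non-SYN from port 21" without knowing whether a control session exists. The stateful filter accepts the first five and drops the last two: the data connection is admitted solely because the helper saw the PORT command on a tracked control channel, and the third-host check in the helper is the same restriction a real conntrack FTP helper needs to avoid opening expectations for ftp bounce attacks. With masquerading in front of the clients the stateless case is worse still, since the client port visible from outside is the masqueraded one.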

