On Tue, Dec 28, 1999 at 03:08:27AM +0100, Bernd Eckenfels wrote:
> Hello Michael,

Thanks Bernd.

> Ok, one of the big advantages of sifi (as I evaluated the last time) is that
> since it is stateful, configuring it is quite easy, since you have to give
> only one rule to allow a TCP connection, and not 6 or more. It supports
> spoofing detection (was important for 2.0) itself and it can be scripted to
> do dynamic blocking. Therefore reconfiguration of the rulebase and adding of
> temporary rules is easier. It also supports some protocols better than
> ipchains does (IGMP, RIP, FTP). The GUI is another neat thing, especially
> in combination with the daemon which can do a lot of useful logging and
> reporting, monitoring and connection killing. The main disadvantage was,

Sounds really interesting. However, I wasn't able to compile it so far. The
Java part simply does not compile. Neither on my Debian machine nor on a SuSE
test installation. Does anyone have a precompiled DEB?

> that it only supports 2 interfaces. I can't say much about stability.

Does not look like too much of a disadvantage, does it? Okay, there are some
(historic?) setups that ask the firewall to connect three nets: external,
internal and perimeter. But if I had to choose I would prefer to have two
firewalls anyway and get a DMZ. Or am I wrong on this? Once again I've spent
quite some time doing different things and now I'm pretty outdated with my
info.

> Perhaps it is the best to go back to the old application proxies for some
> applications like FTP. A FTP proxy which is using a program to analyze the
> control channel and set up ipportfw/accept rules in kernel mode dynamically
> can be a good solution. You don't need to "pump" the FTP up/downloads through
> usermode but still have the possibility to intelligently filter the FTP

What exactly do you need this for? I can see two ways of FTP usage, either
incoming with no write permissions (normally) and outgoing.

What really caused me trouble the last time I set up a firewall was
redirecting incoming FTP to a M$ machine and enabling active usage.

Michael
--
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: [email protected]                | Use PostgreSQL!
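As an added example (not code from this thread or from sifi), here is the control-channel parsing step Bernd's dynamic FTP proxy idea depends on, in Python: it maps a PORT command or a 227 PASV reply to the single data connection a proxy would open in the kernel, and refuses an advertised address that is not the control-channel peer. Function names and the sample session are assumptions made for the example.

```python
import re
from ipaddress import ip_address

# Added example, not code from this thread or from sifi: the control-channel
# parsing a dynamic FTP proxy needs before it inserts a kernel rule.
# Function names and the sample session are constructed for illustration.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\(?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)?")


def _decode(groups):
    """Six decimal fields h1,h2,h3,h4,p1,p2 -> (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_rule(line, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) for the one data connection a
    PORT command (active) or 227 reply (passive) announces, else None.
    Active: server -> client's advertised address; passive: client ->
    server's advertised address. An address that is not the control-channel
    peer is refused, so a PORT aimed at a third host opens nothing."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip_address(ip) != ip_address(client_ip):
            raise ValueError(f"PORT address {ip} is not the client {client_ip}")
        return server_ip, ip, port
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip_address(ip) != ip_address(server_ip):
            raise ValueError(f"PASV address {ip} is not the server {server_ip}")
        return client_ip, ip, port
    return None


def rules_for_session(lines, client_ip, server_ip):
    """Collect the data-channel rules the proxy would insert for a session."""
    return [r for r in (data_channel_rule(l, client_ip, server_ip) for l in lines) if r]


# Constructed sample session: client 192.168.1.10, server 10.0.0.5 (made up).
SAMPLE_SESSION = ["USER anonymous", "PORT 192,168,1,10,4,1",
                  "227 Entering Passive Mode (10,0,0,5,195,80).", "RETR file.txt"]
```

Each returned tuple is exactly the one-connection rule a stateful filter would add, which is the "one rule instead of 6 or more" point from Bernd's message.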

