1999-07-28-14:11:02 Marcelo Barbosa Lima:
> What do you prefer, IPfilter or IPchains? I'd like to know about the
> advantages of each one of these packets.

Here are some pretty objective facts, which may reflect strengths or
weaknesses of one or the other package, depending on your exact needs:

1. Ipfilter supports stateful filtering, where it will maintain an internal
   state table of established TCP connections and specifically and solely
   allow the reply packets for those connections through. Ipchains does not
   support any kind of connection-table state management as far as I know.

2. Ipfilter runs on many, many Unix variants, including Linux. Ipchains comes
   with recent Linux kernels (its predecessor, ipfw, comes with older Linux
   kernels, and its successor, netfilter, is under development to ship with
   as-yet-unreleased Linux kernels). Neither ipchains nor its brethren are
   liable to be available for other platforms.

That's all I can come up with in purely objective facts to compare-n-contrast them.
If you are fortunate enough to be able to find a decisive determining point
right there, then the decision process is over. If, and only if, you (a) are
running on Linux _only_ (and don't care that you'll have to re-write your
setup to ipfilter if you ever want to move to another platform) and (b) do not
need the connection-state support of ipfilter, then the decision remains open.
So we enter into opinion. In the realm of opinion, taste, whatever, I'll add a
third point:

3. I find the IPCHAINS-HOWTO to be more helpful than any documentation I could
   find for ipfilter. I found it easier to get the basic setup I wanted with
   ipchains, thanks to the documentation of the HOWTO.

I use ipchains for hardening hosts, and for adding simple packet filtering to
a router. I don't expect it to add a lot of security; I don't use it as the
_only_ security measure for any firewall setup; I like it as an additional,
redundant layer of protection, and happily use it that way in lots of
settings.

-Bennett
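
The difference described in point 1, as an added example that is not part of the original post: a minimal Python model of a connection state table beside a filter that only looks at TCP flags. The packet model, the sample addresses and the flag-only rule are assumptions for illustration; this is not ipfilter or ipchains code.

```python
from collections import namedtuple

# Constructed packet model; addresses, ports and flags below are sample values.
Packet = namedtuple("Packet", "src sport dst dport flags direction")

class StatefulFilter:
    """Tracks outbound TCP connections; inbound packets must match an entry."""
    def __init__(self):
        self.state = set()  # entries: (local addr, local port, remote addr, remote port)

    def check(self, p):
        if p.direction == "out":
            if p.flags == {"SYN"}:                # new outbound connection
                self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        key = (p.dst, p.dport, p.src, p.sport)    # reply reverses the endpoints
        if key not in self.state:
            return False                          # no matching connection: drop
        if "RST" in p.flags or "FIN" in p.flags:
            self.state.discard(key)               # simplified teardown (assumption)
        return True

def stateless_check(p):
    """Assumed flag-only rule: allow outbound; inbound unless it is a bare SYN."""
    if p.direction == "out":
        return True
    return not ("SYN" in p.flags and "ACK" not in p.flags)

def run(packets):
    """Return (stateful verdict, stateless verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(fw.check(p), stateless_check(p)) for p in packets]

SAMPLE = [  # constructed traffic, not captured from a real network
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}), "out"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in"),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, frozenset({"ACK"}), "in"),  # unsolicited
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, frozenset({"SYN"}), "in"),   # new inbound
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"FIN", "ACK"}), "in"),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"ACK"}), "in"),    # after teardown
]

if __name__ == "__main__":
    for p, (stateful, stateless) in zip(SAMPLE, run(SAMPLE)):
        print(p.src, sorted(p.flags), "stateful:", stateful, "stateless:", stateless)
```

The third and sixth sample packets are where the two verdicts differ: they carry no bare SYN, so the flag-only rule passes them, while the state table has no entry for them.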