> > Of course I want to start a flamewar!! :) That is the idea...
> >
> > I heard that Linux firewalls don't harden the operating system. Is
> > this true? And I heard that Checkpoint has a FW-1 for Linux.
>
> Yes, yes it is. The reason is simple: a Linux firewall
> (ipfwadm/ipchains) does exactly that. It firewalls. Nothing more.
> Which follows the whole Linux/Unix philosophy -- do one thing, and do
> it well.
There is the issue of masquerading/NAT. For example, I'll use OpenBSD in
this case, since I know it a bit better. When using NAT (masquerading
under a different name), one has the option of redirecting to a program,
such as Squid (caching); I know Linux has similar options. Squid, in turn,
checks for any (non-dated) cached web pages; if it finds one, it sends it
to the one that requested it, otherwise it makes the request to the
internet itself. This can be, and generally is preferred to be, completely
transparent to the subnet behind Squid/NAT. But it also allows a slew of
other options, particularly with respect to protocol checking and
filtering.
(The trick is to figure out the precedence, particularly with respect to
NAT/filter rules; which happens first? But that's a whole different topic
altogether.)
Alas, I'm sure that's not what you need to hear about, but it is useful to
know (in my humble opinion).
> > For Linux platforms, are there only packet-filtering firewalls? Or are there
> > proxy and stateful ones?
>
> Think about this... you said that Checkpoint has released Firewall-1
> for Linux. Is it a packet filtering firewall? Or a proxy firewall?
> Or is it both? (which I believe it is)
CP FW-1 is both. :-) I don't know if it has been released under Linux,
but it works under Solaris, and as such it'll most likely port to Linux
quite well.
Ipchains is a packet filter, and has no higher protocol recognition than
TCP/IP, UDP, and ICMP, as far as I know. Which is where things like Squid
come in, acting as a caching proxy.
> As for the stateful packet filtering, I've never understood that.
> So long as you can specify IP flags within your filtering rules, it is
> technically a stateful firewall. You just need to specify the SYN and
> FIN flags.
Not quite true about the SYN/FIN flags: although they are an (the)
indication of packet state, 'keep state' also keeps track of the order of
the packets, and packets that are (reasonably) out of order are bounced
(note, however, that some duplicated packets tend to make it through on
buggy connections, with some NATs).
Cheers!
Brian
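Added example (not from any poster in this thread): a toy Python model of the difference drawn above between a rule that merely matches SYN/FIN flags and a 'keep state' table that remembers which flows were opened from inside and bounces packets whose sequence numbers are unreasonably out of order. The 10.0.0.0/24 "inside" prefix, the addresses and the packet trace are constructed assumptions.

```python
"""Toy flag-only TCP rule vs. 'keep state' tracking (constructed toy, not a real firewall)."""
from collections import namedtuple
INSIDE = "10.0.0."  # assumed internal prefix; the filter sits at its edge
Pkt = namedtuple("Pkt", "src sport dst dport flags seq length", defaults=(0, 0))
def inbound(p):
    return not p.src.startswith(INSIDE)
def flag_only_allow(p):
    """Stateless rule in the 'just match SYN/FIN' style: drop inbound SYN-only."""
    return not (inbound(p) and "SYN" in p.flags and "ACK" not in p.flags)

class KeepState:
    """Per-flow table: pass only packets of flows opened from inside whose seq is in order."""
    def __init__(self, window=65535):
        self.flows = {}  # (src, sport, dst, dport) -> next expected seq, or None
        self.window = window

    def allow(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        consumed = p.length + ("SYN" in p.flags) + ("FIN" in p.flags)
        if key not in self.flows:
            # only an outbound SYN (no ACK) opens a flow; anything else is bounced
            if inbound(p) or "SYN" not in p.flags or "ACK" in p.flags:
                return False
            self.flows[key] = p.seq + consumed
            self.flows[rev] = None  # reply side's seq unknown until its SYN/ACK
            return True
        expected = self.flows[key]
        if expected is None and "SYN" not in p.flags:
            return False  # first reply must be the SYN/ACK
        if expected is not None and abs(p.seq - expected) > self.window:
            return False  # unreasonably out of order: bounce it
        self.flows[key] = max(expected or 0, p.seq + consumed)
        return True  # FIN teardown and timeouts omitted in this toy

def scenario():
    """Constructed packet trace; returns (flag_only, keep_state) verdicts per packet."""
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    me, srv, stranger = "10.0.0.5", "198.51.100.10", "203.0.113.9"
    trace = [
        Pkt(me, 40000, srv, 80, S, 1000),               # handshake opened from inside
        Pkt(srv, 80, me, 40000, SA, 5000),
        Pkt(me, 40000, srv, 80, A, 1001),
        Pkt(srv, 80, me, 40000, A, 5001, 100),          # in-order reply data
        Pkt(stranger, 80, me, 40001, A, 7),             # unsolicited inbound ACK-only
        Pkt(srv, 80, me, 40000, A, 5101 + 200000, 10),  # far out of order
    ]
    table = KeepState()
    return [(flag_only_allow(p), table.allow(p)) for p in trace]
```

The last two packets are the point: the flag-only rule lets both through, while the state table bounces the unsolicited ACK (no flow) and the badly out-of-order segment.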
> > [EMAIL PROTECTED] writes:
> >>Careful: you might start a flamewar. :)
> >>
> >>Just quick, while I have time.
> >>
> >>The advantages of a Linux firewall:
> >> * free
> >> * runs on anything
> >> * can be locked down (i.e. disable all services)
> >>
> >>disadvantages
> >> * can be difficult to configure
> >> * is difficult to lock down
> >> * packet filtering has issues with ICQ and other ICMP packets
> >>
> >>Personal preferred alternatives:
> >>
> >> OpenBSD. More secure, in general. Cleaner design. Although founded in
> >>aesthetics, my preference is a reflection of opinion.
> >>
> >>Cheers!
> >>Brian
> >>
> >>> Hi everybody:
> >>>
> >>> Can anyone tell me the advantages and disadvantages of a Linux firewall?
> >>>
> >>>
> >>> Regards
> >>> Fredy R. Santana V.
> >>> Electrical Civil Engineer
> >>> Orion 2000 - Consultoría en Seguridad y Redes
> >>> La Concepcion 322 piso 12, Providencia.
> >>> Phone: 6403944 - [EMAIL PROTECTED]
> >>>
> >>> -
> >>> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> >>> "unsubscribe firewalls" in the body of the message.]