The answer is "it depends".

Netfilter is up to the basic stateful firewall capabilities. The main problem with Netfilter is that it is over-configurable. It will assume nothing, thus leaving the entire configuration to you. Everyone on this list who knows the TCP state table well enough to reimplement it with Netfilter, please raise their hands.....? Didn't think so (without trying to claim that I CAN. Maybe I can, maybe I can't, haven't got around to doing it yet).

The main thing to understand is that the question, as asked, is meaningless. The question is not "How much can Linux tools do and what can't they do compared to Checkpoint's FW-1?". The question is "Can they pose an alternative?". The answer, as far as Netfilter stands today, is definitely yes, assuming you want to pay the price. I think people covered the places where the open source community is not even close to being "there", and the price needs to be paid.

If you want a feature-for-feature comparison, you will definitely find some features missing. The fact that no true "state" is kept (for example, no proper tracking of a connection's state, no ability to limit packets based on packets seen so far on the same connection), no control over timeouts (a side effect of the previous point), and no proper SYN attack protection (does Netfilter support SYN cookies on machines other than the gateway itself? Either way, SYN cookies are not an adequate solution on their own, in my opinion. For those who wonder, rate limiting is not a SYN attack protection AT ALL. It is more like throwing the baby out with the water). These are the most acute deficiencies of Netfilter I can think of at the moment.

Shachar

IMPORTANT DISCLAIMER
These are my opinions. Mine mine mine mine mine. My Preciousss. Sorry, I get distracted. The thing I am trying to say is that attributing these opinions to anyone else but me, whether I am connected to them or not, should be done at the attributer's discretion, and above all, responsibility.
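As an added example, not part of Shachar's post or of the list thread, here is a minimal, hypothetical connection tracker in Python that shows what the "state" discussed above means in practice: each packet is classified from what was already seen on its flow, so a bare ACK or SYN/ACK with no preceding handshake is rejected, and idle entries expire after a timeout. The Packet and ConnTracker names, the state names and the sample trace are all constructed for this illustration.

```python
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits as laid out in the header
Packet = namedtuple("Packet", "src sport dst dport flags ts")  # ts in seconds

class ConnTracker:
    """Simplified per-flow TCP handshake tracking with idle timeouts (hypothetical)."""

    def __init__(self, timeout=300.0):
        self.timeout = timeout
        self.table = {}  # (client, cport, server, sport) -> [state, last_seen]

    def classify(self, p):
        # Expire idle entries first: a stale half-open handshake must not be resumable.
        self.table = {k: v for k, v in self.table.items() if p.ts - v[1] <= self.timeout}
        fwd = (p.src, p.sport, p.dst, p.dport)  # client -> server
        rev = (p.dst, p.dport, p.src, p.sport)  # server -> client
        key = fwd if fwd in self.table else rev if rev in self.table else None
        syn_ack = p.flags & (SYN | ACK)
        if key is None:
            if syn_ack != SYN:                # only a bare SYN may open a flow
                return "INVALID"              # ACK or SYN/ACK with no handshake seen
            self.table[fwd] = ["SYN_SENT", p.ts]
            return "NEW"
        state = self.table[key][0]
        if p.flags & RST:                     # either side tears the flow down
            del self.table[key]
        elif state == "SYN_SENT" and key == rev and syn_ack == SYN | ACK:
            self.table[key] = ["SYN_RECV", p.ts]
        elif state == "SYN_RECV" and key == fwd and syn_ack == ACK:
            self.table[key] = ["ESTABLISHED", p.ts]
        elif state == "ESTABLISHED":
            self.table[key][1] = p.ts
        elif state == "SYN_SENT" and key == fwd and syn_ack == SYN:
            self.table[key][1] = p.ts         # SYN retransmit: still a new flow
            return "NEW"
        else:
            return "INVALID"                  # e.g. a data ACK before the SYN/ACK arrived
        return "ESTABLISHED"

def demo_trace():
    # Constructed sample: a handshake, traffic on it, a bare ACK from a host that never
    # handshook (a stateless "allow ACK" rule would pass it), then a packet after the idle timeout.
    t = ConnTracker(timeout=60.0)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    trace = [Packet(*c, *s, SYN, 0.0), Packet(*s, *c, SYN | ACK, 0.1),
             Packet(*c, *s, ACK, 0.2), Packet(*c, *s, ACK, 0.3),
             Packet("198.51.100.7", 5555, *s, ACK, 0.4), Packet(*c, *s, ACK, 100.0)]
    return [t.classify(p) for p in trace]
```

The demo returns NEW, ESTABLISHED, ESTABLISHED, ESTABLISHED, INVALID, INVALID: the unsolicited ACK and the post-timeout packet are both refused because nothing in the table vouches for them.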

Hetz Ben-Hamo wrote:

Hi people,

I have been debating with a friend of mine about this question:

As it stands today, can Linux be considered an FW-1 replacement? How much can Linux tools (iptables, etc.) do and what can't they do compared to Checkpoint's FW-1? (And I'm not talking about the GUI.)

I'm NOT talking about VPN or extras like that. (BTW, there's a rumor that there's a Linux VPN client beta from Checkpoint. Does anyone know where/how to get it or buy it?)

I would like to ask people with experience on this issue to answer please: sysadmins, security gurus, and other people with knowledge of this issue...

Thanks,
Hetz


=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]