Hey all.
I wanted to say thanks for all the advice.
Barry
-Original Message-
From: Jack Bates [mailto:jba...@brightok.net]
Sent: Thursday, November 10, 2011 6:06 PM
To: valdis.kletni...@vt.edu
Cc: nanog@nanog.org
Subject: Re: Firewalls - Ease of Use and Maintenance?
On 11/10/2011 12:24
On Wed, Nov 9, 2011 at 2:44 PM, Nick Hilliard n...@foobar.org wrote:
On 09/11/2011 19:07, C. Jon Larsen wrote:
As I said, it's not a pf problem. Commercial firewalls will do all this
sort of thing off the shelf. It's a pain to have to write scripts to do
this manually.
Ah... the high cost
The other high cost of free that people sometimes overlook is
liability. Many organizations want/need someone to hold the fire to in
the event of an issue. I believe in open source and am an advocate of
open source computing (this email is from my Debian (NOT UBUNTU) laptop
and my BSD
On Thu, Nov 10, 2011 at 08:52:22AM -0600, -Hammer- wrote:
The other high cost of free that people sometimes overlook is
liability.
Please point to an instance (case citation, please) where a commercial
firewall vendor has been successfully litigated against -- that is, held
responsible by a
OK. Right off the bat you know I can't and won't. But in some places it
is common practice to make sure agreements are in place to make sure all
parties are protected based on how a product is expected/designed to
perform. I can't say more than that. Realize I'm speaking about things
that are
In a message written on Thu, Nov 10, 2011 at 10:14:26AM -0500, Richard Kulawiec
wrote:
Please point to an instance (case citation, please) where a commercial
firewall vendor has been successfully litigated against -- that is, held
responsible by a court of law for a failure of their product to
-Original Message-
From: Leo Bicknell bickn...@ufp.org
Just ask folks like AutoZone or DaimlerChrysler how much it cost to use
Linux when they were sued by SCO and had to defend themselves. Sure,
they prevailed, but I bet tens of thousands of dollars were spent on
litigation.
Sure.
Your hypothetical scenario assumes you're the only organization
compromised by the flaw (or one of very few), and not #3972 on the list,
in which case the company could go bankrupt before a court can hear your
case, and the liability protection they offered you is worth the
electrons it's
Look, the thread was about considerations for various firewalls.
Eventually it spun off to be considerations and issues with Open Source
options. I was merely pointing out a consideration that some folks have
to take into account. You don't have to like it, agree with it, or even
believe it.
On Wed, Nov 9, 2011 at 12:44 PM, Nick Hilliard n...@foobar.org wrote:
On 09/11/2011 19:07, C. Jon Larsen wrote:
put the main portion of the conf in subversion as an include file and
factor out local differences in the configs with macros that are defined
in
pf.conf
Easy.
As I said, it's
On Thu, Nov 10, 2011 at 09:39:29AM -0600, -Hammer- wrote:
OK. Right off the bat you know I can't and won't.
Right. I know you can't and won't. I can't either. So we can
summarily dismiss all the concerns about liability because they
have no relationship to reality. You will not be suing
WOW. You really are naive
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/10/2011 12:12 PM, Richard Kulawiec wrote:
On Thu, Nov 10, 2011 at 09:39:29AM -0600, -Hammer- wrote:
OK. Right off the bat you know I can't and won't.
Right. I know you can't and won't. I
On Thu, 10 Nov 2011 12:12:21 CST, -Hammer- said:
WOW. You really are naive
I think Rich has been around long enough that he gets called a *lot* of things
(many of them non-complimentary), but this is the first time this century
anybody's called him *naive*... ;)
OK. Maybe I jumped too hard. But to tell me that what I'm referring to
has never happened (even though I've participated) just because he
hasn't heard of it is not the best way to approach an argument. When
these things happen, there are agreements in place so it's not
discussed. Especially
Litigation? Wow.
To answer the OP:
Any of the Cisco, Juniper, Sonic, Fortinet, etc can be easy to use to maintain.
But I'd make sure you have a good understanding of what you intend to do, and
what products will satisfy your needs. Demos are a good idea. One person's
definition of easy may
I changed my mind. I want to clear this up. Here is an example of where
a patent troll skipped over the manufacturer and went straight for the
end customer. There are dozens of these attacking all verticals and
manufacturers alike for various reasons.
On 11/10/2011 12:24 PM, valdis.kletni...@vt.edu wrote:
I think Rich has been around long enough that he gets called a *lot* of things
(many of them non-complimentary), but this is the first time this century
anybody's called him *naive*... ;)
Given that all of humankind is naive, it would be
On 9-11-2011 0:06, Jones, Barry wrote:
Hello all.
I am potentially looking at firewall products and wanted suggestions as to
the easiest firewalls to install, configure and maintain? I have a few small
networks ( 50 nodes at one site, 50 odd at another, and maybe 20 at another.
I have
On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
I am biased because I am a pfSense developer.
pfSense is a free open source FreeBSD based firewall with the pf
packet filter. http://www.pfsense.org
I'm a very happy user of m0n0wall and I know pfSense is often seen as
the more 'grown up'
On 9-11-2011 11:07, Tom Hill wrote:
On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
I am biased because I am a pfSense developer.
pfSense is a free open source FreeBSD based firewall with the pf
packet filter. http://www.pfsense.org
I'm a very happy user of m0n0wall and I know pfSense
On Wed, 2011-11-09 at 12:01 +0100, Seth Mos wrote:
That is correct, it is in the 2.1 branch. Our code has diverged a lot
from m0n0wall where it came from so porting it was not easy. Instead I
wrote the code from scratch.
I wrote the IPv6 code in pfSense 2.1 for the last year and I've been
You will find it very difficult to beat pf on OpenBSD for efficiency,
features, flexibility, robustness, and security. Maintenance is very
easy: edit a configuration file, reload, done.
---rsk
On 11/09/2011 03:22 PM, Richard Kulawiec wrote:
You will find it very difficult to beat pf on OpenBSD for efficiency,
features, flexibility, robustness, and security. Maintenance is very
easy: edit a configuration file, reload, done.
---rsk
An important feature lacking for now as far as I
On 11/09/2011 03:22 PM, Richard Kulawiec wrote:
You will find it very difficult to beat pf on OpenBSD for efficiency,
features, flexibility, robustness, and security. Maintenance is very
easy: edit a configuration file, reload, done.
An important feature lacking for now as far as I know
On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
An important feature lacking for now as far as I know is content/web
filtering especially for corporates wishing to block
inappropriate/time wasting content like facebook.
1. That's not a firewall function. That's a censorship
On 09/11/2011 12:22, Richard Kulawiec wrote:
You will find it very difficult to beat pf on OpenBSD for efficiency,
features, flexibility, robustness, and security. Maintenance is very
easy: edit a configuration file, reload, done.
There are several areas where pf falls down. One is
On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
An important feature lacking for now as far as I know is content/web
filtering especially for corporates wishing to block
inappropriate/time wasting content like facebook.
1. That's not a firewall function. That's a
I think that firewall/censorship is all semantics. The real question is
the scale of the environment and the culture of your shop and areas of
ownership.
I work in a large enterprise. Combining functions such as L3
firewalling with content filtering with url filtering with XXX can be
OH yeah!
MANAGEMENT: If you have a few FWs and you manage them independently life
is grand. But what if you have 20? 50? 100? and if 30-40 percent of the
policy is the same?
Cisco: NOTHING. Don't let them lie to you.
CheckPoint: Provider 1 and SmartManager.
Juniper: Not sure.
BSD/PFSense:
Hi, I'm at a smaller company that wanted not only firewall capabilities but
application level filtering.
We went with the Palo Alto Networks.
Story is the Palo Alto founder was formerly of Netscreen/Juniper.
Anyhow. We've not had any issues with the PA500's that we use in our
environment. They
On Wed, Nov 9, 2011 at 5:24 AM, Nick Hilliard n...@foobar.org wrote:
On 09/11/2011 12:22, Richard Kulawiec wrote:
You will find it very difficult to beat pf on OpenBSD for efficiency,
features, flexibility, robustness, and security. Maintenance is very
easy: edit a configuration file, reload,
An important feature lacking for now as far as I know is content/web
filtering especially for corporates wishing to block inappropriate/time
wasting content like facebook. Addition of this would place it on a par
with the best like Sonicwall and Fortinet.
At a previous employer, we utilized a
://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of Learn RouterOS
-Original Message-
From: -Hammer- [mailto:bhmc...@gmail.com]
Sent: Tuesday, November 08, 2011 5:32 PM
To: nanog@nanog.org
Subject: Re: Firewalls - Ease of Use and Maintenance?
You've worked with all the big dogs. What
On Wed, 09 Nov 2011 08:00:01 CST, Joe Greco said:
On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
An important feature lacking for now as far as I know is content/web
filtering especially for corporates wishing to block
inappropriate/time wasting content like facebook.
On 09/11/2011 15:18, Jonathan Lassoff wrote:
I've found that this works decently well, via pfsync.
I meant config sync, not state sync.
Nick
I meant config sync, not state sync.
I have multiple deployments of the config synchronization working just fine. :)
On Wed, 9 Nov 2011, Nick Hilliard wrote:
On 09/11/2011 15:18, Jonathan Lassoff wrote:
I've found that this works decently well, via pfsync.
I meant config sync, not state sync.
put the main portion of the conf in subversion as an include file and
factor out local differences in the
: Tuesday, November 08, 2011 5:32 PM
To: nanog@nanog.org
Subject: Re: Firewalls - Ease of Use and Maintenance?
You've worked with all the big dogs. What are you looking for?
Alternative options?
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/08/2011 05:06 PM, Jones, Barry
On Wed, 09 Nov 2011 08:00:01 CST, Joe Greco said:
On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
An important feature lacking for now as far as I know is content/web
filtering especially for corporates wishing to block
inappropriate/time wasting content like
On 09/11/2011 19:07, C. Jon Larsen wrote:
put the main portion of the conf in subversion as an include file and
factor out local differences in the configs with macros that are defined in
pf.conf
Easy.
As I said, it's not a pf problem. Commercial firewalls will do all this
sort of thing off
You've worked with all the big dogs. What are you looking for?
Alternative options?
-Hammer-
I was a normal American nerd
-Jack Herer
On 11/08/2011 05:06 PM, Jones, Barry wrote:
Hello all.
I am potentially looking at firewall products and wanted suggestions as to the
easiest firewalls to
As Hammer stated, you hit all the big ones.
ASA's are a classic fallback because of the stability implied by the Cisco
name. Complaints about them tend to be cost on getting all the shiny bits
attached to them (IDS, IPS, Content filtering). This coming from a Cisco
partner. I am not a
We work with many vendors' firewalls and our current favorites are Palo Alto
Networks - they're very full-featured and easy to manage.
www.paloaltonetworks.com
I don't want to get all sales-weasel on you but we can help if you want more
info as we are one of their premier partners.
P.S. -
It really depends on what constraints you have. Do you care about:
cost? performance? support?
Personally, for cost-constrained applications of 1 Gbit/s or less
(assuming modestly-sized packets, not all-DNS for example), I like
OpenBSD/pf or Linux/netfilter and generic x86 64-bit servers.
It's