Firewall Wizards mailing list archives

Re: Linux IPFilter


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 28 Feb 2002 08:06:03 -0500 (EST)

On Wed, 27 Feb 2002, rod.marten () domail maricopa edu wrote:

> Has anyone seen a comparison between various commercial Firewalls
> (Cisco, Checkpoint) and a linux IPfilter based firewall?  With the
> exception of possible configuration errors, is the IPfilter as secure as
> a commercial firewall?  Lastly, has anyone had experiences using such
> firewalls in large environments?
>
> I am looking at deploying a firewall based on RedHat Linux hardened with
> Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration
> interface.

IPFilter is *BSD based unless you're planning on a 2.0.34 kernel; IPChains 
and IPTables are the Linux filtering solutions.

I like to give tools time to stabilize before evaluating them, and the 
Linux packet filter code has a rate of change (as in "toss out the old 
stuff and do it differently") that I'm not comfortable in running at the 
moment.  Add to that the implementation errors in the associated 
per-protocol stuff and it's not the best picture (certainly it's not been 
disastrous, but it hasn't been pristine either.)

IPFilter has also had its fair share of problems (as have commercial 
products, so nobody really has it "right" yet), but it's been around a lot 
longer and hasn't changed markedly in quite a while (state was the last 
major thing I can think of.)  That's important if you're going to support a 
ruleset over time.

I've used IPFilter/NetBSD boxen as packet filters in a large environment, 
but only as a component of a multi-tiered solution that included 
application layer gateways (on different machines) and screening routers.  
PPro 200's were more than sufficient for 2-3,000 local users and ~35,000 
e-mail users, even when aggressively returning RSTs for packets in 
response to /16 probes from the overly curious.

If I deploy a Linux firewall, I tend to use it as an application layer 
gateway rather than a packet filter (relying on routers to do the 
filtering on each side of it.)  I'm more comfortable with the maturity of the 
parts of the OS necessary for that function (as well as my ability to 
muck with them.)  If the Netfilter based stuff sticks around beyond 2.4, then 
I'll probably start evaluating it, but I'm pretty grumpy about what I use in 
firewalls.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards