Firewall Wizards mailing list archives
Re: Linux IPFilter
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 28 Feb 2002 08:06:03 -0500 (EST)
On Wed, 27 Feb 2002, rod.marten () domail maricopa edu wrote:
Has anyone seen a comparison between various commercial Firewalls (Cisco, Checkpoint) and a linux IPfilter based firewall? With the exception of possible configuration errors, is the IPfilter as secure as a commercial firewall? Lastly, has anyone had experiences using such firewalls in large environments? I am looking at deploying a firewall based on RedHat Linux hardened with Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration interface.
IPFilter is *BSD based unless you're planning on a 2.0.34 kernel; IPChains and IPTables are the Linux filtering solutions. I like to give tools time to stabilize before evaluating them, and the Linux packet filter code has a rate of change (as in "toss out the old stuff and do it differently") that I'm not comfortable in running at the moment. Add to that the implementation errors in the associated per-protocol stuff and it's not the best picture (certainly it's not been disastrous, but it hasn't been pristine either.)

IPFilter has also had its fair share of problems (as have commercial products, so nobody really has it "right" yet), but it's been around a lot longer and hasn't changed markedly in quite a while (state was the last major thing I can think of.) That's important if you're going to support a ruleset over time.

I've used IPFilter/NetBSD boxen as packet filters in a large environment, but only as a component of a multi-tiered solution that included application layer gateways (on different machines) and screening routers. PPro 200's were more than sufficient for 2-3,000 local users and ~35,000 e-mail users, even when aggressively returning RSTs for packets in response to /16 probes from the overly curious.

If I deploy a Linux firewall, I tend to use it as an application layer gateway rather than a packet filter (relying on routers to do the filtering on each side of it.) I'm more comfortable with the maturity of the parts of the OS necessary for that function (as well as my ability to muck with them.) If the Netfilter based stuff sticks around beyond 2.4, then I'll probably start evaluating it, but I'm pretty grumpy about what I use in firewalls.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
proberts () patriot net   which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
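The reply above describes the packet-filter tier of a layered design: a stateful IPFilter box that admits only the traffic the application gateways behind it expect, and answers unsolicited TCP probes with an RST instead of silently dropping them. The ruleset below is an added illustration of that configuration style and is not from the thread or from any of its posters. It assumes fxp0 is the outside interface, 192.0.2.10 is the mail relay that the SMTP gateway sits behind, and 10.0.0.0/8 is the internal network; all three are constructed values.

```ipf
# /etc/ipf.conf -- added example, not from the firewall-wizards thread.
# Assumed (constructed): fxp0 = outside interface, 192.0.2.10 = mail relay,
# 10.0.0.0/8 = internal network.
#
# ipf is last-match-wins unless a rule says "quick", so the first two rules
# are the logged default deny and every later rule that should be final is
# marked quick.

block in log on fxp0 all
block out log on fxp0 all

# Anti-spoofing: internal or loopback source addresses never arrive from outside.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Sessions originated inside: keep state so replies return without
# explicit inbound rules. "flags S" matches only the initial SYN.
pass out quick on fxp0 proto tcp from 10.0.0.0/8 to any flags S keep state
pass out quick on fxp0 proto udp from 10.0.0.0/8 to any keep state
pass out quick on fxp0 proto icmp from 10.0.0.0/8 to any keep state

# The only inbound TCP service: SMTP to the relay. Application-layer
# checking is left to the gateway tier behind this box.
pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state

# Any other inbound TCP gets an RST rather than a silent drop, and is logged.
block return-rst in log quick on fxp0 proto tcp from any to any
```

Load it with `ipf -Fa -f /etc/ipf.conf` and check the resulting rule order with `ipfstat -io`; non-TCP traffic not matched by a quick rule falls through to the logged default deny at the top, which is what you want when reviewing the logs for rule gaps.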
Current thread:
- Re: Linux IPFilter Paul D. Robertson (Mar 01)
- Re: Linux IPFilter rod.marten () domail maricopa edu (Mar 01)
- Re: Linux IPFilter George Ross (Mar 04)
- <Possible follow-ups>
- Re: Linux IPFilter R. DuFresne (Mar 01)
- Re: Linux IPFilter Les Barstow (Mar 01)
- Re:Re: Linux IPFilter mb_lima (Mar 01)