Firewall Wizards mailing list archives
Re: Differences between firewall-packages like FW-1 and packetfilter
From: Chris Brenton <cbrenton () sover net>
Date: Tue, 16 May 2000 07:13:34 -0400
"Dameon D. Welch-Abernathy" wrote:
> > Both do stateful filtering. FW-1 maintains state on TCP & UDP only. I would have to review iptables to see if it includes anything else but I know it at least covers these two as well.
>
> Depending on what mood FireWall-1 is in, you can also have it do stateful inspection of ICMP (as of 4.0).
But it's broken. It will not accept proper ICMP errors (for example unreachable, TTL expired, etc.) back in unless you deal with it in a static fashion. IMHO broken is no better than non-existent.
> > But what about PhoneBoy?
>
> (Though I suppose I don't answer *every* technical query that comes across the list -- if I did, I wouldn't have a life!)
Dameon, you know I have the greatest respect for you and your site. I strongly feel that you've probably done more to support FW-1 than anyone else. With that said, you do it because you want to, not because you work for CP and they have given you a directive as part of supporting their product. The same is true for Lance, Dave Long, and the multitude of others who stepped up to the plate where CP has been lacking in their support. My point was CP does very little to support their own product. Taking Joe DiPietro's white paper area off-line is a good example.
> > [ The problem with INSPECT is ] A) The language is undocumented (maybe 5 people in the world fully understand it)
>
> I'm trying to broaden my own understanding of it, but I assume the 5 people in the world you are referring to work at Check Point. :-)
You've just kind of made my point. If people like you and Lance don't feel fluent with Inspect, what chance does the average admin have of leveraging this "feature"?
> The basic language itself hasn't changed, though some of the built-in functions have changed.
Agreed, but it was at least enough to break most of the modifications I wrote for 3.x. If the language was documented, breaks would not have happened because you would be aware of the changes. As it stands you have to upgrade, see what breaks, and then figure out why. Not a happy solution.
> > C) CP support will not talk to you if you've modified SI yourself
>
> I think that's because of "A".
I also think it's because most of CP's direct support staff does not understand Inspect either.
> > The big difference for me is the logging ability. FW-1 only logs the first packet, does not report header info beyond IP & port numbers, and in some cases lies about what it lets through and what it does not.
>
> If you really wanted to, you could modify FireWall-1 to do this as well. But again, it involves modifying INSPECT code... :-)
Given the above, I will *not* go there. ;)

Later!
Chris

--
**************************************
cbrenton () sover net
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
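The check Chris describes FW-1 as failing to do, as an added example that is not from the thread and not Check Point or iptables code: a stateful filter looks inside an inbound ICMP error (unreachable, TTL expired, etc.) at the embedded header of the datagram that triggered it, and accepts the error only if that datagram belongs to a flow already in the state table. The addresses, ports and state table are constructed for the demonstration.

```python
import socket
import struct
from typing import Optional, Set, Tuple

# A flow as the state table records it: (proto, src, sport, dst, dport), outbound direction.
FlowKey = Tuple[int, str, int, str, int]
ICMP_ERROR_TYPES = {3, 4, 11, 12}   # dest unreachable, source quench, time exceeded, param problem

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for an IPv4 datagram, or None if it is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def related_flow(pkt: bytes, table: Set[FlowKey]) -> Optional[FlowKey]:
    """If pkt is an ICMP error whose embedded datagram belongs to a tracked flow, return that flow."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[0] != 1:            # not ICMP at all
        return None
    icmp = outer[3]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None                               # echo request/reply etc. are not errors about a flow
    inner = parse_ipv4(icmp[8:])                  # RFC 792: offending IP header + first 8 bytes of L4
    if inner is None or inner[0] not in (6, 17) or len(inner[3]) < 4:
        return None                               # only TCP/UDP flows are tracked here
    sport, dport = struct.unpack("!HH", inner[3][:4])
    key: FlowKey = (inner[0], inner[1], sport, inner[2], dport)
    return key if key in table else None          # same direction as the original outbound packet

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test datagram; checksum left zero since the matcher does not verify it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: one tracked outbound TCP flow, a TTL-expired error from a transit router that
# embeds that flow's SYN (ports + sequence number = first 8 bytes of TCP), and an unrelated error.
STATE_TABLE: Set[FlowKey] = {(6, "10.0.0.5", 40000, "203.0.113.9", 80)}
ORIGINAL_SYN = build_ipv4("10.0.0.5", "203.0.113.9", 6, struct.pack("!HHI", 40000, 80, 1))
TTL_EXPIRED = build_ipv4("198.51.100.1", "10.0.0.5", 1, struct.pack("!BBHI", 11, 0, 0, 0) + ORIGINAL_SYN)
UNRELATED = build_ipv4("198.51.100.1", "10.0.0.5", 1, struct.pack("!BBHI", 3, 1, 0, 0)
                       + build_ipv4("10.0.0.5", "192.0.2.44", 6, struct.pack("!HHI", 40001, 443, 1)))

if __name__ == "__main__":
    print(related_flow(TTL_EXPIRED, STATE_TABLE))   # the flow tuple: pass the error in as RELATED
    print(related_flow(UNRELATED, STATE_TABLE))     # None: no tracked flow, drop it
```

A filter that skips the embedded-header match can only pass ICMP errors with a static rule, which is the choice Chris objects to above.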