Firewall Wizards mailing list archives

Re: Differences between firewall-packages like FW-1 and packetfilter


From: Chris Brenton <cbrenton () sover net>
Date: Tue, 16 May 2000 07:13:34 -0400

"Dameon D. Welch-Abernathy" wrote:

Both do stateful filtering. FW-1 maintains state on TCP & UDP only. I
would have to review iptables to see if it includes anything else but I
know it at least covers these two as well.

Depending on what mood FireWall-1 is in, you can also have it do stateful
inspection of ICMP (as of 4.0).

But it's broken. It will not accept proper ICMP errors (for example
unreachable, TTL expired, etc.) back in unless you deal with it in a
static fashion. IMHO broken is no better than non-existent.

But what about PhoneBoy? (Though I suppose I don't answer *every* technical
query that comes across the list -- if I did, I wouldn't have a life!)

Dameon, you know I have the greatest respect for you and your site. I
strongly feel that you've probably done more to support FW-1 than anyone
else.

With that said, you do it because you want to, not because you work for
CP and they have given you a directive as part of supporting their
product. The same is true for Lance, Dave Long, and the multitude of
others who stepped up to the plate where CP has been lacking in their
support. My point was CP does very little to support their own product.
Taking Joe DiPietro's white paper area off-line is a good example.

[ The problem with INSPECT is ]
A) The language is undocumented (maybe 5 people in the world fully
understand it)

I'm trying to broaden my own understanding of it, but I assume the 5 people
in the world you are referring to work at Check Point. :-)

You've just kind of made my point. If people like you and Lance don't
feel fluent with Inspect, what chance does the average admin have of
leveraging this "feature"?

The basic language itself hasn't changed, though some of the built-in
functions have changed.

Agreed, but it was at least enough to break most of the modifications I
wrote for 3.x. If the language was documented, breaks would not have
happened because you would be aware of the changes. As it stands you
have to upgrade, see what breaks, and then figure out why. Not a happy
solution.

C) CP support will not talk to you if you've modified SI yourself

I think that's because of "A".

I also think it's because most of CP's direct support staff does not
understand Inspect either.

The big difference for me is the logging ability. FW-1 only logs the
first packet, does not report header info beyond IP & port numbers, and
in some cases lies about what it lets through and what it does not.

If you really wanted to, you could modify FireWall-1 to do this as well.
But again, it involves modifying INSPECT code... :-)

Given the above, I will *not* go there. ;)

Later!
Chris
-- 
**************************************
cbrenton () sover net

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
