Firewall Wizards mailing list archives
Re: Open Source Personal Firewall?
From: Charles Swiger <cswiger () mac com>
Date: Fri, 12 Dec 2003 13:41:37 -0500
On Dec 7, 2003, at 10:29 PM, Breno Jacinto wrote:
> I've been looking for an OSS Personal Firewall (PF) but googling for one had no results. Of course we have great options for real firewalls (pf is pretty decent), but I'm looking for a solution for the grandma-like user. Any take?
Googling for "firewall open source" should produce significant numbers of relevant examples. You haven't mentioned what capabilities this firewall should have, although anything reasonable will have a baseline of simple packet filtering, stateful packet filtering, NAT, and some combination or subset of DHCP/zeroconf/UPnP for internal hosts. (1)
Are you looking for an appliance, or are you looking to install OSS software onto an existing machine (presumably commodity Intel hardware)? If the latter, you could start with OpenBSD or a hardened flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the author of IPFW).
> What about the commercial ones, such as Zonealarm, BlackIce etc.. any good recommendations (as well as bad ones)?
If grandma already has a Linksys multiport broadband router, using the bundled firewall is likely to be an easier solution than adding another device, particularly if grandma doesn't really understand what a network is and would like someone else to plug in all of the cables for her. :-)
> After reading the 'Personal Firewall FAQ' (www.fefe.de/pffaq), which is way radical; a quote: "You can't improve security of an untrusted system by installing another untrustworthy piece of software. You don't have the source code for the operating system or for the new piece of software, so it is impossible to verify that it does anything at all, let alone improve security.
The people who host this list perform testing and auditing of firewall devices. It most certainly is possible to determine whether a firewall "does anything at all", and it is fairly easy to show that even trivial firewall rules (permit established, permit outbound keeping state, deny the rest) improve security quite a bit over having directly routable machines.
> A firewall is a computer security concept, not a piece of software. Vendors selling you a piece of software (or even a piece of hardware) under the label "firewall" are defrauding you."
A firewall is a security concept, agreed, but a firewall consists of software running on a physical machine or device of some sort, with an appropriate network topology to segregate traffic, which implements a security policy.
-- 
-Chuck

1: And it's been the latter which has tended to result in bugs with most firewalls, another example of the classic tradeoff between ease-of-use and security...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
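The reply above argues that even the trivial ruleset "permit established, permit outbound keeping state, deny the rest" is a measurable improvement over a directly routable machine. The following is an added example, not code from the list post or from any firewall product mentioned in it: a toy stateful filter that applies exactly those three rules to a handful of constructed packets, and a stateless "established" check (ACK bit set) alongside it for contrast. The packet format, the addresses (RFC 5737 documentation ranges) and the sample traffic are all assumptions made for the illustration. On pf the same policy is essentially `block all` followed by `pass out keep state`; the point of the simulation is to show why the state table, not the packet's flags, should decide what counts as "established".

```python
"""Toy stateful packet filter: permit established, permit outbound
keeping state, deny the rest.  Added example for illustration only;
packet layout, addresses and traffic are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str      # "out" = leaving the protected net, "in" = arriving from outside
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Tracks outbound flows and admits only their replies inbound."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) for every flow
        # an inside host has opened; this is the "keep state" part.
        self.state = set()

    def evaluate(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Rule 2: permit outbound and remember the flow.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Rule 1: permit established, meaning a reply to a flow we tracked.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass"
        # Rule 3: deny the rest (unsolicited inbound traffic).
        return "deny"


def stateless_established(pkt: Packet) -> str:
    """Classic stateless ACL reading of 'established': trust the ACK bit.
    Kept here only to contrast with the state-table decision above."""
    if pkt.direction == "out" or pkt.ack:
        return "pass"
    return "deny"


# Constructed sample traffic (not a real capture):
SAMPLE_TRAFFIC = [
    # inside host opens a web connection
    Packet("192.0.2.10", "198.51.100.5", 51234, 80, "out", syn=True),
    # the server's reply to that connection
    Packet("198.51.100.5", "192.0.2.10", 80, 51234, "in", syn=True, ack=True),
    # unsolicited inbound connection attempt to a file-sharing port
    Packet("203.0.113.7", "192.0.2.10", 40000, 139, "in", syn=True),
    # inbound packet with ACK set but no matching flow in the state table
    Packet("203.0.113.7", "192.0.2.10", 40000, 139, "in", ack=True),
]


def run_stateful(traffic=SAMPLE_TRAFFIC):
    """Decisions of the three-rule stateful policy, in packet order."""
    fw = StatefulFilter()
    return [fw.evaluate(p) for p in traffic]


def run_stateless(traffic=SAMPLE_TRAFFIC):
    """Decisions of the flag-based 'established' check, in packet order."""
    return [stateless_established(p) for p in traffic]


if __name__ == "__main__":
    for pkt, s, l in zip(SAMPLE_TRAFFIC, run_stateful(), run_stateless()):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateful={s:<4} stateless={l}")
```

Running the script shows the two policies agree on the first three packets (the outbound request passes, its reply passes, the unsolicited SYN is denied) and disagree on the fourth: the state-table filter denies an inbound packet for which no inside host ever opened a flow, whereas the ACK-bit rule lets it through. That gap is why "keeping state" belongs in even the most minimal ruleset.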
Current thread:
- Open Source Personal Firewall? Breno Jacinto (Dec 11)
- Re: Open Source Personal Firewall? Charles Swiger (Dec 12)
- Re: Open Source Personal Firewall? Breno Jacinto (Dec 13)
- Re: Open Source Personal Firewall? Charles Swiger (Dec 14)
- Re: Open Source Personal Firewall? Breno Jacinto (Dec 13)
- <Possible follow-ups>
- RE: Open Source Personal Firewall? Petreski, Samuel (Dec 12)
- Re: Open Source Personal Firewall? Charles Swiger (Dec 12)