Firewall Wizards mailing list archives

Re: Open Source Personal Firewall?


From: Charles Swiger <cswiger () mac com>
Date: Fri, 12 Dec 2003 13:41:37 -0500

On Dec 7, 2003, at 10:29 PM, Breno Jacinto wrote:
  I've been looking for an OSS Personal Firewall (PF) but googling for one
  had no results. Of course we have great options for real firewalls (pf
  is pretty decent), but I'm looking for a solution for the grandma-like user. Any take?

Googling for "firewall open source" should produce significant numbers of relevant examples. You haven't mentioned what capabilities this firewall should have, although anything reasonable will have a baseline of simple packet filtering, stateful packet filtering, NAT, and some combination or subset of DHCP/zeroconf/uPnP for internal hosts. (1)

Are you looking for an appliance, or are you looking to install OSS software onto an existing machine (presumably commodity Intel hardware)? If the latter, you could start with OpenBSD or a hardened flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the author of IPFW).

  What about the commercial ones, such as Zonealarm, BlackIce etc.. any
  good recommendations (as well as bad ones)?

If grandma already has a Linksys multiport broadband router, using the bundled firewall is likely to be an easier solution than adding another device, particularly if grandma doesn't really understand what a network is and would like someone else to plug in all of the cables for her. :-)

  After reading the 'Personal Firewall FAQ' (www.fefe.de/pffaq), which
  is way radical; a quote:

"You can't improve security of an untrusted system by installing another untrustworthy piece of software. You don't have the source code for the operating system or for the new piece of software, so it is impossible to
verify that it does anything at all, let alone improve security.

The people who host this list perform testing and auditing of firewall devices. It most certainly is possible to determine whether a firewall "does anything at all", and it is fairly easy to show that even trivial firewall rules (permit established, permit outbound keeping state, deny the rest) improve security quite a bit over having directly routable machines.

A firewall is a computer security concept, not a piece of software. Vendors selling you a piece of software (or even a piece of hardware) under the label "firewall" are defrauding you."

A firewall is a security concept, agreed, but a firewall consists of software running on a physical machine or device of some sort, with an appropriate network topology to segregate traffic, which implements a security policy.

--
-Chuck

1: And it's been the latter which has tended to result in bugs with most firewalls, another example of the classic tradeoff between ease-of-use and security...
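For readers who want to see what the "trivial firewall rules" in the reply look like in practice, here is an added pf.conf fragment (not from the post or from any project Chuck mentions) implementing "permit established, permit outbound keeping state, deny the rest". The external interface name em0 is an assumption; pf expresses "permit established" through its state table rather than a separate rule.

```pf
# Added example, not part of the original message.
# Assumption: the external (Internet-facing) interface is em0.
ext_if = "em0"

set skip on lo0                  # never filter loopback traffic

# "deny the rest": any unsolicited inbound packet on the external interface
# is dropped and logged (pflog0), so probes show up for later review.
block drop in log on $ext_if all

# "permit outbound keeping state": every connection this host opens creates
# a state-table entry. Replies are matched against that entry, which is how
# pf provides "permit established" without trusting TCP flags in the packet.
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

Syntax-check a ruleset without loading it with `pfctl -nf /etc/pf.conf`; once loaded, `pfctl -ss` shows the state entries that inbound replies are matched against.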

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards