You fail to see my point. PMfirewall is just a GUI frontend to ipchains. And to get the terminology straight, see http://freshmeat.net/projects/pmfirewall/?highlight=pmfirewall :

"PMFirewall is an Ipchains Firewall and Masquerading Configuration Utility for Linux. It is designed to allow a beginner to build a custom firewall with little or no ipchains experience. This firewall should work for most Workstations, Servers, and Dual NIC routers using either a dialup, DSL, Cable, or LAN setup. It is restrictive to outside attacks while still being as transparent as possible to those inside."

bleh
-miah

On Sat, Dec 09, 2000 at 12:48:59AM +0100, Oliver Hensel wrote:
Hi
On Fri, 8 Dec 2000 jjohnson@penguincomputing.com wrote:
And if you read the list, you will realize that I was referencing PMfirewall. Which is a frontend to ipchains.
True, but IPCHAINS is *not* (just like PMfirewall, SINUS, gfcc, and all those other front ends) an alternative to FWTK or any other proxy-based and/or stateful firewall. IPCHAINS can perfectly act as part of a complete firewall solution, but many other routers (every "enterprise" strength router) have a built-in packet filter with much higher performance and more reliability (no moving parts!).
My posting was not only directed at your suggestion, in fact I agree with you pretty much. I just wanted to point out that IPCHAINS has not at all the functionality you get from proxy servers.
Greetings olli
Thanks -miah
On Sat, Dec 09, 2000 at 12:07:25AM +0100, Oliver Hensel wrote:
Hi.
On Fri, 8 Dec 2000 jjohnson@penguincomputing.com wrote:
If you are going to take the time to use the built-in firewalling code in Linux, why would you use a frontend to the program to modify the rules? Ipchains is *easy* to use.
-miah
Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux IPFWADM/IPCHAINS/NetFilter are fundamentally different things:
FWTK provides proxy servers (nothing passes the firewall without being checked on layer 5/6/7), so you could filter based on content and whatnot (don't know if FWTK itself does that, due to availability of better proxy servers like dnsserver, smtpd, squid etc I didn't bother to look at it in depth)
Linux IPFWADM/IPCHAINS/NetFilter is only a packet filter, checking on layer 3/4 (IP/TCP/UDP/ICMP). Add to that that the former two (under Linux 2.0/2.2) only have static checking available, whereas the much better NetFilter code with dynamic (stateful) inspection is not yet ready for prime time, since it's based on a developmental kernel which is not recommendable for something as sensitive as a firewall.
Hope that clears up some (mis-)conceptions.
Greetings olli
On Fri, Dec 08, 2000 at 11:31:44AM -0500, Fred A. Miller wrote:
jjohnson@penguincomputing.com wrote:
TIS FWTK is a complete waste of time.
PMFirewall is VERY easy to use, and so far as I know, works on ALL "flavors" of Linux.
Fred
--
Fred A. Miller, Systems Administrator, Cornell Univ. Press Services, fm@cupserv.org
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--
Oliver Hensel <oliver.hensel@gmx.net> <ohensel@security-academy.de> http://www.ohensel.de/
Training + Consulting
Unix - Linux - Firewalls - Security
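An added illustration of the static-vs-stateful distinction Oliver draws in the thread above (example code, not from anyone on this list; the addresses, ports and the rule set are constructed). A static ipchains-style rule can only look at each packet's own headers, so it typically lets through any inbound TCP segment that is not a bare SYN; a stateful filter additionally checks that an inside host actually opened the connection.

```python
# Toy model of the difference between static packet filtering (ipchains-like)
# and stateful inspection. All addresses and ports below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    sport: int     # source TCP port
    dport: int     # destination TCP port
    syn: bool      # SYN flag set
    ack: bool      # ACK flag set


INSIDE = {"192.0.2.10"}   # constructed "internal host" address


def static_filter(pkt: Packet) -> bool:
    """Static check: only the packet itself is inspected.
    Rule set: anything from inside may leave; inbound TCP is accepted unless it
    is a connection-opening SYN (the classic ipchains '-p tcp ! -y' idiom)."""
    if pkt.src in INSIDE:
        return True
    return not (pkt.syn and not pkt.ack)


class StatefulFilter:
    """Stateful check: inbound packets are accepted only if they belong to a
    connection that an inside host opened first."""

    def __init__(self) -> None:
        # entries: (inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.src in INSIDE:
            if pkt.syn and not pkt.ack:        # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def demo() -> dict:
    """Run three packets through both filters and return the verdicts."""
    sf = StatefulFilter()
    out_syn = Packet("192.0.2.10", "198.51.100.5", 40000, 80, syn=True, ack=False)
    synack = Packet("198.51.100.5", "192.0.2.10", 80, 40000, syn=True, ack=True)
    # unsolicited inbound segment with only ACK set and no prior connection
    stray = Packet("198.51.100.7", "192.0.2.10", 4444, 22, syn=False, ack=True)
    pkts = (out_syn, synack, stray)
    return {"static": [static_filter(p) for p in pkts],
            "stateful": [sf.check(p) for p in pkts]}
```

The stray ACK-only segment is accepted by the static rule set but dropped by the stateful one, which is the gap Oliver refers to when he says the 2.0/2.2 tools only have static checking.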