
Re: Sinus Firewall



Hello Michael,

(this is a response to Michael Meskes asking about the differences of the IP
packet filters available for Linux. Since my summary is rather long I guess
I will post it to some additional mailing lists :)

On Mon, Dec 27, 1999 at 07:24:56PM +0100, Michael Meskes wrote:
> I really would like to know that since testing takes too much time. :-)

Ok, one of the big advantages of sifi (as I evaluated the last time) is that
since it is stateful, configuring it is quite easy, since you have to give
only one rule to allow a TCP connection, and not 6 or more. It supports
spoofing detection (was important for 2.0) itself and it can be scripted to
do dynamic blocking. Therefore reconfiguration of the rulebase and adding of
temporary rules is easier. It also supports some protocols better than
ipchains does (IGMP, RIP, FTP). The GUI is another neat thing, especially
in combination with the daemon which can do a lot of useful logging and
reporting, monitoring and connection killing. The main disadvantage was
that it only supports 2 interfaces. I can't say much about stability.

ipchains on the other hand, which is not stateful, has its biggest disadvantages
in the number of rules you need to configure it tight, and in that it isn't
stateful then. The reporting/monitoring/logging requires external tools if
you want to make it comprehensive.

Scripts like fwctl (Debian package) really lower the pain for setting up the
ipchains rules (since you use one rule which is used to produce all the
depending rules). I currently use fwctl to configure ipchains and am very
happy with it (especially less skilled admins can work with it). Automatic
rule generators and firewall rule compilers/GUIs (FCT, ipfwadm
dotfile, mason, DNi, TkFirewall, gfcc) help you, too.

BTW: fwctl does not remove the need for deny rules for smaller, included
networks (i.e. if you allow access to the INTERNET object, this will allow
access to all other destination addresses - including local firewall
addresses - too). I hope netfilter will make this better since fwctl won't
feature that unless somebody starts to add it :)

Another option is ipfilter, btw! It combines ipchains rules with stateful
rules and a "best-match" strategy... lowering the number of needed rules
very much. Sadly there were a lot of glibc compile problems and therefore I
am not sure if a current Linux port and kernel modules exist. But if
*BSD/SUN is an option, definitely look into that cool tool.

As I said already, netfilter is developing to be a neat successor to
ipchains, with additional support like a unified state management. And there
is commercial sponsoring (WatchGuard).

A word about statefulness: personally I like stateful solutions because
they are easy (and therefore less error prone) to configure because there
are fewer rules. Advantages like denying stealth scans or some fancy DoS
attacks are not so important for me. If I care about those I really would use
application filters. Of course "stateful inspection" can add some features
to packet filtering if you want to restrict protocol usage (e.g. restrict use
of the FTP DELE command). But that's another case for application level
proxies (at least in low traffic setups).

Another, rather unknown tool is spf from Brian Murrell; it's adding and
deleting rules by a userspace daemon in an ipchains setup.

Perhaps it is best to go back to the old application proxies for some
applications like FTP. An FTP proxy which is using a program to analyze the
control channel and set up ipportfw/accept rules in kernel mode dynamically
can be a good solution. You don't need to "pump" the FTP up/downloads through
usermode but still have the possibility to intelligently filter the FTP
control channel. Not sure if any free proxies do that, currently. But I
haven't looked into juniper or the SuSE Proxy KIT in the last few months.

Okay, here is a list of some of the mentioned tools
(more from www.freefire.org)

a) fwtk (perl modules to configure ipchains)
http://indev.insu.com/Fwctl/fwctl.html
http://www.rustcorp.com/linux/ipchains/

b) netfilter (next generation of linux kernel firewall)
http://netfilter.kernelnotes.org/

c) SINUS Firewall (statefull linux kernel firewall)
http://www.ifi.unizh.ch/ikm/SINUS/firewall/

d) spf
ftp://ftp.interlinx.bc.ca/pub/spf

e) ipfilter
http://cheops.anu.edu.au/~avalon/ip-filter.html

commercial:
http://www.progressive-systems.com/firewall.html
http://www.watchguard.com/

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
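The mail's main point, that a stateless filter like ipchains needs a rule for each direction (plus a SYN check on the reply rule) where a stateful filter needs one, is easy to see in a toy model. The following is an added example, not code from the mail or from any of the tools it lists; the packets, networks and rule semantics are constructed, and the `allow_syn=False` flag stands in for ipchains' `! -y` (match only packets that are not a bare SYN). First match wins, as in an ipchains chain, and the default policy is DENY.

```python
"""Stateless (ipchains-style) vs. stateful packet filtering, as a toy model.

Added example with constructed packets and rules; not from the original mail.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # True for a TCP SYN without ACK (connection request)


@dataclass
class Rule:
    """One ipchains-like rule: match on direction, source/dest net and ports.
    allow_syn=False models ipchains' '! -y': the rule matches only non-SYN packets."""
    direction: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    allow_syn: bool = True
    action: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if p.syn_only and not self.allow_syn:
            return False
        return True


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins (ipchains chain semantics); default policy DENY."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"


class StatefulFilter:
    """Rules describe permitted *new* connections; replies are matched against
    a state table instead of needing a rule of their own."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()  # (client, cport, server, sport) of open connections

    def filter(self, p: Packet) -> str:
        if (p.src, p.sport, p.dst, p.dport) in self.state:
            return "ACCEPT"                      # further packet of a known flow
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT"                      # reply to a known flow
        if not p.syn_only:
            return "DENY"                        # non-SYN with no state: not ours
        verdict = stateless_filter(self.rules, p)
        if verdict == "ACCEPT":
            self.state.add((p.src, p.sport, p.dst, p.dport))
        return verdict


LAN, ANY = "10.0.0.0/8", "0.0.0.0/0"   # constructed sample networks

# Constructed sample traffic: a LAN client opening an HTTP connection, the
# server's reply, and an unrelated inbound SYN that happens to use source port 80.
OUT = Packet("out", "10.1.2.3", 40000, "198.51.100.7", 80, syn_only=True)
REPLY = Packet("in", "198.51.100.7", 80, "10.1.2.3", 40000)
PROBE = Packet("in", "203.0.113.9", 80, "10.1.2.3", 22, syn_only=True)

NAIVE_STATELESS = [Rule("out", LAN, ANY, dport=80),
                   Rule("in", ANY, LAN, sport=80)]                   # reply rule, no '! -y'
TIGHT_STATELESS = [Rule("out", LAN, ANY, dport=80),
                   Rule("in", ANY, LAN, sport=80, allow_syn=False)]  # reply rule with '! -y'
STATEFUL_RULES = [Rule("out", LAN, ANY, dport=80)]                   # one rule is enough


def demo() -> dict:
    """Verdicts of the three configurations on the same three packets."""
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "naive_stateless": {n: stateless_filter(NAIVE_STATELESS, p)
                            for n, p in (("out", OUT), ("reply", REPLY), ("probe", PROBE))},
        "tight_stateless": {n: stateless_filter(TIGHT_STATELESS, p)
                            for n, p in (("out", OUT), ("reply", REPLY), ("probe", PROBE))},
        # order matters for the stateful filter: OUT creates the state REPLY relies on
        "stateful": {n: sf.filter(p)
                     for n, p in (("out", OUT), ("reply", REPLY), ("probe", PROBE))},
    }


if __name__ == "__main__":
    for config, verdicts in demo().items():
        print(config, verdicts)
```

The naive two-rule stateless set accepts the inbound SYN to port 22 because its reply rule only looks at the source port; adding the `! -y` equivalent closes that, at the cost of one more thing to get right per service. The stateful filter needs only the outbound rule: the reply is accepted from the state table, and the unrelated SYN is denied because no rule permits new inbound connections. This is exactly the "one rule instead of 6 or more" trade-off the mail describes.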