
Re: Sinus Firewall



On Tue, Dec 28, 1999 at 03:08:27AM +0100, Bernd Eckenfels wrote:
> Hallo Michael,

Thanks Bernd.


> Ok, one of the big advantages of sifi (as I evaluated the last time) is that
> since it is stateful, configuring it is quite easy, since you have to give
> only one rule to allow a TCP connection, and not 6 or more. It supports
> spoofing detection (was important for 2.0) itself and it can be scripted to
> do dynamic blocking. Therefore reconfiguration of the rulebase and adding of
> temporary rules is easier. It also supports some protocols better than
> ipchains does (IGMP, RIP, FTP). The gui is another neat thing, especially
> in combination with the daemon which can do a lot of useful logging and
> reporting, monitoring and connection killing. The main disadvantage was,

Sounds really interesting. However, I wasn't able to compile it so far. The
Java part simply does not compile. Neither on my Debian machine nor on a
SuSe test installation. Does anyone have a precompiled DEB?

> that it only supports 2 interfaces. I can't say much about stability.

Does not look like too much of a disadvantage, does it? Okay, there are some
(historic?) setups that ask the firewall to connect three nets: external,
internal and perimeter.

But if I had to choose I would prefer to have two firewalls anyway and get a
DMZ.

Or am I wrong on this? Once again I've spent quite some time doing different
things and now I'm pretty outdated with my info.

> Perhaps it is the best to go back to the old application proxies for some
> applications like FTP. An FTP proxy which is using a program to analyze the
> control channel and set up ipportfw/accept rules in kernel mode dynamically
> can be a good solution. You don't need to "pump" the FTP up/downloads through
> usermode but still have the possibility to intelligently filter the FTP

What exactly do you need this for? I can see two ways of FTP usage, either
incoming with no write permissions (normally) and outgoing. What really
caused me trouble the last time I set up a firewall was redirecting incoming
FTP to a M$ machine and enabling active usage.

Michael
-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!
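Added example (the editor's own, not code from this thread or from the Sinus Firewall project): what the "program to analyze the control channel" Bernd describes actually has to read off an FTP session before it can open the data connection in the packet filter, and the check it must make. Active mode announces the data endpoint in a PORT command from the client, passive mode in a 227 reply from the server, both as six decimal octets with the port encoded as p1*256+p2 (RFC 959). The helper refuses a PORT whose address is not the client's own (the classic FTP bounce) and privileged ports. The ipchains rendering, the hypothetical function names and the transcript are assumptions for illustration; the sample session is constructed, not captured.

```python
# Editor's added example: parse FTP control-channel announcements and derive the
# one-shot data-channel rule a dynamic firewall helper would install.
import ipaddress
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(
    r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> (IPv4Address, port); RFC 959 encodes the port as p1*256+p2."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % (octets,))
    host = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return host, octets[4] * 256 + octets[5]


def data_rule_from_control(line, direction, client, server):
    """Return the data flow to permit for one control-channel line, or None.

    direction is "c2s" (client command, active-mode PORT) or "s2c" (server
    reply, passive-mode 227). Raises ValueError for announcements the helper
    must refuse.
    """
    if direction == "c2s":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = parse_hostport(m.groups())
        # FTP bounce: the client may only direct the data connection to itself.
        if host != client:
            raise ValueError("PORT address %s is not the client %s" % (host, client))
        if port < 1024:
            raise ValueError("PORT to privileged port %d refused" % port)
        # Active mode: the server connects from port 20 to the announced port.
        return {"src": str(server), "sport": 20, "dst": str(host), "dport": port}
    if direction == "s2c":
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = parse_hostport(m.groups())
        # A server announcing a third party's address gets the same treatment.
        if host != server:
            raise ValueError("PASV address %s is not the server %s" % (host, server))
        if port < 1024:
            raise ValueError("PASV on privileged port %d refused" % port)
        # Passive mode: the client connects to the announced port from any port.
        return {"src": str(client), "sport": None, "dst": str(host), "dport": port}
    raise ValueError("direction must be 'c2s' or 's2c'")


def ipchains_rule(rule):
    """Render the flow as an ipchains forward rule (2.2-era syntax, assumed for illustration)."""
    src = rule["src"] + (" %d" % rule["sport"] if rule["sport"] is not None else "")
    return "ipchains -A forward -p tcp -s %s -d %s %d -j ACCEPT" % (
        src, rule["dst"], rule["dport"])


def walk_session(lines, client, server):
    """Run a transcript of (direction, line) pairs; collect allow/refuse decisions."""
    decisions = []
    for direction, line in lines:
        try:
            rule = data_rule_from_control(line, direction, client, server)
        except ValueError as e:
            decisions.append(("refuse", str(e)))
            continue
        if rule is not None:
            decisions.append(("allow", ipchains_rule(rule)))
    return decisions


# Constructed transcript (not captured from any real session); addresses are
# RFC 5737 documentation ranges.
CLIENT = ipaddress.IPv4Address("192.0.2.10")
SERVER = ipaddress.IPv4Address("198.51.100.5")
SAMPLE_SESSION = [
    ("c2s", "USER anonymous"),                                   # no data channel
    ("c2s", "PORT 192,0,2,10,4,1"),                              # active: client offers 1025
    ("s2c", "227 Entering Passive Mode (198,51,100,5,195,88)"),  # passive: server offers 50008
    ("c2s", "PORT 203,0,113,7,0,25"),                            # bounce attempt at a third host
]

if __name__ == "__main__":
    for verdict, detail in walk_session(SAMPLE_SESSION, CLIENT, SERVER):
        print(verdict, detail)
```

The rules a helper like this installs should be one-shot and removed again once the data connection closes, otherwise the rulebase accumulates holes; the address comparison is the part that stops the bounce attack, and it is exactly what a stateless ipchains rule set cannot express, which is why the thread talks about doing it from a program watching the control channel. For the redirected incoming FTP case Michael mentions, the passive-mode reply would also have to be rewritten to the firewall's external address, which the above does not attempt.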

