LinuxSA Mailing list archives
From: Mark Newton <newton@atdot.dotat.org>
To: Earnshaw, Mike <earnshawm@wa.switch.aust.com>
Date: Sat, 26 Feb 2000 06:54:54 +1030
Re: <REQ for comments> : Firewalls
On Fri, Feb 25, 2000 at 04:15:26PM +0800, Earnshaw, Mike wrote:
> I know Linux has firewall code built in, but in an honest explanation how
> effective is it with regards to commercial products like Firewall-1. I did
> initially think "well it can't be better, it's free", but then I remembered
> NT .... but I don't require responses that belittle one OS against another,
> even though it may be merited. I am requesting a more engineered answer:
> FW-1 is better because .... or Linux surpasses FW-1 in flexibility and ....
> etc.
FW-1 is supposed to do "stateful inspection," which effectively means
that each packet is examined in the context of the packets which have
arrived before it. So, for example, if you allow SMTP traffic through
it that doesn't mean you're permitting any ol' random TCP packet with a
destination of port 25, you'll only get packets which are SYN-ACKs or
continuations of existing SMTP sessions.
Whether this buys you anything is doubtful: You'd need some *serious*
bugs in your TCP stack to suffer damage from the kind of traffic FW-1's
stateful inspection blocks -- If you have that much lossage inside
your network you probably deserve to get hacked :-)
Note, incidentally, that NAT is just a variation on stateful inspection,
so it isn't like Linux can't be convinced to do it in the very small
number of cases when you'd actually want it anyway.
Ultimately, they both block packets, and they're both capable of
proxying network services. A firewall is a firewall; there really
isn't that much else that can distinguish them as long as they meet
those basic conditions :-)
- mark
--------------------------------------------------------------------
I tried an internal modem,            newton@atdot.dotat.org
but it hurt when I walked.            Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
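An added example, not from the post above nor from either product, of the distinction Mark draws between a plain port filter and stateful inspection: a static "port 25" rule beside a toy connection tracker that only admits SYN-ACKs and continuations of SMTP sessions opened from the inside. The inside/outside addressing (inside hosts are 10.x), the sample packets and the flag strings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a short string: "S", "SA", "A", "PA"

def is_inside(ip):
    # Constructed assumption: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")

def stateless_allow(pkt):
    """Static rule: anything touching port 25 passes, with no context.
    Note it also lets an attacker-chosen source port of 25 through."""
    return pkt.dport == 25 or pkt.sport == 25

class StatefulFilter:
    """Tracks SMTP flows. A SYN from inside to port 25 opens a flow; after
    that only packets matching a tracked flow (either direction) pass.
    A real tracker also follows flag sequence and teardown; omitted here."""
    def __init__(self):
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if is_inside(pkt.src) and pkt.dport == 25 and pkt.flags == "S":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return True  # outbound continuation of a tracked session
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # inbound reply (SYN-ACK, data) to a tracked session
        return False

# Constructed sample traffic: one legitimate session, then two unsolicited packets.
SAMPLE = [
    Packet("10.1.1.5", 40000, "192.0.2.10", 25, "S"),      # client SYN out
    Packet("192.0.2.10", 25, "10.1.1.5", 40000, "SA"),     # server SYN-ACK back
    Packet("10.1.1.5", 40000, "192.0.2.10", 25, "A"),      # handshake completes
    Packet("198.51.100.7", 31337, "10.1.1.5", 25, "PA"),   # random inbound to port 25
    Packet("198.51.100.7", 25, "10.1.1.5", 22, "S"),       # source port 25 aimed at SSH
]

def compare(packets=SAMPLE):
    """Return each filter's verdicts for the packet list, in order."""
    sf = StatefulFilter()
    return {"stateless": [stateless_allow(p) for p in packets],
            "stateful": [sf.allow(p) for p in packets]}
```

Running `compare()` shows the static rule passing all five packets, while the tracker passes only the three belonging to the session the inside host opened.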