Jonathan Ben-Avraham wrote:
> There are modules like ip_masq_ftp that do the same thing for almost any
> protocol.
>
Not exactly. Modules such as ip_masq_ftp enable NATing for
protocols that carry the IP in the protocol and such, but what
Firewall-1 does that ipchains doesn't is called "Stateful Inspection":
it keeps states on connections - it will actively change the "allowed
connection" table in response to states of the connection on all levels.
Now ipchains is a simple stateless packet filtering mechanism, it keeps
no connection states.
Netfilter (IPChains for 2.4.0 kernels), on the other hand, has a module
built on top of it (which is part of Netfilter) that tracks connections,
and therefore I believe allows for "Stateful Inspection" by Linux.
Another issue is VPN. Linux has VPN support but AFAIK it is limited.
The biggest "capabilities" difference though is management. There are some
mighty fine ipchains GUIs and the command line interface is one of the
best there is (and I *prefer* using CLIs over GUIs), but FW-1 GUI (On
Windows - it's the second of two reasons I run NT in VMware on my work
PC) with all its many flaws (in previous versions at least), is a
superior management interface. I can control all firewalling, VPN and
remote access points from one unified interface for all the networks and
servers I manage. In Linux I have to deal with IPchains, SSH, routing
tables and the like.
Now if someone will come and write a new firewall based on the new
Netfilter and add better VPN support and integrate all the management
into one interface he'll have a problem only with the reputation but
till then there is a capabilities gap between Linux (or Open Source) and
FW-1 on these terms.
All I have said is true for corporate level admin. For anything less
than that (or just poor ;-) plain Linux is one of the better options
(barring OpenBSD maybe).
Gilad.
--
Gilad Ben-Yossef <[EMAIL PROTECTED]>
http://benyossef.com :: +972(54)756701
"Don't confuse me with facts, my mind's already made up!"
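
The stateless versus stateful distinction drawn in the message above, as an added example that is not part of the original post and is not ipchains, Netfilter or FW-1 code. It is a toy TCP-only model; every name in it (Packet, stateless_allow, StatefulFilter, mk, verdicts) and the sample traffic are assumptions made for illustration.

```python
# Toy model, constructed for illustration: per-packet rule matching versus a
# connection table updated as traffic passes. TCP only, no timeouts/teardown.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags outbound")

def stateless_allow(pkt):
    """Judge each packet alone: allow outbound, and allow inbound unless it
    is a bare SYN (the usual 'looks like a reply' heuristic)."""
    return pkt.outbound or pkt.flags != {"SYN"}

class StatefulFilter:
    """Inbound packets must match a flow that an inside host opened."""
    def __init__(self):
        self.table = {}  # (inside ip, port, outside ip, port) -> state

    def allow(self, pkt):
        if pkt.outbound:
            if pkt.flags == {"SYN"}:  # inside host opens a flow: record it
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.table[key] = "SYN_SENT"
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"  # the table changes with the flow
            return True
        if state == "ESTABLISHED" and "SYN" not in pkt.flags:
            return True
        return False  # no matching entry, or flags wrong for the state

def mk(src, sport, dst, dport, flags, outbound):
    return Packet(src, sport, dst, dport, frozenset(flags.split("+")), outbound)

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    mk("192.0.2.10", 40000, "198.51.100.5", 80, "SYN", True),
    mk("198.51.100.5", 80, "192.0.2.10", 40000, "SYN+ACK", False),
    mk("198.51.100.5", 80, "192.0.2.10", 40000, "ACK", False),
    mk("203.0.113.9", 80, "192.0.2.10", 40001, "ACK", False),  # unsolicited
]

def verdicts(packets):
    """Return (stateless, stateful) allow decisions for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    print(verdicts(SAMPLE))
```

The last sample packet is the one that separates the two approaches: it carries ACK, so the per-packet rule accepts it, but it matches no flow in the connection table, so the stateful filter drops it.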