I just want to make sure you read it in the right tone, because it feels
like I touched a nerve. I was using ipchains for a few months, then
netfilter
from 2.3.22, stayed with 2.3.33 for about a year and just moved 8 months
ago to 2.4.4, which is OK for me as a SOHO to medium business firewall,
depending on application needs and performance issues.
OK, my comments are below:
> -----Original Message-----
> From: Oded Arbel [mailto:oded@;typo.co.il]
> Sent: Friday, November 01, 2002 11:18 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: big question: FW-1 VS. Linux security tools
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday, 28 October 2002, 08:00, Tzahi Fadida wrote on 'RE:
> big question: FW-1
> VS. Linux security tools':
> > Netfilter is not yet there because of the GUI and tools FW-1 has and
> > Linux doesn't
>
> Hetz specifically asked not to factor in the GUI and tools

He asked, but that doesn't mean it can be ignored or factored out so
quickly.

>
> > and by tools, I don't mean software that some kids wrote,
>
> Hey - don't degrade kids who write software - some of the
> best software in the
> world was written by kids

That's a POV, obviously, since I don't remember Checkpoint being written by
kids :)

>
> > I mean tools
> > that can interact with the firewall and with the rules, like virus
> > scanning, VPN, and IDS, etc. Checkpoint has standards for
> these, and
> > Linux doesn't
>
> Standards? As in - we set the rules, you follow? Yes - Linux

I beg to differ. Linux doesn't have a standard like OPSEC. OPSEC is not
only
a set of rules or some technology, it's a framework that is backed by
major
companies (325, they say). And today you can't really get a good firewall
without
these integrated tools to complement it. If you don't, then, as I said,
you get a lesser firewall.

> has those. with
> NetFilter you can set up rules to filter packets into a
> userland target which

was not agreed on by any consortium or even a nice mailing list, just the
guys
who wrote netfilter; I have been on the mailing list for a few years now.

> can do just about anything you want. the fact that no
> commercially available
> software has been written to take advantage of it (at least
> AFAIK), does not
> mean that the firewall itself is not good. FW-1 does not have

Far from it; the firewall is good, but it's "NOT THERE YET".

> those tools
> built in either - you need to buy them externally. so with

Of course it does. No disrespect, really, I could be wrong too, but
check this: http://www.opsec.com/opsecdownload.html
The tools are free, even for Linux. As for the cost of commercially
distributing your product based on them, I didn't talk to them, but my
guess is that
if you really want, you can find some way to get it (if you have a good
product)
to be sold non-profitably (after all, you will be advancing their
product).

> NetFilter : it has
> the capabilities, now go write your external tools

Why should I? I have 325 companies who already did the job for me.
On the other hand, if I don't need the BEST solution, I would certainly
choose Linux as my first choice.

>
> > In addition there are products from Checkpoint that are
> hardware based
> > and can surely outperform Linux on an x86 computer any day
>
> Let me guess what OS is running those hardware based
> products... hmm.. windows

So? What's your point? Are we on a different discussion here?

> ? naa. probably linux
> You can embed Linux too, and there are several companies that
> offer appliances
> that run Linux as a firewall

But this doesn't change the fact that it doesn't have the capabilities
to sniff
packets or change rules on the fly with 325 companies, seamlessly.
It still has a lot of work that needs to be done to get there.
Meaning, it's not Checkpoint. Plus, Checkpoint is not tied down to Linux,
so it can run on Linux, or it can run on another, maybe better suited
software/hardware solution, which you can bet there is.

>
> What you are basically saying is - Linux is not ready to take
> on FW-1 because no
> commercial company has yet built firewall suites (including
> everything)
> based on NetFilter. Well, shucks - you know what? You can
> count the companies
> that offer firewall suites comparable to Checkpoint's on one
> hand and you'd
> still be able to hold a fork. That's why Checkpoint are
> market leaders

Not true, I know lots of firewalls, and none come close to Checkpoint.
Some are not even around anymore because they sucked or they are
redundant.
Or, because Checkpoint had the GREAT idea to raise OPSEC, which almost
instantly left all firewalls behind.

>
> you can do with NetFilter whatever you do with FW-1, but it
> takes time to get
> it right

By time, I hope you don't mean the big crunch?
And don't forget that netfilter is a Linux kernel firewall, and
Checkpoint
can also run on Linux with or without netfilter, so netfilter, until it
will
have all these tools that would interact gracefully as Checkpoint OPSEC
ensures
(which I greatly doubt will happen), will always be lesser, and don't
forget
it still has many flaws, like not good enough connection tracking, etc.,
which
you can probably find on their site.

>
> - --
> Oded
>
> ::.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE9wkbdkltamOf8EzsRAredAKCwppQqa/FpB4gWtXwFCE0mxlPgJACfZIt1
> XZrVmpfH2WTKTROZNQEg35o=
> =lE1E
> -----END PGP SIGNATURE-----
>
>
>
>
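
An added example, not code from this thread or from the netfilter project, to make the "userland target" point in the quoted reply concrete. In the 2.4 series that target is QUEUE: a rule such as `iptables -A INPUT -p tcp --dport 80 -j QUEUE` hands each matching packet to userspace through the ip_queue module, and a program linked against libipq reads the packet, inspects it and returns ACCEPT or DROP. Everything assumed here is labelled as such: the toy "../" content signature, the constructed test packet (10.0.0.1:1234 to 10.0.0.2:80), and the HAVE_LIBIPQ guard around the libipq loop, which only compiles and runs as root on a Linux 2.4 host with the library installed. The inspection function itself is self-contained and runs anywhere.

```c
/* Added example: userland packet inspection for netfilter's QUEUE target.
 * inspect_packet() is the decision logic; build_tcp_packet() fabricates a
 * constructed IPv4/TCP packet for offline testing; run_queue() is the
 * libipq glue, compiled only with -DHAVE_LIBIPQ. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_DROP = 0, V_ACCEPT = 1 };

/* Decide the fate of one captured packet of `len` bytes starting at the
 * IPv4 header. Malformed or truncated headers are dropped, non-TCP
 * traffic is passed through, and TCP payloads containing the (assumed,
 * toy) signature "../" are dropped. */
enum verdict inspect_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return V_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return V_DROP;                      /* bogus header/total lengths */
    if (pkt[9] != 6)
        return V_ACCEPT;                    /* not TCP: none of our business */
    if (total - ihl < 20)
        return V_DROP;                      /* truncated TCP header */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total)
        return V_DROP;                      /* bogus TCP data offset */
    const uint8_t *payload = tcp + doff;
    size_t plen = total - ihl - doff;
    for (size_t i = 0; i + 3 <= plen; i++)  /* toy content signature */
        if (memcmp(payload + i, "../", 3) == 0)
            return V_DROP;
    return V_ACCEPT;
}

/* Build a constructed IPv4/TCP packet (10.0.0.1:1234 -> 10.0.0.2:80) with
 * the given payload. Checksums are left zero: inspection never reads them
 * and this packet exists only for testing. Returns the packet length. */
size_t build_tcp_packet(uint8_t *buf, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > cap || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                          /* IPv4, IHL 5 words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                            /* TTL */
    buf[9] = 6;                             /* protocol TCP */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);/* src 10.0.0.1 */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4);/* dst 10.0.0.2 */
    buf[20] = 0x04; buf[21] = 0xd2;         /* sport 1234 */
    buf[22] = 0x00; buf[23] = 0x50;         /* dport 80 */
    buf[32] = 0x50;                         /* data offset 5 words */
    buf[33] = 0x18;                         /* PSH|ACK */
    buf[34] = 0xff; buf[35] = 0xff;         /* window */
    memcpy(buf + 40, payload, plen);
    return total;
}

/* Verdict for a constructed packet carrying `payload`. */
enum verdict verdict_for_payload(const char *payload)
{
    uint8_t buf[2048];
    size_t n = build_tcp_packet(buf, sizeof buf, payload);
    return n ? inspect_packet(buf, n) : V_DROP;
}

#ifdef HAVE_LIBIPQ
#include <sys/socket.h>
#include <linux/netfilter.h>
#include <libipq.h>
/* Read packets queued by -j QUEUE, inspect each, and return the verdict. */
int run_queue(void)
{
    unsigned char buf[4096];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, sizeof buf) < 0) {
        fprintf(stderr, "ipq: %s\n", ipq_errstr());
        return 1;
    }
    for (;;) {
        if (ipq_read(h, buf, sizeof buf, 0) < 0)
            break;
        if (ipq_message_type(buf) != IPQM_PACKET)
            continue;
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        enum verdict v = inspect_packet(m->payload, m->data_len);
        ipq_set_verdict(h, m->packet_id,
                        v == V_ACCEPT ? NF_ACCEPT : NF_DROP, 0, NULL);
    }
    ipq_destroy_handle(h);
    return 0;
}
#endif

int main(void)
{
#ifdef HAVE_LIBIPQ
    return run_queue();
#else
    const char *ok = "GET /index.html HTTP/1.0\r\n";
    const char *bad = "GET /../../etc/passwd HTTP/1.0\r\n";
    printf("%s -> %s\n", ok, verdict_for_payload(ok) == V_ACCEPT ? "ACCEPT" : "DROP");
    printf("%s -> %s\n", bad, verdict_for_payload(bad) == V_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
#endif
}
```

The design point is the one the quoted reply makes: the kernel only matches and queues, and all the interesting policy (here a content check, but equally a virus scanner or an IDS hand-off) lives in an ordinary process that can be replaced without touching the kernel. Note that queued packets are held until the process answers, so a slow or crashed inspector stalls the matched traffic; in practice the QUEUE rule is kept as narrow as possible.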


