Re: [fw-wiz] Open Source Personal Firewall?

From: Charles Swiger (cswiger_at_mac.com)
Date: 12/12/03

  • Next message: Dario Calia: "Re: [fw-wiz] PIX Authentication Question"
    To: Breno Jacinto <breno@gamebox.net>
    Date: Fri, 12 Dec 2003 13:41:37 -0500

    On Dec 7, 2003, at 10:29 PM, Breno Jacinto wrote:
    > I've been looking for an OSS Personal Firewall (PF) but googling for one
    > had no results. Of course we have great options for real firewalls (pf
    > is pretty decent), but I'm looking for a solution for the grandma-like
    > user. Any take?

    Googling for "firewall open source" should produce significant numbers
    of relevant examples. You haven't mentioned what capabilities this
    firewall should have, although anything reasonable will have a baseline
    of simple packet filtering, stateful packet filtering, NAT, and some
    combination or subset of DHCP/zeroconf/UPnP for internal hosts. (1)

    Are you looking for an appliance, or are you looking to install OSS
    software onto an existing machine (presumably commodity Intel
    hardware)? If the latter, you could start with OpenBSD or a hardened
    flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the
    author of IPFW).

    > What about the commercial ones, such as Zonealarm, BlackIce etc.. any
    > good recommendations (as well as bad ones)?

    If grandma already has a Linksys multiport broadband router, using the
    bundled firewall is likely to be an easier solution than adding another
    device, particularly if grandma doesn't really understand what a
    network is and would like someone else to plug in all of the cables for
    her. :-)

    > After reading the 'Personal Firewall FAQ' (www.fefe.de/pffaq), which
    > is way radical; a quote:
    >
    > "You can't improve security of an untrusted system by installing
    > another untrustworthy piece of software. You don't have the source
    > code for the operating system or for the new piece of software, so it
    > is impossible to verify that it does anything at all, let alone improve
    > security.

    The people who host this list perform testing and auditing of firewall
    devices. It most certainly is possible to determine whether a firewall
    "does anything at all", and it is fairly easy to show that even trivial
    firewall rules (permit established, permit outbound keeping state, deny
    the rest) improve security quite a bit over having directly routable
    machines.

    > A firewall is a computer security concept, not a piece of software.
    > Vendors selling you a piece of software (or even a piece of hardware)
    > under the label "firewall" are defrauding you."

    A firewall is a security concept, agreed, but a firewall consists of
    software running on a physical machine or device of some sort, with an
    appropriate network topology to segregate traffic, which implements a
    security policy.

    -- 
    -Chuck
    1: And it's been the latter which has tended to result in bugs with 
    most firewalls, another example of the classic tradeoff between 
    ease-of-use and security...
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
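
The "trivial firewall rules" Chuck names (permit established, permit outbound keeping state, deny the rest) can be shown doing something measurable with a small model. The following Python is an added illustration, not code from the original message or from the list; the hosts, ports and packets are constructed sample data. It compares three policies on the same traffic: the stateful policy from the message, an older flag-based "established" check (pass inbound TCP with ACK set), and a directly routable host with no filter at all.

```python
"""Toy model of the 'trivial firewall rules' named in the reply above:
permit established, permit outbound keeping state, deny the rest.
Added illustration, not code from the original message; addresses,
ports and packets are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Key = Tuple[str, str, int, str, int]   # proto, inside ip/port, outside ip/port


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = from an inside host, "in" = from the Internet
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP flags; ignored for udp
    ack: bool = False


def _key(p: Packet) -> Key:
    """Normalise a packet to (proto, inside, inside_port, outside, outside_port)
    so a reply matches the state created by the request that provoked it."""
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    """Three rules, evaluated in order:
    1. outbound: pass and record state
    2. inbound matching recorded state ('established'): pass
    3. any other inbound packet: block"""
    def __init__(self) -> None:
        self.states: Set[Key] = set()

    def decide(self, p: Packet) -> bool:
        if p.direction == "out":
            self.states.add(_key(p))
            return True
        return _key(p) in self.states


def stateless_established(p: Packet) -> bool:
    """Flag-based 'established' check: pass all outbound, pass inbound TCP
    only if ACK is set. Weaker than state tracking because an attacker can
    set ACK on any packet (an ACK scan), as the scenario below shows."""
    if p.direction == "out":
        return True
    return p.proto == "tcp" and p.ack


def unfiltered(_: Packet) -> bool:
    """A directly routable host: every packet reaches it."""
    return True


def run_scenario() -> Dict[str, Dict[str, bool]]:
    """Run constructed traffic through all three policies and return verdicts."""
    inside, web, attacker = "192.168.1.20", "203.0.113.10", "198.51.100.7"
    fw = StatefulFilter()
    traffic = [
        ("client opens web connection",
         Packet("out", "tcp", inside, 51000, web, 80, syn=True)),
        ("web server replies",
         Packet("in", "tcp", web, 80, inside, 51000, syn=True, ack=True)),
        ("unsolicited SYN to SMB",
         Packet("in", "tcp", attacker, 40000, inside, 445, syn=True)),
        ("ACK-scan probe to SMB",
         Packet("in", "tcp", attacker, 40001, inside, 445, ack=True)),
        ("unsolicited UDP to NetBIOS",
         Packet("in", "udp", attacker, 40002, inside, 137)),
    ]
    results: Dict[str, Dict[str, bool]] = {}
    for name, pkt in traffic:
        results[name] = {
            "stateful": fw.decide(pkt),
            "stateless_established": stateless_established(pkt),
            "no_firewall": unfiltered(pkt),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:28s} " + "  ".join(
            f"{k}={'pass' if v else 'BLOCK'}" for k, v in verdicts.items()))
```

The unsolicited SYN and UDP probes are blocked by both filtering policies, but the crafted ACK probe passes the flag-based check and is stopped only by the stateful one, which is the practical reason to prefer "keep state" over a bare "established" match. In pf of that era the stateful policy is roughly `block in all` followed by `pass out all keep state`; IPFW's `established` keyword is the flag-based variant modelled here.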