Re: [fw-wiz] Open Source Personal Firewall?

From: Charles Swiger (
Date: 12/12/03

  • Next message: Dario Calia: "Re: [fw-wiz] PIX Authentication Question"
    To: Breno Jacinto <>
    Date: Fri, 12 Dec 2003 13:41:37 -0500

    On Dec 7, 2003, at 10:29 PM, Breno Jacinto wrote:
    > I've been looking for an OSS Personal Firewall (PF) but googling for one
    > had no results. Of course we have great options for real firewalls (pf
    > is pretty decent), but I'm looking for a solution for the grandma-like
    > user. Any take?

    Googling for "firewall open source" should produce significant numbers
    of relevant examples. You haven't mentioned what capabilities this
    firewall should have, although anything reasonable will have a baseline
    of simple packet filtering, stateful packet filtering, NAT, and some
    combination or subset of DHCP/zeroconf/uPnP for internal hosts. (1)

    Are you looking for an appliance, or are you looking to install OSS
    software onto an existing machine (presumably commodity Intel
    hardware)? If the latter, you could start with OpenBSD or a hardened
    flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the
    author of IPFW).

    > What about the commercial ones, such as Zonealarm, BlackIce etc.. any
    > good recommendations (as well as bad ones)?

    If grandma already has a Linksys multiport broadband router, using the
    bundled firewall is likely to be an easier solution than adding another
    device, particularly if grandma doesn't really understand what a
    network is and would like someone else to plug in all of the cables for
    her. :-)

    > After reading the 'Personal Firewall FAQ' (, which
    > is way radical; a quote:
    > "You can't improve security of an untrusted system by installing
    > another untrustworthy piece of software. You don't have the source
    > code for the operating system or for the new piece of software, so it
    > is impossible to verify that it does anything at all, let alone improve
    > security.

    The people who host this list perform testing and auditing of firewall
    devices. It most certainly is possible to determine whether a firewall
    "does anything at all", and it is fairly easy to show that even trivial
    firewall rules (permit established, permit outbound keeping state, deny
    the rest) improve security quite a bit over having directly routable

    > A firewall is a computer security concept, not a piece of software.
    > Vendors selling you a piece of software (or even a piece of hardware)
    > under the label "firewall" are defrauding you."

    A firewall is a security concept, agreed, but a firewall consists of
    software running on a physical machine or device of some sort, with an
    appropriate network topology to segregate traffic, which implements a
    security policy.

    1: And it's been the latter which has tended to result in bugs with
    most firewalls, another example of the classic tradeoff between
    ease-of-use and security...
    firewall-wizards mailing list
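The three "trivial" rules Swiger names (permit established, permit outbound keeping state, deny the rest) are the whole of a minimal stateful policy, and it is worth seeing concretely why they already cut off unsolicited inbound traffic. The following is an added, editor-written toy model of that policy, not code from the thread or from pf/ipfw: it keeps a state table keyed on the 5-tuple of flows the protected host opened, lets in only packets that answer such a flow, and blocks everything else. The addresses, ports and packets are constructed sample data; the pf rules in the comment are given only as the rough real-world equivalent.

```python
"""Toy model of a minimal stateful personal-firewall policy:
   1. permit established (inbound packets that answer a flow we opened)
   2. permit outbound, keeping state
   3. deny the rest
Roughly what `block all` + `pass out keep state` express in pf (assumption:
syntax shown for orientation only, this model does not parse pf.conf)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" leaves the protected host, "in" arrives from the network
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "R"

# proto, local addr, local port, remote addr, remote port
FlowKey = Tuple[str, str, int, str, int]

class StatefulFilter:
    def __init__(self) -> None:
        self.state: Dict[FlowKey, bool] = {}
        self.log: List[str] = []

    def _record(self, pkt: Packet, verdict: str, why: str) -> str:
        self.log.append(f"{verdict} {pkt.direction} {pkt.proto} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({why})")
        return verdict

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Rule 2: pass outbound and remember the flow so replies can return.
            key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "tcp" and "R" in pkt.flags:
                self.state.pop(key, None)        # we reset it: forget the flow
            else:
                self.state[key] = True
            return self._record(pkt, "pass", "outbound, state kept")
        # Inbound: Rule 1, pass only if it is the reverse of a flow we started.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            if pkt.proto == "tcp" and "R" in pkt.flags:
                del self.state[key]              # peer reset it: tear down state
            return self._record(pkt, "pass", "established")
        # Rule 3: deny the rest. Unsolicited inbound never matches state.
        return self._record(pkt, "block", "no matching state")

HOST, WEB, ATTACKER = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed

def run_scenario() -> List[str]:
    """Replay a constructed packet sequence and return the verdict per packet."""
    fw = StatefulFilter()
    seq = [
        Packet("out", "tcp", HOST, 40000, WEB, 80, "S"),       # grandma opens a web page
        Packet("in",  "tcp", WEB, 80, HOST, 40000, "SA"),      # server's reply: established
        Packet("in",  "tcp", ATTACKER, 4444, HOST, 135, "S"),  # unsolicited probe: denied
        Packet("in",  "udp", WEB, 53, HOST, 40000),            # same peer, wrong proto/port
        Packet("in",  "tcp", WEB, 80, HOST, 40001, "A"),       # right peer, no such flow
        Packet("in",  "tcp", WEB, 80, HOST, 40000, "R"),       # server resets: last packet passes
        Packet("in",  "tcp", WEB, 80, HOST, 40000, "A"),       # state is gone: denied again
    ]
    return [fw.decide(p) for p in seq]

if __name__ == "__main__":
    fw_verdicts = run_scenario()
    for v in fw_verdicts:
        print(v)
```

The point the model makes is the one Swiger is making: a host that simply has routable addresses answers every inbound packet, whereas even this policy drops everything it did not ask for, and the packets an attacker sends to a "directly routable" box never create state.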
