Re: [fw-wiz] Open Source Personal Firewall?
From: Charles Swiger (cswiger_at_mac.com)
To: Breno Jacinto <firstname.lastname@example.org>
Date: Fri, 12 Dec 2003 13:41:37 -0500
On Dec 7, 2003, at 10:29 PM, Breno Jacinto wrote:
> I've been looking for an OSS Personal Firewall (PF) but googling for
> had no results. Of course we have great options for real firewalls (pf
> is pretty decent), but I'm looking for a solution for the grandma-like
> user. Any take?
Googling for "firewall open source" should produce significant numbers
of relevant examples. You haven't mentioned what capabilities this
firewall should have, although anything reasonable will have a baseline
of simple packet filtering, stateful packet filtering, NAT, and some
combination or subset of DHCP/zeroconf/UPnP for internal hosts. (1)
Are you looking for an appliance, or are you looking to install OSS
software onto an existing machine (presumably commodity Intel
hardware)? If the latter, you could start with OpenBSD or a hardened
flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the
author of IPFW).
> What about the commercial ones, such as Zonealarm, BlackIce etc.. any
> good recommendations (as well as bad ones)?
If grandma already has a Linksys multiport broadband router, using the
bundled firewall is likely to be an easier solution than adding another
device, particularly if grandma doesn't really understand what a
network is and would like someone else to plug in all of the cables for
> After reading the 'Personal Firewall FAQ' (www.fefe.de/pffaq), which
> is way radical; a quote:
> "You can't improve security of an untrusted system by installing
> another untrustworthy piece of software. You don't have the source
> code for the operating system or for the new piece of software, so it
> is impossible to
> verify that it does anything at all, let alone improve security.
The people who host this list perform testing and auditing of firewall
devices. It most certainly is possible to determine whether a firewall
"does anything at all", and it is fairly easy to show that even trivial
firewall rules (permit established, permit outbound keeping state, deny
the rest) improve security quite a bit over having directly routable
> A firewall is a computer security concept, not a piece of software.
> Vendors selling you a piece of software (or even a piece of hardware)
> under the label "firewall" are defrauding you."
A firewall is a security concept, agreed, but a firewall consists of
software running on a physical machine or device of some sort, with an
appropriate network topology to segregate traffic, which implements a
-- 
-Chuck

1: And it's been the latter which has tended to result in bugs with most
firewalls, another example of the classic tradeoff between ease-of-use and
security...

_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
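The three-rule baseline the reply names (permit established, permit outbound keeping state, deny the rest), written out as an ipfw(8) ruleset. This is an added example, not from the original post or from the IPFW project; the file path, interface handling and rule numbers are assumptions.

```ipfw
# Constructed example: /etc/ipfw.rules (assumed path), loaded with: ipfw -q /etc/ipfw.rules
# Each line is an ipfw command without the "ipfw" prefix. -q implies -f, so the
# flush below does not prompt for confirmation.
flush
# Loopback traffic is always allowed; loopback addresses must never arrive from the wire.
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# Consult the dynamic state table first, so replies to outbound sessions are accepted.
add 400 check-state
# "permit established": TCP segments that belong to an already set-up connection.
# Rule 600's keep-state makes this mostly redundant, but it still covers sessions
# that predate a ruleset reload, since the flush above empties the state table.
add 500 allow tcp from any to any established
# "permit outbound keeping state": anything this host ("me") sends out, creating a
# dynamic rule that admits only the matching replies.
add 600 allow ip from me to any out keep-state
# "deny the rest": whatever reaches this point, in either direction, is dropped and
# logged (logging needs net.inet.ip.fw.verbose=1) so the admin can see what is knocking.
add 65000 deny log ip from any to any
```

No inbound service is opened here; a host that must accept connections (ssh, a web server) needs an explicit `allow ... in` rule placed before rule 65000.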