Stearns28 wrote ...
-- Cut --
>How does IPCHAINS stack up against its counterparts in the Windows
>world like Checkpoint, *Wall and others? What features found in
>commercial packages does IPCHAINS lack?
>Also, is a hardware firewall better than a software firewall?
-- Cut --
I've recently changed a firewall from a Checkpoint FW1 to one based on Red
Hat 7.0 and ipchains plus FreeS/WAN.
In favour of FW1 is the GUI-based administration software and some built-in
functionality like SQL*Net proxy (doesn't work with the encrypted SQL*Net
protocol of Oracle 8i, though) and other proxies (there are some GUI-based
packages for ipchains too, I've heard, but I haven't tried any of them as
In favour of the Linux-based firewall is the price (typically only HW +
setup time/consultancy fees for Linux) as commercial SW tends to be rather
expensive, like the VPN option for FW1. A Linux firewall is very flexible,
if you know how to do some programming -- like a POP-gateway I built that
protects the inner POP-server by allowing only the most basic commands and
by verifying line lengths to avoid buffer overflows.
One Linux firewall I built masquerades internal addresses and assigns
specific external addresses to some internal computers when connecting to a
certain server that only allows users access from some predefined IP-address
as extra protection. This same firewall accepts and redirects print-jobs
from specific external computers to internal print-servers and creates VPN
connections to externally hosted web-servers for administration.
I haven't seen anything in FW1 like the TIS Firewall Toolkit SMTP-gateway as
a secure frontend for mail servers, the POP-gateway as a secure frontend for
POP-servers or the SuSE FTP-proxy that allows incoming FTP connections to
a masqueraded computer (preferably in a demilitarised zone).
All-in-all, I'm in favour of a Linux firewall as I earn more in consultancy
fees :-) and still provide the customer with a cheaper and more flexible
solution than one using FW1.
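The POP-gateway idea in the reply (let only the basic commands through, and check line lengths so an over-long line never reaches the inner server) sketched as an added example. This is hypothetical code written for this thread, not the author's gateway; the per-state command sets, the 512-byte line ceiling and the `next_state` helper are assumptions, while the 40-character argument limit comes from RFC 1939 section 3.

```python
# Hypothetical POP3 gateway filter (added example, not the original poster's code).
# Each client line is checked here before it is forwarded to the protected POP server.

MAX_LINE = 512      # assumed ceiling for a whole command line including CRLF
MAX_ARG_LEN = 40    # RFC 1939 section 3: each argument may be up to 40 characters

# Commands permitted in each POP3 session state (assumed "most basic" set).
ALLOWED = {
    "AUTHORIZATION": {"USER", "PASS", "QUIT", "NOOP"},
    "TRANSACTION": {"STAT", "LIST", "RETR", "DELE", "NOOP", "RSET", "QUIT", "TOP", "UIDL"},
}
# Maximum number of arguments each command may carry; commands not listed take none.
MAX_ARGS = {"USER": 1, "PASS": 1, "LIST": 1, "RETR": 1, "DELE": 1, "TOP": 2, "UIDL": 1}


def check_command(line: bytes, state: str):
    """Return (ok, detail): detail is the command keyword when ok, else the refusal reason."""
    if len(line) > MAX_LINE:
        return False, "line too long"
    if not line.endswith(b"\r\n"):
        return False, "missing CRLF"
    body = line[:-2]
    # Only printable ASCII is allowed; this also rejects embedded NUL or control bytes.
    if not body.isascii() or any(b < 0x20 or b == 0x7F for b in body):
        return False, "non-printable byte"
    parts = body.decode("ascii").split(" ")
    cmd, args = parts[0].upper(), parts[1:]
    if cmd not in ALLOWED[state]:
        return False, "command not permitted in %s state" % state
    if len(args) > MAX_ARGS.get(cmd, 0):
        return False, "too many arguments"
    if any(len(a) > MAX_ARG_LEN for a in args):
        return False, "argument too long"
    return True, cmd


def next_state(state: str, cmd: str, server_reply: bytes) -> str:
    """Advance the session state from the inner server's reply to a forwarded command."""
    if cmd == "QUIT":
        return "UPDATE"
    if state == "AUTHORIZATION" and cmd == "PASS" and server_reply.startswith(b"+OK"):
        return "TRANSACTION"
    return state
```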