sf firewall for linux?

Post by smiley flybuck » Sat, 30 Nov 1996 04:00:00



Hello:
   I'm currently involved in a project to evaluate and
develop firewall software.  Has anyone had any experience
using sf firewall for linux?  I just ftp'ed the source
distribution and it looks pretty rich to me so far.  
Any anecdotes, opinions, etc. are welcome.  Thanks.
--

-Cyrus Durgin


sf firewall for linux?

Post by Roland Ekkehard Schm » Tue, 03 Dec 1996 04:00:00


: Hello:
:    I'm currently involved in a project to evaluate and
: develop firewall software.  Has anyone had any experience
: using sf firewall for linux?  I just ftp'ed the source
: distribution and it looks pretty rich to me so far.  
: Any anecdotes, opinions, etc. are welcome.  Thanks.
: --

I am one of the developers of sf firewall. The software is currently
running on several sites at the University Zurich, and it is being used
for several months now by two companies involved in the banking business
(one in Zurich and one in Frankfurt).
Version 0.2.9 seems to be very stable. No problems or errors have been
reported to us.
We are currently extending the firewall. The next version will include
a graphical user interface for remote configuration and administration,
enhanced filter capabilities (passive mode FTP, TCP connection monitoring
and killing, ...), cooperation of multiple firewalls and much more. It
will be released in February or March 1997.
Feel free to mail any questions concerning sf firewall to me or to

Roland Schmid


sf firewall for linux?

Post by Ulrich Eckhard » Wed, 04 Dec 1996 04:00:00


> I am one of the developers of sf firewall. The software is currently
> running on several sites at the University Zurich, and it is being used
> for several months now by two companies involved in the banking business
> (one in Zurich and one in Frankfurt).
> Version 0.2.9 seems to be very stable. We have not been reported any
> problems or errors.
> We are currently extending the firewall. The next version will include
> a graphical user interface for remote configuration and administration,
> enhanced filter capabilities (passive mode FTP, TCP connection monitoring
> and killing, ...), cooperation of multiple firewalls and much more. It
> will be released in February or March 1997.
> Feel free to mail any questions concerning sf firewall to me or to

> Roland Schmid

Hi,

seems interesting. Where can I get more information about it?

Uli
--

Truly great madness can not be achieved without significant
intelligence. (Henrik Tikkanen)


sf firewall for linux?

Post by Roland Ekkehard Schm » Wed, 04 Dec 1996 04:00:00


As there seem to be some interested people around, I am reposting the
announcement of the sf firewall:

    ----------------------------------------------------------------------
    sf Firewall Software -- a TCP/IP packet filter for Linux
    Copyright (C) 1996 Robert Muchsel and Roland Schmid
    ----------------------------------------------------------------------

    We have released version 0.2.9 of our sf Firewall Software. It has
    been updated for Linux 2.0.xx kernels. We also fixed some bugs and
    added new features (see changes summary below).

    The software is available from
       ftp://ftp.switch.ch/software/sources/network/sf/sf-0.2.9.tar.gz

    ----------------------------------------------------------------------

    This is version 0.2.9 of the firewall software. It requires Linux 2.0.x
    and will not work with earlier kernel versions (there is a version
    which supports the 1.2.x kernels, please get sf-0.1.tar.gz).

    Documentation is supplied in HTML format (to print, please use your Web
    browser).
    Please read the installation section in the user's guide (user.htm)
    before trying to compile and install the software!

    Feel free to report any problems, bugs, suggestions and comments to

    You can get the latest version of the software from
    ftp://ftp.switch.ch/software/sources/network/sf.

    QUICK OVERVIEW
    --------------

    The sf packet filter & firewall is a free and easy way to protect your
    network from the daily threats of the Internet. It does not guarantee
    perfect security, however it comes with a wealth of features, including:
    - filtering of all header fields in the IP,TCP,UDP,ICMP,IGMP packets
    - intelligent RIP and FTP support
    - easy to understand, text-based configuration
    - dynamic rules, including counters and time-outs
    - extensive logging, alerting, and counter intelligence
    - prevention of packet and address spoofing
    - GNU GPL license :-)

    To install the software, you need a Linux 2.0.x based system. We suggest
    you install a bare-bone system without X or any of the other nifty
    features which tend to have security holes. You should not install user
    accounts on the firewall system. Log-ins other than from the console
    should be forbidden (if you absolutely have to log in remotely, we
    strongly suggest you install a copy of ssh, http://www.cs.hut.fi/ssh).

    Although the software has been subject to thorough testing, and has been
    continuously running without crashes for over 12 months, we are confident
    someone will eventually uncover A BUG in the software. Therefore, we
    christened it "version 0.2.9".

    Please do not use this software as the sole means to protect your top
    secret data. This software is intended for
    - people who want to study firewalls
    - people who don't trust their current firewall
    - and people who currently don't have any protection at all (even if
      there are serious bugs, it cannot get worse, can it?)

    If you have trouble installing or configuring the software despite the
    comprehensive documentation, or if you seek advice in security related

    understand we cannot provide consulting services for free.

    Version 0.2.9
    -------------

    BUG FIXES
    =========
    - fixed minor error in IP packet logger (protocols >20 off by one)

    NEW FEATURES
    ============
    - added new implicit "level oversized:" (works like "level spoof");
      improved detection of oversized IP packets

    Version 0.2.8 (this and later versions work with Linux 2.0.xx only)
    -------------

    BUG FIXES
    =========
    - fixed minor errors in documentation and sample configuration files
    - accept netmask 255.255.255.255
    - eliminated generation of "THIS SHOULD NEVER HAPPEN" log message

    NEW FEATURES
    ============
    - permit 'call' statements in notification levels
    - added 'destport' in LET statements
      (let attackport:sourcehost := destport ...)
    - added 'reject with best' / 'reject with tcp_reset' (equivalent)
      sends TCP reset packet if TCP packet received
            ICMP port unreachable packet if UDP received
            ICMP host unreachable packet else
    - added 'reject with echo_reply' sends echo reply on echo request
      (use to answer pings)
    - print ICMP type in log file
    - added 'report' flag to notification -
      writes data to /var/log/firewall.report
    - provide up-to-date /etc/services file, more sample configs and a
      log view tool

    CHANGES
    =======
    - merged Linux 1.3.x patches from Andi Kleen

      and modified for 2.0.x kernel
    - switched to Linux file system standard
    - updated installation instructions for Linux 2.0.x
    - changed Makefile to optionally use bison/flex instead of yacc/lex,
      added make install
    - switched to configure (GNU Autoconfig)
    - 'sfc show' omits mask if mask is 255.255.255.255
    - updated IP protocol names (RFC 1700 obsoletes RFC 1340, IANA ftp server)
    - moved sfc to /usr/local/sbin
    - strip symbols of modules
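The announcement lists anti-spoofing, oversized-packet detection and the 'reject with best' answer selection (TCP reset for TCP, ICMP port unreachable for UDP, ICMP host unreachable otherwise) without showing how a filter arrives at those verdicts. The following is an added example written for this page, not sf's own kernel code or configuration language (neither is shown above). It parses a raw IPv4 datagram and returns the verdict a filter with those three features would reach. Assumptions, all hypothetical: the inside network is 10.1.0.0/16, the only permitted inbound service is port 25, the interface MTU is 1500, and "oversized" is taken to mean a total length larger than that MTU (the page does not define the term). The packets fed to it are constructed in the code; checksums are left zero because the filter never relies on them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts: accept, silent drops, and the three "reject with best" answers
 * the announcement describes (TCP -> RST, UDP -> ICMP port unreachable,
 * anything else -> ICMP host unreachable). */
enum verdict {
    ACCEPT,
    DROP_MALFORMED,          /* header does not fit the bytes actually received */
    DROP_OVERSIZED,          /* total length exceeds the MTU (assumed meaning of "oversized") */
    DROP_SPOOF,              /* source address impossible for the arrival interface */
    REJECT_TCP_RESET,
    REJECT_ICMP_PORT_UNREACH,
    REJECT_ICMP_HOST_UNREACH
};

/* Hypothetical site: 10.1.0.0/16 is the inside network; everything else is outside. */
#define INTERNAL_NET   0x0A010000u
#define INTERNAL_MASK  0xFFFF0000u
#define IFACE_MTU      1500u
#define ALLOWED_PORT   25u     /* toy policy: only SMTP to the inside is permitted */
#define OUTSIDE_HOST   0xC000020Au   /* 192.0.2.10, documentation range */
#define INSIDE_HOST    0x0A010203u   /* 10.1.2.3 */

static uint32_t get32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static int is_internal(uint32_t addr) { return (addr & INTERNAL_MASK) == INTERNAL_NET; }

/* Filter one raw IPv4 datagram. buf/len are the bytes that really arrived;
 * from_external is 1 if the packet came in on the Internet-facing interface. */
enum verdict filter_packet(const uint8_t *buf, size_t len, int from_external)
{
    if (len < 20 || (buf[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;
    uint16_t total_len = get16(buf + 2);
    if (total_len > IFACE_MTU) return DROP_OVERSIZED;      /* claims more than the link carries */
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len) return DROP_MALFORMED;
    uint8_t proto = buf[9];
    uint32_t src = get32(buf + 12);

    /* Anti-spoofing: an inside source address cannot legitimately arrive from
     * outside, and an inside host must not emit an outside source address. */
    if (from_external ? is_internal(src) : !is_internal(src)) return DROP_SPOOF;

    if (proto == 6 || proto == 17) {                         /* TCP / UDP */
        if (total_len < ihl + 4) return DROP_MALFORMED;     /* port fields not present */
        uint16_t dport = get16(buf + ihl + 2);
        if (dport == ALLOWED_PORT) return ACCEPT;
        return proto == 6 ? REJECT_TCP_RESET : REJECT_ICMP_PORT_UNREACH;
    }
    return REJECT_ICMP_HOST_UNREACH;                         /* ICMP, IGMP, anything else */
}

/* Build a constructed datagram (20-byte IPv4 header plus the 4 port bytes) and
 * filter it. wire_len is how many bytes we pretend arrived, so a caller can
 * simulate a header that claims more data than was delivered. */
enum verdict check_case(int from_external, uint8_t proto, uint32_t src, uint32_t dst,
                        uint16_t dport, uint16_t total_len, size_t wire_len)
{
    uint8_t pkt[64];
    if (wire_len > sizeof pkt) wire_len = sizeof pkt;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                 /* version 4, IHL 5 */
    put16(pkt + 2, total_len);
    pkt[8] = 64;                   /* TTL */
    pkt[9] = proto;
    put32(pkt + 12, src);
    put32(pkt + 16, dst);
    put16(pkt + 20, 40000);        /* source port */
    put16(pkt + 22, dport);
    return filter_packet(pkt, wire_len, from_external);
}

int main(void)
{
    static const char *names[] = { "ACCEPT", "DROP_MALFORMED", "DROP_OVERSIZED", "DROP_SPOOF",
                                   "REJECT_TCP_RESET", "REJECT_ICMP_PORT_UNREACH", "REJECT_ICMP_HOST_UNREACH" };
    printf("smtp from outside:      %s\n", names[check_case(1, 6,  OUTSIDE_HOST, INSIDE_HOST, 25, 24, 24)]);
    printf("telnet from outside:    %s\n", names[check_case(1, 6,  OUTSIDE_HOST, INSIDE_HOST, 23, 24, 24)]);
    printf("dns from outside:       %s\n", names[check_case(1, 17, OUTSIDE_HOST, INSIDE_HOST, 53, 24, 24)]);
    printf("icmp from outside:      %s\n", names[check_case(1, 1,  OUTSIDE_HOST, INSIDE_HOST, 0,  24, 24)]);
    printf("spoofed inside source:  %s\n", names[check_case(1, 6,  INSIDE_HOST,  INSIDE_HOST, 25, 24, 24)]);
    printf("leaking outside source: %s\n", names[check_case(0, 6,  OUTSIDE_HOST, OUTSIDE_HOST, 25, 24, 24)]);
    printf("oversized claim:        %s\n", names[check_case(1, 6,  OUTSIDE_HOST, INSIDE_HOST, 25, 9000, 24)]);
    printf("truncated:              %s\n", names[check_case(1, 6,  OUTSIDE_HOST, INSIDE_HOST, 25, 60, 24)]);
    return 0;
}
```

The spoof test is applied in both directions on purpose: the inbound check is what the announcement's "prevention of address spoofing" needs, and the outbound check keeps an infected inside host from launching spoofed traffic through the firewall. Note that the length checks run before any transport field is read, so the port lookup can never index past the received bytes.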