Pantek Library

Re: Linux firewall/IDS/NAT suggestions

From: Seth Arnold <sarnold(at)wirex.com>
Date: Tue Jun 03 2003 - 13:04:00 EDT

On Sun, Jun 01, 2003 at 09:52:38PM -0500, Jimi Thompson wrote:
> If you need routing gear, check out an open source project called
> Freesco.

It is my understanding Freesco is based on the 2.0.x series of kernels. This means whatever firewall they provide is not going to be a stateful firewall.

There are many benefits to a stateful firewall. In short, they require viewing the TCP session setup packets before allowing the follow-on TCP packets through the filter. Stateless firewalls cannot make this requirement -- they typically filter only the session setup packets! This means specially-crafted packets can slip right through the firewall.

I don't know how big a concern this is for the original poster's organization. I _do_ know that stateful firewalls are just that much nicer, so I'd recommend something newer than the freesco project. :)

-- 
"Learning curve encryption is much more powerful than
elliptical curve encryption." -- Alan Olsen

  • application/pgp-signature attachment: stored
Received on Tue Jun 3 14:15:30 2003
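
The difference the message describes, as an added example that is not part of the original email: a toy stateless filter that checks only session-setup packets next to a toy stateful one that requires having seen the setup first. The policy (inbound port 80 only), the addresses and the sample packets are constructed, and the session tracking is simplified to one direction with no TCP state machine.

```python
from dataclasses import dataclass

ALLOWED_PORTS = {80}  # constructed policy: only inbound web sessions may be opened

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

def is_setup(pkt):
    # A session-setup packet carries SYN without ACK.
    return "SYN" in pkt.flags and "ACK" not in pkt.flags

def stateless_accept(pkt):
    # Only setup packets are checked against policy; everything else is
    # assumed to belong to a session that was allowed earlier.
    if is_setup(pkt):
        return pkt.dport in ALLOWED_PORTS
    return True

class StatefulFilter:
    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of accepted setups

    def accept(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_setup(pkt):
            if pkt.dport in ALLOWED_PORTS:
                self.sessions.add(key)
                return True
            return False
        if key not in self.sessions:
            return False  # follow-on packet with no setup seen: drop
        if pkt.flags & {"FIN", "RST"}:
            self.sessions.discard(key)  # simplified teardown
        return True

def verdicts(packets):
    # Returns (stateless, stateful) accept decisions for each packet in order.
    stateful = StatefulFilter()
    return [(stateless_accept(p), stateful.accept(p)) for p in packets]

SAMPLE = [  # constructed traffic, documentation address ranges
    Packet("198.51.100.7", 40000, "192.0.2.10", 80, frozenset({"SYN"})),  # allowed setup
    Packet("198.51.100.7", 40000, "192.0.2.10", 80, frozenset({"ACK"})),  # its follow-on
    Packet("198.51.100.9", 40001, "192.0.2.10", 22, frozenset({"SYN"})),  # blocked setup
    Packet("198.51.100.9", 40001, "192.0.2.10", 22, frozenset({"ACK"})),  # no session seen
]
```

Calling `verdicts(SAMPLE)` shows the two filters agreeing on the first three packets and disagreeing only on the last one, which the stateless filter passes and the stateful filter drops.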

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT
