
Re: ipfilter Vs. FireWall-1 performance/security



On Sat, Feb 24, 2001 at 11:00:01PM +0100, Hakan Olsson wrote:

> > FW-1's GUI is piss poor. However, that seems to appeal to pissy people, which
> > is always those with the say.
> Sounds like neither of you have managed security in larger networks, or
> perhaps for very long. Saying a GUI is bad just because it's a GUI is
> wrong. (Well, perhaps it's true for web-based GUIs. :)

No, I was saying FW-1's GUI is bad. But I do also dislike GUIs in
general. =) GUIs are usually too restrictive, especially when you
need to do a mass update...and especially in larger networks with lots
of rules. =) But then, I also preferred the installation system in
OpenBSD 2.1 as opposed to the one today. =)

> administering the firewall. The FW-1 GUI is actually rather good, in my
> opinion, even though it does have its bad points. I assume there is
> *some* reason Checkpoint has its share of the market...

The GUI that munged a couple of rules about 50% of the time someone
used it. We had so many problems with the GUI it wasn't even funny.
But as I said, FW-1 is decent. Probably one of the best commercial
software firewalls out there.

> Have you managed to dig through a couple of hundred of lines of IPF/
> CiscoIOS rules without making mistakes in either figuring out what's
> permitted and what's not, or not made errors when doing changes to them?

Never needed hundreds of IOS rules to make it do a decent job, so I can't
say anything there. But I don't think I've made more errors with ipf than
in FW-1's GUI.

> Admittedly, any network that is in the 'many hundreds of rules'-situation
> probably needs to be redesigned anyway. Monolithic firewall systems really
> ought to be a thing of the past...

One would hope so. =)

> PS. Btw, it is perfectly possible to administer the FW-1 just by using
> your favorite text-editor. There is no magic (well, not that much) in
> writing your own INSPECT rules... including rules the gui itself will not
> manage. :)

Or fix up rules that the GUI screwed up. =)

//Ibo