With iptables, why do we need other firewall software

 
 
ctt
      06-10-2004, 04:23 PM
Hi,

I'm wondering, with iptables in 2.4 and 2.6 kernels, is there
still a need for firewall software for Linux?

If so, what are the benefits of using a particular firewall
software?

Thanks,
Ching
 
Robert W.
      06-10-2004, 04:43 PM
On Don, 10 Jun 2004 at 16:23 GMT, ctt wrote:
> Hi,
>
> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there
> still a need for firewall software for Linux?
>
> If so, what are the benefits of using a particular firewall
> software?
>
> Thanks,
> Ching


Perhaps a stupid question, however: Is there any third party
firewall implementation for Linux?

--

Robert...

 
Michael Heiming
      06-10-2004, 05:14 PM
In comp.os.linux.networking ctt <(E-Mail Removed)> suggested:
> Hi,


> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there
> still a need for firewall software for Linux?


> If so, what are the benefits of using a particular firewall
> software?


There's no other firewall than iptables, which is the user space
tool to maintain the kernel's firewall capabilities.

You perhaps mean some fancy setup scripts/GUI tools many distros
have? Sure there's absolutely no need, all you want is vi(m). But
then those tools are thought to ease setup.

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
Ian Northeast
      06-10-2004, 08:42 PM
On Thu, 10 Jun 2004 18:43:00 +0200, Robert W. wrote:

> On Don, 10 Jun 2004 at 16:23 GMT, ctt wrote:
>> Hi,
>>
>> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there still a
>> need for firewall software for Linux?
>>
>> If so, what are the benefits of using a particular firewall software?
>>
>> Thanks,
>> Ching

>
> Perhaps a stupid question, however: Is there any third party
> firewall implementation for Linux?


Perhaps a stupid answer in a group where open source software is popular:
Checkpoint Firewall-1 is available for those who are inclined to pay for
it.

A Nokia appliance firewall running Firewall-1 is actually running a Linux
based system. All for only four or five times the price of an equivalent
PC with iptables. And a very large multiple of the price of the discarded
PI/II which is sufficient for many firewall requirements.

To be fair Firewall-1 does have some additional features which iptables
alone doesn't provide and has a decent administrative GUI for those who
like that sort of thing. But if you just want an administrative GUI for
iptables, there's http://www.fwbuilder.org/ which I find very useful for
complex firewalls (I'm using it to administer one with around 1800
iptables rules, which would be a bit cumbersome with vi). And there are
Open Source packages available which will do pretty much everything
Firewall-1 will do (except possibly make managers think they've got a
proper product).

I think you can guess where my preferences lie.

BTW in any sort of industrial strength environment I believe that a
dedicated firewall is required. I would not want to protect a web server
with just an iptables firewall running on the server itself for instance.
The extra degree of insulation is worthwhile. It is easier to compromise a
machine if it's running lots of services. But often the dedicated firewall
can be the aforementioned discarded PI/II running headless under a shelf.
Of course, an additional firewall on the server does no harm.

Regards, Ian

 
Michael Heiming
      06-10-2004, 09:04 PM
In comp.os.linux.networking Ian Northeast <(E-Mail Removed)> suggested:
> On Thu, 10 Jun 2004 18:43:00 +0200, Robert W. wrote:


>> On Don, 10 Jun 2004 at 16:23 GMT, ctt wrote:
>>> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there still a
>>> need for firewall software for Linux?

[..]

> Perhaps a stupid answer in a group where open source software is popular:
> Checkpoint Firewall-1 is available for those who are inclined to pay for
> it

[..]

> To be fair Firewall-1 does have some additional features which iptables
> alone doesn't provide and has a decent administrative GUI for those who


AFAIR it doesn't even have a simple (or any) way to limit
logging, like iptables.

But then, it's not really worth mentioning anyway, if such a
critical sw doesn't come with source, would you trust it?

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
 
Ian Northeast
      06-10-2004, 09:50 PM
On Thu, 10 Jun 2004 21:04:31 +0000, Michael Heiming wrote:


> In comp.os.linux.networking Ian Northeast
> <(E-Mail Removed)> suggested:


>> Perhaps a stupid answer in a group where open source software is
>> popular: Checkpoint Firewall-1 is available for those who are inclined
>> to pay for it

> [..]
>
>> To be fair Firewall-1 does have some additional features which iptables
>> alone doesn't provide and has a decent administrative GUI for those who


> But then, it's not really worth mentioning anyway, if such a critical sw
> doesn't come with source, would you trust it?


Would *I* trust it? Or would my managers trust it?

The answers are of course different.

As it happens we have both Checkpoint Firewall-1 firewalls managed by an
ISP and a scrap PII with iptables managed by me (there is a spare sitting
on top of it in case the crappy old hardware lets go).

Anyone care to guess which one has the 100% no failure record and has
never had a change gone wrong?

Or which one the management wants to replace with the other?

The only possible argument I can see for this ludicrous policy is that
there's only one of me and I am a single point of failure. But it wouldn't
take me long to do a little training.

Regards, Ian

 
Jørn Dahl-Stamnes
      06-11-2004, 05:50 AM
In article <vvump1-(E-Mail Removed)>, Michael Heiming <michael+(E-Mail Removed)> wrote:
>In comp.os.linux.networking Ian Northeast <(E-Mail Removed)>
> suggested:
>> On Thu, 10 Jun 2004 18:43:00 +0200, Robert W. wrote:

>
>>> On Don, 10 Jun 2004 at 16:23 GMT, ctt wrote:
>>>> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there still a
>>>> need for firewall software for Linux?

>[..]
>
>> Perhaps a stupid answer in a group where open source software is popular:
>> Checkpoint Firewall-1 is available for those who are inclined to pay for
>> it

>[..]
>
>> To be fair Firewall-1 does have some additional features which iptables
>> alone doesn't provide and has a decent administrative GUI for those who

>
>AFAIR it doesn't even have a simple (or any) way to limit
>logging, like iptables.


Could you please explain that? I work with FireWall-1 every day. If you don't
want logging, you simply turn it off for those rules you don't want to log.

Using ipchains/iptables forces you to understand what is going on, while FW-1 lets
you do things very easily without having to have a deep understanding of how IP
works.

>But then, it's not really worth mentioning anyway, if such a
>critical sw doesn't come with source, would you trust it?


FW-1 has been state-of-the-art for a long time, when it comes to firewalls. It
seems like many users around the world are trusting them. But how can one be
100% sure?

--
Jørn Dahl-Stamnes

 
David Magda
      06-11-2004, 07:21 AM
(E-Mail Removed) (ctt) writes:

> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there still
> a need for firewall software for Linux?


iptables does not have certain functionality that other software may
have.

For example, PF (originally on OpenBSD, but being ported to FreeBSD)
has CARP: it allows you to have multiple firewalls and if the primary
goes down others can take over transparently. The state of the
connections is synchronized between the firewalls. Is there such
functionality in the default setup of iptables under 2.4/2.6?

iptables also does not have an easy way to send traffic to a
particular interface: you have to use marks and multiple routing
tables. PF (and IPFilter) have in their syntax a way to say "send
this back to this interface" without having to modify any routing
tables.

So yes, there are some cases where iptables cannot handle
things. (I'm sure I'll be corrected if I'm wrong on either of the two
above cases.)

--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
 
Cameron Kerr
      06-11-2004, 08:20 AM
Jørn Dahl-Stamnes <(E-Mail Removed)> wrote:
> In article <vvump1-(E-Mail Removed)>, Michael Heiming
> <michael+(E-Mail Removed)> wrote:


>>AFAIR it [Firewall-1] doesn't even have a simple (or any) way to limit
>>logging, like iptables.

>
> Could you please explain that? I work with FireWall-1 every day. If
> you don't want logging, you simply turn it off for those rules you
> don't want to log.


I believe he means that you can't perform rate limiting using FW1 for
log messages. For instance, if you get a lot of activity that matches a
particular log, you can help to prevent this from filling your logs by
matching the logging rule only if it matches at a rate lower than you
specify. Example

iptables ... -m limit --limit 5/minute -j LOG \
--log-prefix "SYN and FIN both set"

> Using ipchains/iptables forces you to understand what is going on, while
> FW-1 lets you do things very easily without having to have a deep
> understanding of how IP works.


You don't particularly need a _deep_ understanding of how IP works, but
you _do_ need to have a reasonable understanding of IP networking.
Anyone who doesn't has no business running a _real_ firewall.

\begin{rant}
By `real', I mean a firewall system that runs on a router or such, not
one of the crappy host-based firewalls that you sometimes see on Windows
boxen, even if they can be useful. As an admin experienced in iptables
and with a good knowledge of IP, these consumer-grade products just end
up irritating the hell out of me.
\end{rant}

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
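The `-m limit` fragment Cameron Kerr quotes above, written out as a complete rule pair. This is an added example, not code from any post in the thread; it assumes iptables with the LOG target is available, and it defaults to a dry run (IPT is "echo iptables") so it can be read without root.

```shell
#!/bin/sh
# Added example: rate-limited logging of TCP packets that have both SYN
# and FIN set, then an unconditional DROP. Set IPT=iptables and run as
# root to load the rules for real; by default the commands are only
# printed (assumption: the iptables binary and LOG target exist).
IPT="${IPT:-echo iptables}"

syn_fin_rules() {
    chain="${1:-INPUT}"
    # SYN and FIN set together never occurs in a legitimate handshake,
    # so this match is a clean example of traffic worth logging.
    match="-p tcp --tcp-flags SYN,FIN SYN,FIN"
    # Log at most 5 entries per minute after an initial burst of 5 (the
    # default --limit-burst). Packets beyond that rate are simply not
    # logged; the limit applies to this rule only, not to the traffic.
    $IPT -A "$chain" $match -m limit --limit 5/minute --limit-burst 5 \
        -j LOG --log-prefix "SYN and FIN both set: "
    # LOG is a non-terminating target: without this second rule every
    # matching packet, logged or not, would continue down the chain.
    $IPT -A "$chain" $match -j DROP
}

syn_fin_rules INPUT
```

The unlogged packets still hit the DROP rule, and `iptables -L INPUT -v` shows the full count on that rule's counters even when the log only records a handful.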
Antoine EMERIT
      06-12-2004, 10:18 AM
David Magda <dmagda+(E-Mail Removed)> wrote
news:(E-Mail Removed):
> (E-Mail Removed) (ctt) writes:
>
>> I'm wondering, with iptables in 2.4 and 2.6 kernels, is there still
>> a need for firewall software for Linux?

>
> iptables does not have certain functionality that other software may
> have.


Don't confuse software and software.

iptables is the underlying tool to manage the kernel's network filtering
rules. This is one of the components of a "full firewall" software.

You may not compare iptables and other firewall solutions.

You should add or use other "bricks" to build a full firewall:

- rules generator to simplify and optimize rule producing
- iproute2 for advanced routing
- log analyser to forward security alert
- intrusion detection system (e.g. snort)
- nice/easy administration interface
....

> For example, PF (originally on OpenBSD, but being ported to FreeBSD)
> has CARP: it allows you to have multiple firewalls and if the primary
> goes down others can take over transparently. The state of the
> connections is synchronized between the firewalls. Is there such
> functionality in the default setup of iptables under 2.4/2.6?
>
> iptables also does not have an easy way to send traffic to a
> particular interface: you have to use marks and multiple routing
> tables. PF (and IPFilter) have in their syntax a way to say "send
> this back to this interface" without having to modify any routing
> tables.
>
> So yes, there are some cases where iptables cannot handle
> things. (I'm sure I'll be corrected if I'm wrong on either of the two
> above cases.)


Don't forget that there is a complementary tool for iptables: iproute2

http://lartc.org/

- use multiple gateway
- route packet to interface
....

Regards
 
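The "marks and multiple routing tables" approach David Magda describes, carried out with the iproute2 tools Antoine points to. This is an added example, not from any post in the thread; the source network 192.0.2.0/24, the interface eth1, the gateway 198.51.100.1, mark 1 and table 100 are constructed values, and by default the commands are only printed (IPT and IP are "echo ...") so nothing is changed until you set IPT=iptables IP=ip and run as root.

```shell
#!/bin/sh
# Added example: send packets from one source network out through a
# second uplink using an iptables fwmark plus an ip rule / ip route table.
# All addresses, device names, mark and table numbers are constructed.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

mark_route_rules() {
    src_net="$1"; mark="$2"; table="$3"; dev="$4"; gw="$5"
    # 1. Mark the packets in the mangle table before the routing decision
    #    (PREROUTING covers forwarded traffic; use OUTPUT for traffic the
    #    firewall host generates itself).
    $IPT -t mangle -A PREROUTING -s "$src_net" -j MARK --set-mark "$mark"
    # 2. Tell the policy routing database that marked packets are looked
    #    up in a dedicated table instead of the main one.
    $IP rule add fwmark "$mark" lookup "$table"
    # 3. Give that table its own default route via the second uplink.
    $IP route add default via "$gw" dev "$dev" table "$table"
    # 4. Flush the route cache so the change applies to existing flows
    #    (relevant on the 2.4/2.6 kernels discussed here; harmless later).
    $IP route flush cache
}

mark_route_rules 192.0.2.0/24 1 100 eth1 198.51.100.1
```

On a multi-homed host also check net.ipv4.conf.*.rp_filter, since strict reverse-path filtering can drop replies that arrive on the second uplink.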