Firewalling a network

Eric S. Johansson esj at harvee.org
Sun Aug 14 03:39:29 UTC 2005


Douglas Alves wrote:
> On another thread somebody suggested looking at http://www.IPcop.org/
> 
> Could I get the same result of FIREWALLING A NETWORK by using
> Firestarter?
> 
> What is the difference between IPcop and other firewall software?
> 
> I read IPcop must be on a PC physically between the DSL modem and the
> router or switch. I guess this would be the same physical configuration
> even if I were to use Firestarter, right?

Since it was probably me that opened my big mouth on IPCop, I should 
probably answer you here as well.  :-)

The only time IPCop and "another system with Firestarter" are 
equivalent is if you are using dedicated machines in both circumstances 
for a firewall and protecting a network with that dedicated firewall. 
If you are just running Firestarter to isolate your own machine from 
the world, no, they are not equivalent.

Truth be told, any Linux-based firewall is more or less the same.  They 
are built out of the same components and use the same tools for various 
services.  The difference is primarily in the user interface.  If you 
are more interested in fiddling with a firewall, use something like 
Shorewall or even iptables directly.  I'm sure you'll have no end of fun 
making and breaking your firewall.

But if you just want to get the job done and have a firewall you can 
ignore until the next time it needs upgrades, then try IPCop.  I'm sure 
there are others out there with good user interfaces but I don't know 
them so I cannot give you a good comparison.  All I know is that if you 
have good hardware, from CD-ROM to working firewall is under 15 minutes. 
Pinholes for services are another 10 minutes; VPN network-to-network 
ranges anywhere from 10 minutes to an hour depending on factors I 
haven't quite figured out yet.

We really tried hard to design a firewall that is task-oriented.  If I 
can ever get a chance to breathe and work on IPCop again, I have 
some ideas on how to make the firewall detect servers and lead the user 
to doing the right thing for exposing those services or not.

As I said above, all firewalls are basically the same.  There are some 
important differences of functionality regarding types of address 
translation, bridging, DMZ exposure, etc., but they're all basically the 
same.  The primary difference is how well the user interface maps from 
the task (i.e. expose this SMTP server to the outside world) to the 
internal system representation (i.e. firewall rules).  The closer the 
user interface maps to the task, the more likely you are to do the right 
thing.  IPCop is not perfect in this regard.  It's just really good.

---eric
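As an added example, not part of Eric's message and not IPCop's own code, here is what the task-to-rules mapping he describes looks like when you do it by hand with iptables on a dedicated two-interface firewall: default-drop policies, masquerading for the LAN, an anti-spoofing rule on the WAN side, and a firewall_pinhole function that turns "expose this SMTP server on this internal host" into the two rules (a DNAT in the nat table and a matching FORWARD accept) it actually needs. The interface names eth0/eth1, the LAN range 192.168.1.0/24 and the internal host 192.168.1.10 are assumptions for illustration; setting IPT=echo prints the commands instead of applying them, which is how you would check the generated ruleset before committing it.

```shell
#!/bin/sh
# Added example: minimal dedicated-firewall ruleset in the spirit of the post.
# WAN/LAN interface names, the LAN range and the SMTP host are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of running them

# Base policy: drop everything not explicitly allowed, allow replies,
# let the LAN out (masqueraded), and refuse WAN packets that claim a LAN source.
firewall_base() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Administration of the firewall itself only from the LAN side
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Anti-spoofing first, so a forged LAN source on the WAN never matches anything below
    "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Pinhole: the task "expose <proto>/<port> on internal <host>" as the two rules it needs.
# Usage: firewall_pinhole tcp 25 192.168.1.10
firewall_pinhole() {
    proto=$1; port=$2; host=$3
    # Rewrite the destination of inbound WAN traffic to the internal host
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    # Only then allow that (and nothing else) to be forwarded to the host
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

firewall_apply() {
    firewall_base
    firewall_pinhole tcp 25 192.168.1.10   # assumed internal SMTP server
}

# sh firewall.sh show   -> print the ruleset;  sh firewall.sh apply -> load it (as root)
case "${1:-}" in
    show)  IPT=echo; firewall_apply ;;
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; firewall_apply ;;
esac
```

The point the post makes is visible in the pinhole function: the user's task is one line ("tcp 25 to this host"), but the system representation is two rules in two different tables, and forgetting either one silently gives you a firewall that looks configured and does not work.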





More information about the ubuntu-users mailing list