
RE: [FW1] Linux/Checkpoint Statefull inspection comparison



Hi Mark (and list),
Netfilter (part of the ipchains replacement), not exactly a part of the 2.4 kernel, is very good and it does do stateful inspection through its state module (which, incidentally, is how it tracks connections for NAT). It is extremely flexible and very, very fast. In addition to stateful inspection, it also protects against a wide range of flood-type attacks.
 
However, this flexibility comes at a cost. It is painful to set up (in comparison to FW1 at any rate). Unless you are very comfortable with the older ipchains and have a solid understanding of TCP/UDP/ICMP packet structure, stick with FW1.
You might want to check out the following URLs if you are still interested:
 
Matthew Ostwald
Network Engineer
Speedwell Media Pty Ltd
Phone: (07) 3236 9737
Fax: (07) 3236 9738

Level 10, Leichardt St
PO Box 293
Spring Hill, Queensland 4004,
Australia

 

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Mark Squire
Sent: Friday, 9 February 2001 5:47 AM
To: Firewall-1 Mailing List (E-mail)
Subject: [FW1] Linux/Checkpoint Statefull inspection comparison

Hi all,
The Linux kernel now has stateful inspection from what I have read. Have any of you compared it to Checkpoint's stateful inspection? If so, how do you think it compares? Is it just a cheap imitation, or is it worth the while?

C:\Mark



 
   All contents © 2004 Network Presence, LLC. All rights reserved.