Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!news.kei.com!newsfeed.internetmci.com!masternews.telia.net!newssrv.ita.tip.net!ubnsrv.unisource.ch!scsing.switch.ch!dino.active.ch!usenet
From: mwiget@linux.mw.active.ch
Newsgroups: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Subject: Re: Free firewall?
Followup-To: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Date: 14 Feb 1997 15:21:10 GMT
Organization: HB9RWM, Marcel Wiget CH-5036 Oberentfelden
Lines: 159
Message-ID: <5e1vt6$m39@dino.active.ch>
References: <330333EF.48C8@usa.net>
NNTP-Posting-Host: astp.mw.active.ch
X-Newsreader: TIN [version 1.2 PL2]
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:159291 comp.os.linux.networking:68880 comp.unix.bsd.freebsd.misc:35692
Hi,
: I'm looking into setting up a firewall for our network since we'll be
: getting a dedicated connection to the Internet. Since my company is a
: non-profit organization, we don't want to sink $10-$20K into something.
: Is there any "free" firewall software out there that would run under
: FreeBSD or Linux? And if so, does the "you get what you pay for" factor
actually there is a pretty good Firewall solution running on Linux and
developed by some people from ETH in Switzerland. I'm using it myself and
it has a well structured filter definition language and supports dynamic
filters.
See the message below (from comp.os.linux.announce)
- Marcel
Subject: sf Firewall Software 0.2.8 released
Followup-To: comp.os.linux.networking
Date: Sun, 03 Nov 1996 13:18:19 GMT
Organization: Dept. Informatik, Swiss Federal Institute of Technology
Lines: 127
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Message-ID: <pgpmoose.199611031518.26697@liw.clinet.fi>
Reply-To: firewall-bugs@switch.ch
NNTP-Posting-Host: localhost
X-Original-Date: 1 Nov 1996 13:02:14 GMT
X-Auth: PGPMoose V1.1 PGP comp.os.linux.announce
iQBVAwUBMnybnTiesvPHtqnBAQGQegH+Oq9DVK2Kj6wMg1JJMcv49Brrbpmh8CEZ
Vo5cjgIfHun7iMjMafSwLviCgEZJtN1qucjlvRDUGXgjIHaqgY23Nw==
=yedC
-----BEGIN PGP SIGNED MESSAGE-----
----------------------------------------------------------------------
sf Firewall Software -- a TCP/IP packet filter for Linux
Copyright (C) 1996 Robert Muchsel and Roland Schmid
----------------------------------------------------------------------
We have released version 0.2.8 of our sf Firewall Software. It has
been updated for Linux 2.0.xx kernels. We also fixed some bugs and
added new features (see changes summary below).
The software is available from
ftp://ftp.switch.ch/software/sources/network/sf/sf-0.2.8.tar.gz
----------------------------------------------------------------------
This is version 0.2.8 of the firewall software. It requires Linux 2.0.x
and will not work with earlier kernel versions (there is a version
which supports the 1.2.x kernels, please get sf-0.1.tar.gz).
Documentation is supplied in Postscript (Letter size) and HTML format.
Please read the installation section in the user's guide (user.htm)
before trying to compile and install the software!
Feel free to report any problems, bugs, suggestions and comments to
firewall-bugs@switch.ch.
You can get the latest version of the software from
ftp://ftp.switch.ch/software/sources/network/sf.
QUICK OVERVIEW
--------------
The sf packet filter & firewall is a free and easy way to protect your
network from the daily threats of the Internet. It does not guarantee
perfect security, however it comes with a wealth of features, including:
- filtering of all header fields in the IP,TCP,UDP,ICMP,IGMP packets
- intelligent RIP and FTP support
- easy to understand, text-based configuration
- dynamic rules, including counters and time-outs
- extensive logging, alerting, and counter intelligence
- prevention of packet and address spoofing
- GNU GPL license :-)
To install the software, you need a Linux 2.0.x based system. We suggest
you install a bare-bone system without X or any of the other nifty
features which tend to have security holes. You should not install user
accounts on the firewall system. Log-ins other than from the console
should be forbidden (if you absolutely have to log in remotely, we
strongly suggest you install a copy of ssh, http://www.cs.hut.fi/ssh).
Although the software has been subject to thorough testing, and has been
continuously running without crashes for over 12 months, we are confident
someone will eventually unconver A BUG in the software. Therefore, we
christened it "version 0.2.8".
Please do not use this software as the sole means to protect your top
secret data. The intended audience for this software includes
- people who want to study firewalls
- people who don't trust their current firewall
- and people who currently don't have any protection at all (even if
there are serious bugs, it cannot get worse, can it?)
If you have trouble installing or configuring the software despite the
comprehensive documentation, or if you seek advice in security related
issues, feel free to e-mail to firewall-bugs@switch.ch. However, please
understand we cannot provide consulting services for free.
BUG FIXES in version 0.2.8
==========================
- fixed minor errors in documentation and sample configuration files
- accept netmask 255.255.255.255
- eliminated generation of "THIS SHOULD NEVER HAPPEN" log message
NEW FEATURES in version 0.2.8
=============================
- permit 'call' statements in notification levels
- added 'destport' in LET statements
(let attackport:sourcehost := destport ...)
- added 'reject with best' / 'reject with tcp_reset' (equivalent)
sends TCP reset packet if TCP packet received
ICMP port unreachable packet if UDP received
ICMP host unreachable packet else
- added 'reject with echo_reply' sends echo reply on echo request
(use to answer pings)
- print ICMP type in log file
- added 'report' flag to notification - writes data to
/var/log/firewall.report
- provide up-to-date /etc/services file, more sample configs
and a log view tool
CHANGES in version 0.2.8
========================
- merged Linux 1.3.x patches
from Andi Kleen <andi@mlm.extern.lrz-muenchen.de>
fixed a few glitches and modified for 2.0.x kernel
- switched to Linux file system standard
- updated installation instructions for Linux 2.0.x
- changed Makefile to optionally use bison/flex instead of yacc/lex,
added make install
- switched to configure (GNU Autoconfig)
- 'sfc show' omits mask if mask is 255.255.255.255
- updated IP protocol names (RFC 1700 obsoletes RFC 1340, IANA ftp server)
- moved sfc to /usr/local/sbin
- strip symbols of modules
- --
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQCVAwUBMnybS4QRll5MupLRAQHWGQQAk7N7exhDJxMp0sE9PVcKMBbDZfw8Rz8G
fvs13ZSCoUZFvAkyCcL57JHtkKcA7DOrvQkfWP7Sd4B1wFuWuTPr8VordjJ2B455
6gxz3zuBzfR3ReM7wor2L1K0PnHbJOn+dKVxroAVKZpNDVOX1a0jFpnx0zmlwF+A
lnjM/rZ2PjQ=
=REKM
-----END PGP SIGNATURE-----
--
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/liw/lars-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/liw/linux/cola.html