*BSD News Article 89503


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.ececs.uc.edu!news.kei.com!newsfeed.internetmci.com!masternews.telia.net!newssrv.ita.tip.net!ubnsrv.unisource.ch!scsing.switch.ch!dino.active.ch!usenet
From: mwiget@linux.mw.active.ch
Newsgroups: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Subject: Re: Free firewall?
Followup-To: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Date: 14 Feb 1997 15:21:10 GMT
Organization: HB9RWM, Marcel Wiget CH-5036 Oberentfelden
Lines: 159
Message-ID: <5e1vt6$m39@dino.active.ch>
References: <330333EF.48C8@usa.net>
NNTP-Posting-Host: astp.mw.active.ch
X-Newsreader: TIN [version 1.2 PL2]
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:159291 comp.os.linux.networking:68880 comp.unix.bsd.freebsd.misc:35692

Hi,

: I'm looking into setting up a firewall for our network since we'll be
: getting a dedicated connection to the Internet.  Since my company is a
: non-profit organization, we don't want to sink $10-$20K into something.
: Is there any "free" firewall software out there that would run under
: FreeBSD or Linux?  And if so, does the "you get what you pay for" factor

Actually, there is a pretty good firewall solution running on Linux,
developed by some people from ETH in Switzerland. I'm using it myself; it
has a well-structured filter definition language and supports dynamic
filters.
See the message below (from comp.os.linux.announce).

- Marcel

Subject: sf Firewall Software 0.2.8 released
Followup-To: comp.os.linux.networking
Date: Sun, 03 Nov 1996 13:18:19 GMT
Organization: Dept. Informatik, Swiss Federal Institute of Technology
Lines: 127
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Message-ID: <pgpmoose.199611031518.26697@liw.clinet.fi>
Reply-To: firewall-bugs@switch.ch
NNTP-Posting-Host: localhost
X-Original-Date: 1 Nov 1996 13:02:14 GMT
X-Auth: PGPMoose V1.1 PGP comp.os.linux.announce


    ----------------------------------------------------------------------
    sf Firewall Software -- a TCP/IP packet filter for Linux
    Copyright (C) 1996 Robert Muchsel and Roland Schmid
    ----------------------------------------------------------------------

    We have released version 0.2.8 of our sf Firewall Software. It has
    been updated for Linux 2.0.xx kernels. We also fixed some bugs and
    added new features (see changes summary below).

    The software is available from 
       ftp://ftp.switch.ch/software/sources/network/sf/sf-0.2.8.tar.gz

    ----------------------------------------------------------------------

    This is version 0.2.8 of the firewall software. It requires Linux 2.0.x 
    and will not work with earlier kernel versions (there is a version
    which supports the 1.2.x kernels, please get sf-0.1.tar.gz).

    Documentation is supplied in Postscript (Letter size) and HTML format. 
    Please read the installation section in the user's guide (user.htm)
    before trying to compile and install the software!

    Feel free to report any problems, bugs, suggestions and comments to
    firewall-bugs@switch.ch.

    You can get the latest version of the software from
    ftp://ftp.switch.ch/software/sources/network/sf.

    QUICK OVERVIEW 
    --------------

    The sf packet filter & firewall is a free and easy way to protect your
    network from the daily threats of the Internet. It does not guarantee
    perfect security; however, it comes with a wealth of features, including:
    - filtering of all header fields in the IP,TCP,UDP,ICMP,IGMP packets
    - intelligent RIP and FTP support
    - easy to understand, text-based configuration
    - dynamic rules, including counters and time-outs
    - extensive logging, alerting, and counter intelligence
    - prevention of packet and address spoofing
    - GNU GPL license :-)
    
    To install the software, you need a Linux 2.0.x based system. We suggest
    you install a bare-bones system without X or any of the other nifty
    features which tend to have security holes. You should not install user
    accounts on the firewall system. Logins other than from the console
    should be forbidden (if you absolutely have to log in remotely, we
    strongly suggest you install a copy of ssh, http://www.cs.hut.fi/ssh).

    Although the software has been subject to thorough testing, and has been
    continuously running without crashes for over 12 months, we are confident
    someone will eventually uncover A BUG in the software. Therefore, we
    christened it "version 0.2.8".

    Please do not use this software as the sole means to protect your top
    secret data. The intended audience for this software includes
    - people who want to study firewalls
    - people who don't trust their current firewall
    - and people who currently don't have any protection at all (even if 
      there are serious bugs, it cannot get worse, can it?)

    If you have trouble installing or configuring the software despite the 
    comprehensive documentation, or if you seek advice in security related
    issues, feel free to e-mail to firewall-bugs@switch.ch. However, please
    understand we cannot provide consulting services for free.


    BUG FIXES in version 0.2.8
    ==========================
    - fixed minor errors in documentation and sample configuration files
    - accept netmask 255.255.255.255
    - eliminated generation of "THIS SHOULD NEVER HAPPEN" log message

    NEW FEATURES in version 0.2.8
    =============================
    - permit 'call' statements in notification levels
    - added 'destport' in LET statements 
      (let attackport:sourcehost := destport ...)
    - added 'reject with best' / 'reject with tcp_reset' (equivalent), which
      sends a TCP reset packet if a TCP packet was received,
            an ICMP port unreachable packet if a UDP packet was received,
            an ICMP host unreachable packet otherwise
    - added 'reject with echo_reply' sends echo reply on echo request
      (use to answer pings)
    - print ICMP type in log file
    - added 'report' flag to notification - writes data to 
      /var/log/firewall.report
    - provide up-to-date /etc/services file, more sample configs 
      and a log view tool

    CHANGES in version 0.2.8
    ========================
    - merged Linux 1.3.x patches 
      from Andi Kleen <andi@mlm.extern.lrz-muenchen.de> 
      fixed a few glitches and modified for 2.0.x kernel
    - switched to Linux file system standard
    - updated installation instructions for Linux 2.0.x
    - changed Makefile to optionally use bison/flex instead of yacc/lex, 
      added make install
    - switched to configure (GNU Autoconfig)
    - 'sfc show' omits mask if mask is 255.255.255.255
    - updated IP protocol names (RFC 1700 obsoletes RFC 1340, IANA ftp server)
    - moved sfc to /usr/local/sbin
    - strip symbols of modules



-- 
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/liw/lars-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/liw/linux/cola.html
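As an added illustration (my own sketch, not sf's source code), two of the mechanisms the announcement above lists, 'reject with best' and a dynamic per-host counter with a time-out, can be modelled in Python. The packet and rule shapes, the time-out semantics and the RFC 793 rules used to build the tcp_reset reply are assumptions of this example, not details the announcement gives.

```python
# Illustrative model (not sf's code) of 'reject with best' and a dynamic
# per-host counter with time-out. Packet fields are a constructed shape.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport flags seq ack length")

def tcp_reset_reply(p):
    """Fields of the RST a filter sends for an unwanted TCP segment, following
    RFC 793 reset generation: if the segment carried ACK, reply seq = its ack
    with RST only; otherwise seq = 0, ack = seq + length (SYN and FIN each
    occupy one sequence number), RST+ACK. A RST is never answered with a RST."""
    if "R" in p.flags:
        return None
    if "A" in p.flags:
        return dict(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport,
                    flags="R", seq=p.ack, ack=0)
    syn_fin = ("S" in p.flags) + ("F" in p.flags)
    return dict(src=p.dst, dst=p.src, sport=p.dport, dport=p.sport,
                flags="RA", seq=0, ack=p.seq + p.length + syn_fin)

def reject_with_best(p):
    """'reject with best': TCP -> TCP reset, UDP -> ICMP port unreachable,
    anything else -> ICMP host unreachable. Returns (action, reply fields)."""
    if p.proto == "tcp":
        return "tcp_reset", tcp_reset_reply(p)
    if p.proto == "udp":
        return "icmp_port_unreachable", None
    return "icmp_host_unreachable", None

class HostCounter:
    """Dynamic rule state: count rejects per source host; a host whose last
    hit is older than `timeout` seconds starts again from zero (assumed)."""
    def __init__(self, threshold, timeout):
        self.threshold, self.timeout, self.state = threshold, timeout, {}

    def hit(self, host, now):
        count, last = self.state.get(host, (0, now))
        count = count + 1 if now - last <= self.timeout else 1
        self.state[host] = (count, now)
        return count >= self.threshold   # True -> raise a notification

def run(packets, counter):
    """Feed constructed (time, packet) pairs through the model; return log lines
    in the spirit of sf's logging/notification, one per rejected packet."""
    log = []
    for now, p in packets:
        action, _ = reject_with_best(p)
        alert = counter.hit(p.src, now)
        log.append(f"{now:.0f} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}"
                   f" reject {action}{' ALERT' if alert else ''}")
    return log
```

A reject tells the sender a filter is present, which a silent drop does not; the trade-off is the sender's clients failing fast versus the filter staying quiet.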