From: mwiget@linux.mw.active.ch
Newsgroups: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Subject: Re: Free firewall?
Followup-To: comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc
Date: 14 Feb 1997 15:21:10 GMT
Organization: HB9RWM, Marcel Wiget CH-5036 Oberentfelden
Lines: 159
Message-ID: <5e1vt6$m39@dino.active.ch>
References: <330333EF.48C8@usa.net>
NNTP-Posting-Host: astp.mw.active.ch
X-Newsreader: TIN [version 1.2 PL2]

Hi,

: I'm looking into setting up a firewall for our network since we'll be
: getting a dedicated connection to the Internet. Since my company is a
: non-profit organization, we don't want to sink $10-$20K into something.
: Is there any "free" firewall software out there that would run under
: FreeBSD or Linux? And if so, does the "you get what you pay for" factor

Actually there is a pretty good Firewall solution running on Linux and
developed by some people from ETH in Switzerland. I'm using it myself and
it has a well structured filter definition language and supports dynamic
filters. See the message below (from comp.os.linux.announce)

- Marcel

Subject: sf Firewall Software 0.2.8 released
Followup-To: comp.os.linux.networking
Date: Sun, 03 Nov 1996 13:18:19 GMT
Organization: Dept. Informatik, Swiss Federal Institute of Technology
Lines: 127
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Message-ID: <pgpmoose.199611031518.26697@liw.clinet.fi>
Reply-To: firewall-bugs@switch.ch
NNTP-Posting-Host: localhost
X-Original-Date: 1 Nov 1996 13:02:14 GMT

----------------------------------------------------------------------
sf Firewall Software -- a TCP/IP packet filter for Linux
Copyright (C) 1996 Robert Muchsel and Roland Schmid
----------------------------------------------------------------------

We have released version 0.2.8 of our sf Firewall Software. It has been
updated for Linux 2.0.xx kernels. We also fixed some bugs and added new
features (see changes summary below).

The software is available from
ftp://ftp.switch.ch/software/sources/network/sf/sf-0.2.8.tar.gz

----------------------------------------------------------------------

This is version 0.2.8 of the firewall software. It requires Linux 2.0.x
and will not work with earlier kernel versions (there is a version which
supports the 1.2.x kernels, please get sf-0.1.tar.gz).

Documentation is supplied in Postscript (Letter size) and HTML format.
Please read the installation section in the user's guide (user.htm)
before trying to compile and install the software!

Feel free to report any problems, bugs, suggestions and comments to
firewall-bugs@switch.ch.

You can get the latest version of the software from
ftp://ftp.switch.ch/software/sources/network/sf.

QUICK OVERVIEW
--------------

The sf packet filter & firewall is a free and easy way to protect your
network from the daily threats of the Internet. It does not guarantee
perfect security, however it comes with a wealth of features, including:

- filtering of all header fields in the IP,TCP,UDP,ICMP,IGMP packets
- intelligent RIP and FTP support
- easy to understand, text-based configuration
- dynamic rules, including counters and time-outs
- extensive logging, alerting, and counter intelligence
- prevention of packet and address spoofing
- GNU GPL license :-)

To install the software, you need a Linux 2.0.x based system. We suggest
you install a bare-bone system without X or any of the other nifty
features which tend to have security holes. You should not install user
accounts on the firewall system. Log-ins other than from the console
should be forbidden (if you absolutely have to log in remotely, we
strongly suggest you install a copy of ssh, http://www.cs.hut.fi/ssh).

Although the software has been subject to thorough testing, and has been
continuously running without crashes for over 12 months, we are
confident someone will eventually uncover A BUG in the software.
Therefore, we christened it "version 0.2.8". Please do not use this
software as the sole means to protect your top secret data.

The intended audience for this software includes

- people who want to study firewalls
- people who don't trust their current firewall
- and people who currently don't have any protection at all (even if
  there are serious bugs, it cannot get worse, can it?)

If you have trouble installing or configuring the software despite the
comprehensive documentation, or if you seek advice in security related
issues, feel free to e-mail to firewall-bugs@switch.ch. However, please
understand we cannot provide consulting services for free.

BUG FIXES in version 0.2.8
==========================

- fixed minor errors in documentation and sample configuration files
- accept netmask 255.255.255.255
- eliminated generation of "THIS SHOULD NEVER HAPPEN" log message

NEW FEATURES in version 0.2.8
=============================

- permit 'call' statements in notification levels
- added 'destport' in LET statements
  (let attackport:sourcehost := destport ...)
- added 'reject with best' / 'reject with tcp_reset' (equivalent)
  sends TCP reset packet if TCP packet received
        ICMP port unreachable packet if UDP received
        ICMP host unreachable packet else
- added 'reject with echo_reply'
  sends echo reply on echo request (use to answer pings)
- print ICMP type in log file
- added 'report' flag to notification - writes data to
  /var/log/firewall.report
- provide up-to-date /etc/services file, more sample configs and a log
  view tool

CHANGES in version 0.2.8
========================

- merged Linux 1.3.x patches from Andi Kleen
  <andi@mlm.extern.lrz-muenchen.de>
  fixed a few glitches and modified for 2.0.x kernel
- switched to Linux file system standard
- updated installation instructions for Linux 2.0.x
- changed Makefile to optionally use bison/flex instead of yacc/lex,
  added make install
- switched to configure (GNU Autoconfig)
- 'sfc show' omits mask if mask is 255.255.255.255
- updated IP protocol names (RFC 1700 obsoletes RFC 1340, IANA ftp
  server)
- moved sfc to /usr/local/sbin
- strip symbols of modules

--
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/liw/lars-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/liw/linux/cola.html