
RE: OpenBSD Firewalls?



I'd assume he's talking about an application firewall as one that does
application filtering, like FWTK (www.fwtk.org), a set of proxies that make
sure only what is meant to go out through the firewall is allowed.

So, for instance, if people are allowed to make outgoing Telnet connections
from your network, it makes sure that a Trojan doesn't use them for other
purposes.

Packet filters, even stateful ones, are never enough. Unfortunately,
application firewalls are very hard to set up.

I'm at the moment trying to implement a totally transparent set of outgoing
proxies for my users with NAT, some transparent reverse proxies so I can
run some web/mail servers, and split DNS to do proper mail forwarding with
QMail.

I jumped into this without realizing how big a project it is. But you've
got to do what you've got to do, on the shoestring you have. :-)

----
David Crawshaw
www.neuronforge.com


> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> Marco S Hyman
> Sent: Monday, January 15, 2001 5:42 PM
> To: Brent Reich
> Cc: Chuck Yerkes; misc@openbsd.org
> Subject: Re: OpenBSD Firewalls?
>
>
> Brent Reich writes:
>  > cost-effective firewall. Preferably on one box. ipfilter seems to be an
>  > excellent starting point, especially if clients can work in a scenario
>  > where we can deny all in. However, this is rarely the case. Once we start
>  > opening holes in the firewall a packet filter starts to lose its
>  > potency. What I was looking for is an open-source application firewall
>
> Excuse my ignorance. Please define the functional difference between
> what you call a "packet filter" and what you call an "application
> firewall".
> Also, in what way does a "packet filter" lose potency?
>
> // marc
>
>
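
The distinction David draws above, as an added example that is not part of the
original thread and is not FWTK code: a packet filter, stateful or not, decides
on headers alone, so a Trojan pushing arbitrary bytes to tcp/23 looks exactly
like a user's Telnet session. An application proxy for the same port can
additionally require that the bytes it relays are actually Telnet. The framing
rules checked here come from RFC 854 (IAC escaping, option negotiation,
subnegotiation, 7-bit NVT data unless TRANSMIT-BINARY is in effect, CR
followed by LF or NUL). The allowed-port set, the `binary` flag and both sample
streams are constructed for illustration.

```python
"""Port-based packet-filter decision vs. protocol-aware proxy decision on the
same outbound bytes.  Illustrative code, not FWTK's tn-gw or any OpenBSD
component; the policy and sample streams are constructed assumptions.
"""
from typing import Tuple

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATIONS = {DO, DONT, WILL, WONT}


def telnet_conformant(stream: bytes, binary: bool = False) -> Tuple[bool, str]:
    """Check that a client->server byte stream is well-formed Telnet NVT data.

    binary: whether TRANSMIT-BINARY (RFC 856) has been negotiated for this
    direction.  A real proxy would derive that from the DO/WILL exchange it
    relays in both directions; here it is simply passed in (assumption).
    Returns (ok, reason).
    """
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b == IAC:
            if i + 1 >= n:
                return False, "truncated IAC at end of stream"
            cmd = stream[i + 1]
            if cmd == IAC:                      # IAC IAC = literal 0xFF data byte
                if not binary:
                    return False, "0xFF data byte outside BINARY mode"
                i += 2
                continue
            if cmd in NEGOTIATIONS:             # IAC DO/DONT/WILL/WONT <option>
                if i + 2 >= n:
                    return False, "truncated option negotiation"
                i += 3
                continue
            if cmd == SB:                       # IAC SB <option> ... IAC SE
                end = stream.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    return False, "unterminated subnegotiation"
                i = end + 2
                continue
            if 241 <= cmd <= 249:               # NOP, DM, BRK, IP, AO, AYT, EC, EL, GA
                i += 2
                continue
            return False, "unknown IAC command %d at offset %d" % (cmd, i)
        if b >= 0x80 and not binary:            # NVT data is 7-bit unless BINARY
            return False, "8-bit data byte 0x%02x outside BINARY mode at offset %d" % (b, i)
        if b == 0x0D:                           # NVT: CR must be followed by LF or NUL
            if i + 1 >= n or stream[i + 1] not in (0x0A, 0x00):
                return False, "bare CR at offset %d" % i
            i += 2
            continue
        i += 1
    return True, "ok"


# Assumed policy: users may open outbound Telnet (tcp/23) and nothing else.
ALLOWED_OUTBOUND_TCP = {23}


def packet_filter_allows(dst_port: int) -> bool:
    """A packet filter, stateful or not, decides on headers only."""
    return dst_port in ALLOWED_OUTBOUND_TCP


def proxy_allows(dst_port: int, client_bytes: bytes) -> bool:
    """An application proxy additionally insists the payload is Telnet."""
    return packet_filter_allows(dst_port) and telnet_conformant(client_bytes)[0]


# Constructed sample streams, not captured traffic.
LEGIT_TELNET = b"\xff\xfd\x01\xff\xfb\x18" + b"alice\r\n"   # DO ECHO, WILL TERMINAL-TYPE, then a username
TUNNEL_ON_23 = b"\x16\x03\x01\x00\x2f" + bytes(range(0x80, 0x90))  # opaque binary blob aimed at port 23

if __name__ == "__main__":
    for name, data in (("legit telnet", LEGIT_TELNET), ("tunnel on 23", TUNNEL_ON_23)):
        print("%-13s filter=%s proxy=%s (%s)" % (
            name, packet_filter_allows(23), proxy_allows(23, data), telnet_conformant(data)[1]))
```

Both streams pass the packet filter because both go to port 23; only the
first passes the proxy. A proxy that terminates the protocol itself (as the
FWTK gateways do) enforces more than this framing check, but the check is
enough to show why "hole in the filter" and "hole in the proxy" are not the
same size.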