
Re: OpenBSD Firewalls?
Let's get some terms out (see Cheswick and Bellovin's fine book).

Filtering:  something like Cisco's and ipfilter's ability to stop
            or allow packets based on header information. Kernel level.
Stateful filter - something that remembers the sets of addresses
        associated with a "session" (even faking a UDP session).
        So a SYN/ACK exchange for ssh will allow future packets
        back in through the firewall (see Stevens' TCP books for more).
Proxy:  (or application level proxy). A userland program that acts
        as a proxy for the data passing through - i.e. fwtk or its
        many alternatives.  These can often look into the protocol
        to block "bad things" - like buffer overruns, etc. Also
        can stop things like FTP PUT commands.

An application firewall to me says "Checkpoint" - an application
that's a firewall.

Networking is complex.  You can't get around it.  My issue with GUI
based firewalls is that I've cleaned up too many that had someone
without enough Clue configuring them.  My basic take is that if you
don't have enough experience to run vi (fairly junior), you don't
have enough experience to set up a firewall (fairly advanced).

Quoting Marco S Hyman (marc@snafu.org):
> Brent Reich writes:
>  > cost-effective firewall. preferably on one box. ipfilter seems to be an
>  > excellent starting point, especially if clients can work in a scenario
>  > where we can deny all in. however this is rarely the case. Once we start
>  > opening holes in the firewall a packet filter starts to lose its
>  > potency. what I was looking for is an open-source application firewall
> 
> Excuse my ignorance.  Please define the functional difference between
> what you call a "packet filter" and what you call an "application firewall".
> Also, in what way does a "packet filter" lose potency?
> 
> // marc
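As an added illustration of the "filtering" versus "stateful filter" definitions above (this is a toy model written for this page, not ipfilter or any code from the thread): a default-deny-inbound filter that creates state from outbound traffic, including a faked, time-limited UDP session, placed beside a header-only filter that has to punch a port-based hole to let ssh replies in. Hosts, ports and the 60 s UDP idle timeout are constructed values.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> world, "in" = world -> inside
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    t: float = 0.0   # arrival time in seconds, used to expire UDP state
def session_key(p):
    # One key for both directions of a session: inside endpoint first.
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)
class StatefulFilter:
    """Default-deny inbound; outbound traffic creates state that lets replies in."""
    def __init__(self):
        self.state = {}  # session_key -> time of the last packet seen
    def decide(self, p):
        k = session_key(p)
        if p.direction == "out":
            # TCP state starts at the initial SYN. UDP has no handshake, so any
            # outbound datagram opens a pseudo-session (the "faked" UDP session).
            if p.proto == "udp" or p.flags == "S":
                self.state[k] = p.t
            return "pass"
        seen = self.state.get(k)
        if seen is None or (p.proto == "udp" and p.t - seen > 60.0):
            self.state.pop(k, None)  # unknown, or UDP idle > 60 s: block it
            return "block"
        self.state[k] = p.t
        return "pass"
def stateless_decide(p):
    """Header-only filter with a hole punched for ssh replies. It cannot tell
    a genuine reply from an unrelated inbound packet that uses source port 22."""
    if p.direction == "out":
        return "pass"
    return "pass" if p.proto == "tcp" and p.sport == 22 else "block"
def compare(packets):
    """Verdicts (stateless, stateful) for each packet, in arrival order."""
    sf = StatefulFilter()
    return [(stateless_decide(p), sf.decide(p)) for p in packets]

SAMPLE = [  # constructed: ssh out, its SYN/ACK back, unrelated inbound SYN from port 22
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 22, "S", 0.0),
    Packet("in", "tcp", "203.0.113.10", 22, "10.0.0.5", 40000, "SA", 0.1),
    Packet("in", "tcp", "203.0.113.10", 22, "10.0.0.5", 445, "S", 5.0),
]
```

The third packet is the "hole" problem the quoted message asks about: the header-only filter passes it because it looks like an ssh reply, while the stateful filter blocks it because no session from 10.0.0.5:445 was ever opened.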