I'm Rajesh P.G. , a computer science student at Regional Engineering
College - Calicut, Kerala State, India. As a classroom project, I'm
implementing a 'Packet Filter Firewall'.
Initially, I had worked on the idea of doing this project on one of our
machines running Solaris. I realised later that,to get the firewall running
will require modifications to the kernel source handling IP packets.
( I don't have Solaris kernel source code, so I switched on to Linux ).
In one of the replies, Mike Jones mentioned that, FireWall-1 that
works on Solaris, installs a module "which is in the path the IP packets
go through ". I guess that, it'll require access to the kernel source to
incorporate such modules. Could someone please tell me if there are other
alternatives to install the concerned module.
Thanks in advance,
Email : rajesh @
~~~~~~~~~~~~~~~ Original Message ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Mike Jones <mike .
To: Pedro Salgueiro <psalgueiro @
CC: "'Mike Jones'" <newman!jonesmd @
"'firewalls'" <firewalls @
Subject: Re: PIX and Firewall-1
Pedro Salgueiro wrote:
> I've been "watching" the discussion regarding the differences between packet-filtering and application level firewalls. I believe that there are some:
> 1 - Packet filtering firewalls are more difficult to manage (It is very simple to mis-configure => less secure).
> It may be very complicated establishing rules.
I would dispute this, as least as regards FireWall-1. My experience and
all the reviews I've seen agree that it's very easy to manage. Now it's
certainly the case that something that's easy to configure is easy to
MISconfigure, but I don't think there's a firewall in the world that can
make up for an admin who doesn't know what he's doing.
> 2 - Packet filter systems are always routing packets (so "fail-open" may occur). A well known contructor firewall crashed with a ping attack and routed all the packets from the insecure network to the secure one.
I'd be *very* interested in knowing whose firewall that was. I also
think this is necessarily the case. For example, FireWall-1 (which is
firewall I'm most familiar with) works on Solaris by installing a kernel
module which is in the path that IP packets go through. I have a hard
seeing how it could "fail open" in that configuration, though I'd admit
that it's theoretically possible.
> 3 - If you are using a packet filter system and you provide SMTP, HTTP, etc. you cannot control what the users do with those protocols,i.e., you open or close a port. Application level firewalls provide secure daemons of those protocols.
This is an advantage of applications level firewalls. However, there are
reasons other than security (caching and spam filtering, for example) to
have proxies in place, and I actually prefer an architecture where the
security functions, whether proxy or filter based, are separated from
> From: Mike Jones