List: firewall-wizards
Subject: Re: [fw-wiz] Proxy Firewalls (was FWTK vs T.REX)
From: ark () eltex ! ru
Date: 2003-01-31 15:40:53
nuqneH,
On Fri, Jan 31, 2003 at 03:30:08PM +0100, Illes Marton wrote:
> > Statistics, monitoring, QoS control, granular protocol inspection,
> > content filtering and more..
> I believe QoS is fine if you use the kernel's built-in QoS.
> Content filtering and protocol inspection are the task of the appl. proxy.
Who says the QoS kernel should be on the firewall box? I mean DSCP marking, so
routers may take care of that thing.
> I think a good final solution would use an appropriate packet
> filter, and a good appl. proxy.
>
> The best of the breed way looks good in some manner, but you should
> consider that different applications have different quality. With the
> single kit you can accept the same quality. I prefer using, if possible, one
> kit at the same time. BTW: I use Zorp. :)
>
> If you are looking for an open/free _working_ firewall kit, then you can have
> FWTK, T.REX, Zorp. (Don't count socks based ones.)
>
> The Zorp GPL tries to provide a working, modern solution for your needs,
> which used to be FWTK.
>
> We can agree that FWTK is a bit obsolete, and there isn't any group
> maintaining it.
Who says? We do. The API is completely different, but there are compatibility hooks
that allow any fwtk-compatible proxy to build and run, though it will not
use Generation 2 API advantages like seeing what happens just when you
type "ps", the QoS support I noted and other fancy things.
> T.REX is a collection of proxies, often with poor quality
> implementations.
I agree.
>
> > > FWTK I use now
> > > ftp-gw FTP w/pasv origin only, squid for readonly
> >
> > still looking for suitable replacement, will probably rewrite
> Zorp has a built-in FTP proxy, supporting passive and active connections.
>
> >
> > > http-gw squid, chrooted on a separate box
> >
> > what about html filtering? squid-gw is the way.
> HTTP proxy, able to do content filtering, and many more tricks.
>
> > > plug-gw ssltunnel, plug-gw
> >
> > sslified plug-gw
> We have a plug proxy, and an SSL proxy (capable of stacking other proxies in), so you
> can run HTTPS with HTTP-level content filtering :) Nice feature.
Yep, we don't do MITM SSL yet. But we plan to someday. There are certificate
management issues..
> Plug proxy is able to handle not just TCP, but UDP as well. It's able to
> handle UDP on one side, TCP on the other side.
Trivial to implement, but I've never seen protocols that can work this way ;)
> > > dns bind, chrooted (finally)
> Seems reasonable. Personally I don't like djbdns.
Why? djbdns as a name server may be a PITA, but dnscache is just fine.
> > pop3, nntp, cvs, rsh, lpd, tds etc proxies?
> Zorp has in addition: finger, whois (the two most important ones :)),
We have those too.
> telnet.
>
> The commercial version has
> more(pop3,imap,nntp,lpd,radius,tftp,sqlnet,etc.)
>
>
> You can download zorp source or binary (debian/woody i386) from
> www.balabit.hu, or you can find it in debian/sid
I know. Actually I find Zorp to be an excellent thing, I just chose a bit
different way that we like more ;-).
--
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards