Hi,
As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
is based on FreeBSD (if I'm correct), does that mean CP has a version
based on FreeBSD?
thanks
S
In <QCrch.1659$HU.405@news-server.bigpond.net.au>, on Sun, 03 Dec 2006
03:36:16 GMT, Pet wrote:
> As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
> is based on FreeBSD (if I'm correct), does that mean CP has a version
> based on FreeBSD?
No idea, but the handbook should shed some light.
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/checkpoint/index.html
Pet wrote:
> Hi,
>
> As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
> is based on FreeBSD (if I'm correct), does that mean CP has a version
> based on FreeBSD?
Yes, but it only works for the Nokia firewall OS (called IPSO). The
checkpoint firewall won't run on stock standard FreeBSD.
Isn't the PF being part of the base system not enough? Why do I have to
pay big bucks for CheckPoint FW when I can get a better yet free
alternative to it?
> Max Haus wrote:
> Pet wrote:
> > Hi,
> >
> > As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
> > is based on FreeBSD (if I'm correct), does that mean CP has a version
> > based on FreeBSD?
>
> Yes, but it only works for the Nokia firewall OS (called IPSO). The
> checkpoint firewall won't run on stock standard FreeBSD.
In article <QCrch.1659$HU.405@news-server.bigpond.net.au>,
Pet <fwun@bigpond.net.au> wrote:
>Hi,
>
>As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
>is based on FreeBSD (if I'm correct), does that mean CP has a version
>based on FreeBSD?
No, CP is Linux based. Yes, while IPSO, the underlying OS on Nokia
is based on FreeBSD it's deviated quite a bit. I tried developing
some code awhile back and needed to use custom libs and the like.
Maybe you could run CP as a Linux emulation, but I dumped all
my CP firewalls (28 of 'em) for Juniper Netscreens the last year.
Just waaay too many issues with CP, and terrible support. Nokia
was better but it's still CP. And expensive.
-alan
Alan Strassberg wrote:
> In article <QCrch.1659$HU.405@news-server.bigpond.net.au>,
> Pet <fwun@bigpond.net.au> wrote:
>> Hi,
>>
>> As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
>> is based on FreeBSD (if I'm correct), does that mean CP has a version
>> based on FreeBSD?
>
> No, CP is Linux based. Yes, while IPSO, the underlying OS on Nokia
> is based on FreeBSD it's deviated quite a bit. I tried developing
> some code awhile back and needed to use custom libs and the like.
>
> Maybe you could run CP as a Linux emulation,
No, that won't work since part of the CP implementation uses a kernel
loadable module.
>>>>> "Demuel" == Demuel I Bendano, EE <demuel@msumain.edu.ph> writes:
Demuel> Isn't the PF being part of the base system not enough? Why
Demuel> do I have to pay big bucks for CheckPoint FW when I can
Demuel> get a better yet free alternative to it?
PF lacks many of the more advanced state tracking features found in
Firewall-1, such as transparent proxy support for FTP and H.323
through the firewall/NAT. It also includes a suite of management,
logging, and reporting tools that are missing from the standard PF
distribution. Of course, third-party tools like Firewall Builder help
with PF policy management, and you can cobble together your own
reporting and centralized logging given sufficient time and
motivation.
PF is nice and all, but it can really get in the way of getting stuff
done. For example, last I checked, you cannot set up an FTP server
behind a PF NAT/firewall. The FTP server must run on the firewall
itself, unless a suitable user-space proxy now exists that lets one
NAT incoming FTP control and data connections to an FTP server behind
the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
and SIP support are another support problem. (There's a SIP proxy,
but it doesn't work transparently.)
Best wishes,
Matthew
--
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)
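The payload problem behind the FTP-through-NAT point in the post above, as an added example that is not part of the original thread: a passive-mode server behind NAT advertises its private address in the 227 reply, so a protocol-aware helper has to rewrite that reply and set up a matching data redirect. The function name, addresses and ports are constructed for illustration.

```python
import re

# Six comma-separated octets as carried in a 227 reply: h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def rewrite_pasv_reply(line, server_ip, public_ip, alloc_port):
    """Rewrite a 227 reply from the inside FTP server for outside clients.

    Returns (line_to_forward, mapping). mapping is
    (public_port, inside_ip, inside_port) for the data connection the
    firewall must now redirect, or None when nothing has to be opened.
    line_to_forward is None when the reply must be dropped.
    """
    if not line.startswith("227"):
        return line, None                      # not a passive-mode reply
    m = HOSTPORT.search(line)
    if m is None:
        return None, None                      # malformed 227: drop
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None, None
    inside_ip = ".".join(str(n) for n in nums[:4])
    inside_port = nums[4] * 256 + nums[5]
    # Only open a path to the server itself; a reply naming another host
    # would otherwise make the firewall redirect traffic to a third machine.
    if inside_ip != server_ip:
        return None, None
    public_port = alloc_port()
    advertised = ",".join(public_ip.split(".") +
                          [str(public_port >> 8), str(public_port & 0xFF)])
    # The reply changes length, so a packet-level helper must also fix up
    # TCP sequence numbers; a user-space proxy re-sends the line instead.
    return (line[:m.start()] + advertised + line[m.end():],
            (public_port, inside_ip, inside_port))

if __name__ == "__main__":
    free_ports = iter(range(40001, 40100))     # constructed port pool
    replies = [                                # constructed control-channel lines
        "220 FTP server ready\r\n",
        "227 Entering Passive Mode (192,168,1,10,195,80)\r\n",
    ]
    for reply in replies:
        out, mapping = rewrite_pasv_reply(reply, "192.168.1.10", "203.0.113.5",
                                          lambda: next(free_ports))
        print(repr(out), mapping)
```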
Matthew X. Economou wrote:
>>>>>> "Demuel" == Demuel I Bendano, EE <demuel@msumain.edu.ph> writes:
>
> Demuel> Isn't the PF being part of the base system not enough? Why
> Demuel> do I have to pay big bucks for CheckPoint FW when I can
> Demuel> get a better yet free alternative to it?
>
> PF lacks many of the more advanced state tracking features found in
> Firewall-1, such as transparent proxy support for FTP and H.323
> through the firewall/NAT. It also includes a suite of management,
> logging, and reporting tools that are missing from the standard PF
> distribution. Of course, third-party tools like Firewall Builder help
> with PF policy management, and you can cobble together your own
> reporting and centralized logging given sufficient time and
> motivation.
>
> PF is nice and all, but it can really get in the way of getting stuff
> done. For example, last I checked, you cannot set up an FTP server
> behind a PF NAT/firewall. The FTP server must run on the firewall
> itself, unless a suitable user-space proxy now exists that lets one
> NAT incoming FTP control and data connections to an FTP server behind
> the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
> and SIP support are another support problem. (There's a SIP proxy,
> but it doesn't work transparently.)
>
> Best wishes,
> Matthew
>
I'm going to drop PF but keep its CARP.
Matthew X. Economou wrote:
> >>>>> "Demuel" == Demuel I Bendano, EE <demuel@msumain.edu.ph> writes:
>
> Demuel> Isn't the PF being part of the base system not enough? Why
> Demuel> do I have to pay big bucks for CheckPoint FW when I can
> Demuel> get a better yet free alternative to it?
>
> PF lacks many of the more advanced state tracking features found in
> Firewall-1, such as transparent proxy support for FTP and H.323
> through the firewall/NAT. It also includes a suite of management,
> logging, and reporting tools that are missing from the standard PF
> distribution. Of course, third-party tools like Firewall Builder help
> with PF policy management, and you can cobble together your own
> reporting and centralized logging given sufficient time and
> motivation.
>
> PF is nice and all, but it can really get in the way of getting stuff
> done. For example, last I checked, you cannot set up an FTP server
> behind a PF NAT/firewall. The FTP server must run on the firewall
> itself, unless a suitable user-space proxy now exists that lets one
> NAT incoming FTP control and data connections to an FTP server behind
> the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
> and SIP support are another support problem. (There's a SIP proxy,
> but it doesn't work transparently.)
>
> Best wishes,
> Matthew
>
> --
> Every time Bruce Schneier smiles, an amateur cryptographer dies.
> (http://geekz.co.uk/schneierfacts/fact/55)
Do you mean something like one to one IP mapping that already exists?
I set this up some time ago using IP aliasing on my WAN NIC.
>>>>> "Brent" == Brent Bolin <brent.bolin@gmail.com> writes:
Brent> Do you mean something like one to one IP mapping that already
Brent> exists?
Brent> I set this up some time ago using IP aliasing on my WAN
Brent> NIC.
To what in my post were you referring? If it was about H.323 or SIP
through NAT, yes, one-to-one static NAT mappings may work *if* the
H.323 or SIP client is NAT-aware. This isn't always the case,
especially with legacy codecs.
Best wishes,
Matthew
--
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)
>>>>> "Pet" == Pet Farrari <pf@auth.net.au> writes:
Pet> I'm going to drop PF but keep its CARP.
CARP and pfsync are very cool. One of these days, I'll set up a
second firewall so I can play with hot fail-over in PF.
Best wishes,
Matthew
--
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)