checkpoint on freebsd - BSD


  1. checkpoint on freebsd

    Hi,

    As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    is based on FreeBSD (if I'm correct), does that mean CP has a version
    based on FreeBSD?

    thanks
    S

  2. Re: checkpoint on freebsd

    On Sun, 03 Dec 2006 03:36:16 GMT, Pet wrote:

    > As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    > is based on FreeBSD (if I'm correct), does that mean CP has a version
    > based on FreeBSD?


    No idea, but the handbook should shed some light.
    http://www.freebsd.org/doc/en_US.ISO...int/index.html

  3. Re: checkpoint on freebsd

    Pet wrote:
    > Hi,
    >
    > As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    > is based on FreeBSD (if I'm correct), does that mean CP has a version
    > based on FreeBSD?


    Yes, but it only works for the Nokia firewall OS (called IPSO). The
    checkpoint firewall won't run on stock standard FreeBSD.

  4. Re: checkpoint on freebsd

    Isn't the PF being part of the base system not enough? Why do I have to
    pay big bucks for CheckPoint FW when I can get a better yet free
    alternative to it?

    > Max Haus wrote:
    > Pet wrote:
    > > Hi,
    > >
    > > As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    > > is based on FreeBSD (if I'm correct), does that mean CP has a version
    > > based on FreeBSD?

    >
    > Yes, but it only works for the Nokia firewall OS (called IPSO). The
    > checkpoint firewall won't run on stock standard FreeBSD.



  5. Re: checkpoint on freebsd

    Pet wrote:
    >Hi,
    >
    >As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    >is based on FreeBSD (if I'm correct), does that mean CP has a version
    >based on FreeBSD?


    No, CP is Linux based. Yes, while IPSO, the underlying OS on Nokia
    is based on FreeBSD it's deviated quite a bit. I tried developing
    some code awhile back and needed to use custom libs and the like.

    Maybe you could run CP as a Linux emulation, but I dumped all
    my CP firewalls (28 of 'em) for Juniper Netscreens the last year.
    Just waaay too many issues with CP, and terrible support. Nokia
    was better but it's still CP. And expensive.

    -alan

  6. Re: checkpoint on freebsd

    Alan Strassberg wrote:
    > Pet wrote:
    >> Hi,
    >>
    >> As checkpoint firewall can run on Nokia firewall OS, and Nokia firewall
    >> is based on FreeBSD (if I'm correct), does that mean CP has a version
    >> based on FreeBSD?

    >
    > No, CP is Linux based. Yes, while IPSO, the underlying OS on Nokia
    > is based on FreeBSD it's deviated quite a bit. I tried developing
    > some code awhile back and needed to use custom libs and the like.
    >
    > Maybe you could run CP as a Linux emulation,


    No, that won't work since part of the CP implementation uses a kernel
    loadable module.

  7. Re: checkpoint on freebsd

    >>>>> "Demuel" == Demuel I Bendano, EE writes:

    Demuel> Isn't the PF being part of the base system not enough? Why
    Demuel> do I have to pay big bucks for CheckPoint FW when I can
    Demuel> get a better yet free alternative to it?

    PF lacks many of the more advanced state tracking features found in
    Firewall-1, such as transparent proxy support for FTP and H.323
    through the firewall/NAT. It also includes a suite of management,
    logging, and reporting tools that are missing from the standard PF
    distribution. Of course, third-party tools like Firewall Builder help
    with PF policy management, and you can cobble together your own
    reporting and centralized logging given sufficient time and
    motivation.

    PF is nice and all, but it can really get in the way of getting stuff
    done. For example, last I checked, you cannot set up an FTP server
    behind a PF NAT/firewall. The FTP server must run on the firewall
    itself, unless a suitable user-space proxy now exists that lets one
    NAT incoming FTP control and data connections to an FTP server behind
    the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
    and SIP support are another support problem. (There's a SIP proxy,
    but it doesn't work transparently.)

    Best wishes,
    Matthew

    --
    Every time Bruce Schneier smiles, an amateur cryptographer dies.
    (http://geekz.co.uk/schneierfacts/fact/55)
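
The post above says an FTP server behind NAT needs a proxy that handles both control and data connections; the reason is that the server's passive-mode reply carries its private address and data port inside the control channel. The sketch below is an added example, not part of any post in this thread and not code from PF, ftp-proxy or Firewall-1; the addresses, function names and the privileged-port rule are assumptions made for illustration.

```python
import re

# Constructed addresses: FTP server behind the NAT, and the NAT's public address.
INTERNAL_IP = "192.168.1.10"
EXTERNAL_IP = "203.0.113.5"

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 extended passive reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


def check_port(port):
    # Hardening choice of this example: never open a pinhole to a
    # privileged port, whatever the server announces.
    if not 1024 <= port <= 65535:
        raise ValueError("refusing data port %d" % port)
    return port


def rewrite_server_reply(line, internal_ip=INTERNAL_IP, external_ip=EXTERNAL_IP):
    """Return (reply_to_forward, data_port_to_redirect_or_None)."""
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("malformed 227 reply")
        announced = ".".join(map(str, nums[:4]))
        if announced != internal_ip:
            # Only the protected server may be named as the data endpoint.
            raise ValueError("227 reply names unexpected host " + announced)
        port = check_port(nums[4] * 256 + nums[5])
        public = external_ip.replace(".", ",")
        reply = "227 Entering Passive Mode (%s,%d,%d)" % (public, port >> 8, port & 0xFF)
        return reply, port
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries no address, so there is nothing to rewrite, but the
        # data port still has to be forwarded to the server.
        return line, check_port(int(m.group(1)))
    return line, None
```

A plain static NAT mapping forwards the 227 reply untouched, so the outside client is told to connect to the private address; that is the gap the application-aware proxy closes.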

  8. Re: checkpoint on freebsd

    Matthew X. Economou wrote:
    >>>>>> "Demuel" == Demuel I Bendano, EE writes:

    >
    > Demuel> Isn't the PF being part of the base system not enough? Why
    > Demuel> do I have to pay big bucks for CheckPoint FW when I can
    > Demuel> get a better yet free alternative to it?
    >
    > PF lacks many of the more advanced state tracking features found in
    > Firewall-1, such as transparent proxy support for FTP and H.323
    > through the firewall/NAT. It also includes a suite of management,
    > logging, and reporting tools that are missing from the standard PF
    > distribution. Of course, third-party tools like Firewall Builder help
    > with PF policy management, and you can cobble together your own
    > reporting and centralized logging given sufficient time and
    > motivation.
    >
    > PF is nice and all, but it can really get in the way of getting stuff
    > done. For example, last I checked, you cannot set up an FTP server
    > behind a PF NAT/firewall. The FTP server must run on the firewall
    > itself, unless a suitable user-space proxy now exists that lets one
    > NAT incoming FTP control and data connections to an FTP server behind
    > the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
    > and SIP support are another support problem. (There's a SIP proxy,
    > but it doesn't work transparently.)
    >
    > Best wishes,
    > Matthew
    >

    I'm going to drop PF but keep its CARP.

  9. Re: checkpoint on freebsd


    Matthew X. Economou wrote:
    > >>>>> "Demuel" == Demuel I Bendano, EE writes:

    >
    > Demuel> Isn't the PF being part of the base system not enough? Why
    > Demuel> do I have to pay big bucks for CheckPoint FW when I can
    > Demuel> get a better yet free alternative to it?
    >
    > PF lacks many of the more advanced state tracking features found in
    > Firewall-1, such as transparent proxy support for FTP and H.323
    > through the firewall/NAT. It also includes a suite of management,
    > logging, and reporting tools that are missing from the standard PF
    > distribution. Of course, third-party tools like Firewall Builder help
    > with PF policy management, and you can cobble together your own
    > reporting and centralized logging given sufficient time and
    > motivation.
    >
    > PF is nice and all, but it can really get in the way of getting stuff
    > done. For example, last I checked, you cannot set up an FTP server
    > behind a PF NAT/firewall. The FTP server must run on the firewall
    > itself, unless a suitable user-space proxy now exists that lets one
    > NAT incoming FTP control and data connections to an FTP server behind
    > the NAT (neither Frox nor ftp-proxy seemed capable of this). H.323
    > and SIP support are another support problem. (There's a SIP proxy,
    > but it doesn't work transparently.)
    >
    > Best wishes,
    > Matthew
    >
    > --
    > Every time Bruce Schneier smiles, an amateur cryptographer dies.
    > (http://geekz.co.uk/schneierfacts/fact/55)


    Do you mean something like one to one IP mapping that already exists?

    I set this up some time ago using IP aliasing on my WAN NIC.


  10. Re: checkpoint on freebsd

    >>>>> "Brent" == Brent Bolin writes:

    Brent> Do you mean something like one to one IP mapping that already
    Brent> exists?

    Brent> I set this up some time ago using IP aliasing on my WAN
    Brent> NIC.

    To what in my post were you referring? If it was about H.323 or SIP
    through NAT, yes, one-to-one static NAT mappings may work *if* the
    H.323 or SIP client is NAT-aware. This isn't always the case,
    especially with legacy codecs.

    Best wishes,
    Matthew

    --
    Every time Bruce Schneier smiles, an amateur cryptographer dies.
    (http://geekz.co.uk/schneierfacts/fact/55)

  11. Re: checkpoint on freebsd

    >>>>> "Pet" == Pet Farrari writes:

    Pet> I'm going to drop PF but keep its CARP.

    CARP and pfsync are very cool. One of these days, I'll set up a
    second firewall so I can play with hot fail-over in PF.

    Best wishes,
    Matthew

    --
    Every time Bruce Schneier smiles, an amateur cryptographer dies.
    (http://geekz.co.uk/schneierfacts/fact/55)
