
Re: [FW1] fwd is not running but everything works fine - why?




According to Lance Spitzner:
> 
> 
> On Tue, 12 Oct 1999, Ali, Mohammad wrote:
> 
> > The script moves the logfiles to oldlog files and restarts the "fwd"
> > daemon.  Yesterday, when the script ran, it failed to start the daemon.
> > The strange thing is, everything is working fine - all the traffic is
> > passing with xlation.  Could someone explain why - I thought fwd is the
> > process that is responsible for firewalling.
> 
> You have discovered one of the greatest misconceptions of FW-1.  The 
> firewall daemon fwd does not do any firewall filtering or address
> translation.  All of that is done by the kernel module. So, when you
> killed the fwd, inspection still happened.  This is one of the biggest
> things I stressed at SANS last week.

I don't wanna start a religious war about pros and cons of
miscellaneous firewall architectures here. In my experience, CP's
design in general works very well, and I suppose it is secure enough.
The kernel module handles the filtering in a fast and efficient way,
which outperforms every proxy-based application in user space. The 
entire control of the kernel module is done by the firewall daemon 'fwd'.

Imho the biggest weakness in FireWall-1 is caused by the buggy
software, sloppily written code, apparently a lack of quality 
management for software and written documentation, and poor support 
from CP partners.

Olaf
-- 
Olaf Selke, olaf.selke@mediaways.net, voice +49 5241 80-7069

