Re^8: How to implement a fourth protocol

It occurred to me that a real firewall isn't implemented in the O/S at all in the way you are talking about and that until now, unless I am wrong again, what we have been talking about is personal firewalls. It doesn't seem to me to be a good idea to run that type of firewall on anything larger scale to the extent that it would attract DOS attacks, but rather that the firewall should be implemented as separate hardware specialised enough to perform well at the right networking level.

I imagine that it could still read IP tables from a machine that does run application servers however.

-M

Free your mind

Comment on Re^8: How to implement a fourth protocol

Replies are listed 'Best First'.
OT: Re^9: How to implement a fourth protocol by tirwhan (Abbot) on Apr 02, 2007 at 14:02 UTC
Again, that's because you appear to not know firewalling and you should read up on the topic. All major UNIXes and derivatives (Solaris,Linux,the BSDs,OS X) implement the firewall as a kernel subsystem for the very reason of performance. You are correct that there are vendors which will sell you firewalls as specialized boxes which either run a derived version of said OSes or implement their own OS (more often than not far inferior, see Cisco OS for example). Except for the extreme high end these just contain PC hardware though, the main difference between them and a standard server designed for fast network performance and running a general-purpose OS is just the fancy box and the price-tag. The term "Personal Firewalls" is from the Windows world and indeed does refer to the toy firewalls implemented as Windows userland programs AFAIK. I believe though that even newer Windows versions implement their firewall at a kernel level (not sure, haven't touched that OS in years). I didn't think you were talking about running a firewall as a separate box, because in that scenario it is even more obvious that you should block the DOS at the entry point to your network. Otherwise you'd be letting the DOS traffic add load to your internal network traffic as well as the external connection. Also, a dedicated firewall (regardless whether consisting of so-called specialised hardware or a standard UNIX box) will most certainly be much more effective at blocking unwanted traffic than userland programs running on an application server. That's what it's there and designed for after all. I imagine that it could still read IP tables from a machine that does run application servers however. Hmm, don't understand this sentence, what do you mean by "IP tables"? Do you mean the Linux iptables firewall? Marked OT because these are firewall arcana, not Perl All dogma is stupid.	[reply] [d/l]
Re: OT: Re^9: How to implement a fourth protocol by Moron (Curate) on Apr 02, 2007 at 15:33 UTC
I think you are saying dedicated firewalls can and should (?) be implemented on unix boxes rather than on specialist networking hardware and I will look into that, thanks. re IP tables. I was vague because I have a number of ideas of where tables of IP addresses might have to be kept. The firewall can't (I imagine) detect the attack all on its own. So the application server has to keep records of activity against IP addresses and then tell the firewall (i.e. updating yet another table of IP addresses) to block some of them while maintaining others as "unresolved status" and others as formal client (probably more statuses than these to boot). For example, if a real (i.e. formal) customer has a DofS hacker in their midst, you might want to discuss it with them first rather than blocking the IP address and damaging business that might be worth more than a temporary performance hit while the issue is still being resolved. -M Free your mind	[reply]