Firewall Wizards mailing list archives

Differences between firewall-packages like FW-1 and packetfilter


From: Andreas Pretzsch <andreas () pretzsch de>
Date: Sun, 07 May 2000 02:00:38 -0000 (GMT)

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks !

I looked at some firewall packages like FW-1 and I just don't see THE
big difference from a packet filter like the one in Linux 2.2/2.3 combined
with some GUI and some logfile parser.
Taking a closer look at the packet filter in later Linux 2.3.x (or, to be
more precise, at the interface to it, iptables), I have the feeling this
packet filter includes everything you could do with IP packets and the
typical protocols based on it. The same applies to the protocol-level filters
available.
For me this raises two questions:

What advantages could I get from buying a tool like FW-1 instead of
using a glued-together solution based on iptables, a GUI and a few
reporting scripts?

Is there anything FW-1 (or other packages like Gauntlet) could do for
me that the above solution can't?

Let me make one restriction: I'm only talking about small and simple
firewalls, not the huge thing AltaVista might need ...

My typical scenario:
A small network with a few Win boxes in it, perhaps a few Unices
too. They should be connected to the Internet, mostly with masquerading,
over a Linux box, which is often running a mail server (qmail) too.
In some cases there are a few more things on the Linux box, like an Apache
or a Squid.
None of these networks needs really high-level protection, as they belong
to a small local bicycle seller or so.

A less typical scenario:
There is a DMZ with static IPs, routing a few systems (mostly NT boxes
with proprietary software on them) to the net. Everything else is like
scenario 1.

Of course I'm using two physically different networks when possible,
but what could a commercial firewall package do for me that I can't do
by hand? I mean, beside the task of gluing things together?


BTW, I looked at some scripts for building packet filters and at
some predefined rule sets, but every script I looked at kills one
packet or another, defeating this or that attack, but none is
complete, or even near to complete.
Isn't there something that does the right thing (tm) for a typical
scenario? Why use a commercial package if I have to do it by hand
even with such a product?


Excuse my far-from-perfect English, and thanks in advance!


- ---

Bye, Andreas Pretzsch                     email: andreas () pretzsch de

PGP fingerprint = 5C 98 05 A1 15 0A E5 72  4D 49 CA 2A EC CA 14 07


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv

iQCVAwUBORTOQiuLvwB3+S55AQFy0gP/WS4lamC4yutfsNNvbyC7WddnwnkRV0yS
upKfXSu2KUwlwYvI2dMWcHKY8pZZAANkOAU1Mb/EKHrbGE2onJR4+mQXQimieMW9
sV0mAzLq2MmgMo79figv8lgWpdgdQofZZyOLDaUboSFnC721nGpciPpHB6IXlcok
cVY9qOxBuF8=
=ixDW
-----END PGP SIGNATURE-----
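Editor's added example, not part of the original post and not taken from FW-1, Gauntlet or any iptables distribution: a baseline stateful ruleset for the "typical scenario" above (a Linux box masquerading a small LAN to the Internet, running qmail, optionally Apache and Squid), written as a shell function that emits iptables-restore(8) format so the rules can be reviewed before they are loaded. The interface names (eth0 on the WAN side, eth1 on the LAN side), the LAN prefix 192.168.1.0/24, and the port list (25 for qmail, 80 for Apache, 3128 for Squid, 22 for ssh) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): stateful iptables
# ruleset for a small masquerading Linux gateway. Assumptions: WAN interface,
# LAN interface and LAN prefix are passed in; services listen on the usual
# ports. Emits iptables-restore(8) input instead of calling iptables directly,
# so it runs unprivileged and the policy can be read before it is applied:
#   sh fw.sh eth0 eth1 192.168.1.0/24 | iptables-restore
gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only LAN sources leaving via the WAN interface
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections the box itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: LAN addresses must never arrive on the WAN side
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# Drop new TCP connections that do not start with SYN (stray/crafted segments)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Services on the gateway: mail and web from anywhere, proxy and ssh LAN only
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Forwarding: the LAN may open connections outward, the Internet may only reply
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# Rate-limited logging of everything that falls through, for the log parser
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Print the ruleset when run as a script with all three arguments
if [ "$#" -eq 3 ]; then
    gen_ruleset "$@"
fi
```

Default-deny policies on INPUT and FORWARD, the anti-spoofing rules, and the ESTABLISHED,RELATED matches are what make this a stateful filter rather than a list of "kill this packet" rules; the DMZ scenario from the post would add a third interface and one FORWARD rule per published service, with the same default-deny policy. Loading it requires a kernel with netfilter connection tracking (2.3.x/2.4) and root; generating it does not.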
