SUMMARY: ip filter & screenlite

From: Martynas Buozis <>
Date: Thu Jan 16 2003 - 03:52:55 EST

Thanks to Alex Stade, Ahau K'in, Anders Nordby, Qv6, Ido, Tim Worth and 
Tony Urban for answers about IP filter and screenlite. Also thanks to 
Andrew, who suggested looking at - I will probably try to 
check this as well.

Here are the responses (with IP Filter winning 100%):

 > IP Filter is way easier to deal with than SunScreen. However,
 > SunScreen has a much more rich set of proxies. If you want a
 > full-fledged firewall, you may want SunScreen. If you just want to
 > block traffic to certain ports or whatever, IP Filter is for you.

 > For many years I've been using IPF on Suns and BSD x86 machines.
 > Overall  I've found it to be excellent, 100% reliable and not too
 > hard to configure when you get the hang of it... and if you're already
 > a happy unix admin then you'll have no trouble.

 > Sunscreen is a touch easier to configure and can operate in
 > full-failover mode, features that IPF doesn't have. But in every other
 > respect it sucks. It's used here in a production DMZ and has been the
 > most frequent point of failure -- even in failover mode-- we've had
 > for the last year and a half. We're replacing it any day now with a
 > decent solution. avoid avoid avoid.

 > MHO, with regards to ease of configuration, ipfilter beats Sunscreen
 > Lite handily, but you can configure Sunscreen from gui and cli. I do
 > not know of any gui frontend for ipfilter.
 > Although Sunscreen Lite is free, it is still a lite version. On the
 > other hand, ipfilter is completely free and has all the features you
 > need to protect any network or host.
 > If you're looking for simplicity and ease of management, I would
 > recommend ipfilter over SunScreen 3.1 lite.  While SunScreen 3.1 lite
 > is an excellent product, configuring it is not a simple task.  Hope
 > that helps.

 > SunScreen Lite is a crippled version of SunScreen, allows a limited
 > number of interfaces (2 routing), doesn't support stealth mode
 > (bridge), will only allow a limited number of NAT rules, doesn't
 > support any of the SunScreen proxy features and a few other items that
 > you probably won't need anyway.
 > What I like about SunScreen is that it uses a browser as the admin
 > interface and I find it fairly easy to configure and use. It is pretty
 > much like any stateful commercial firewall product. The documentation
 > on or in the (I believe) .pdf files that are included
 > with the SunScreenLite download. It also includes SKIP so you can
 > configure the machine to be admined remotely via a VPN if you so
 > choose.
 > IPFilter is a good product, easy to install and the NAT configuration
 > is straightforward, the firewall rules are not as straightforward
 > though. First it uses a last match wins method to select the rule to
 > use. What I mean is most firewalls (sunscreen for instance) will use
 > the first rule that matches based on source, destination, service etc.
 > IPFilter will note that it matched the rule but will continue to read
 > rules, if it matches another rule then that one gets cached and it
 > continues to read rules until finished or another match. That is the
 > default way it works, of course you can configure around this and most
 > do, you can have a "pass" rule that will mean if this rule matches do
 > it, you also have to tell it to do stateful connections as it is not
 > the default.
 > If you have time to learn the IPFilter product and are willing to read
 > the documentation (or take the SC-345 class) it is a good product and
 > while I think the learning curve is a little steeper than SunScreen
 > you will have a learning curve with both products. If you have used
 > other commercial firewall products like CheckPoint etc then SunScreen
 > will not be that hard to pick up.
 > I would probably use Solaris 9 and SunScreen 3.2 if possible. If you
 > know that SunScreen Lite has everything you need, (two interfaces for
 > the firewall is the primary and minimal NAT) and you have used a
 > Firewall product before, I would use it, I use it here at my home. I
 > would use SunScreen before IPFilter but I think once you understand
 > IPFilter it is a good product and is secure.
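The last reply describes IPFilter's rule evaluation: every rule is read, the last match decides, and a rule can be marked to end evaluation as soon as it matches (the ipf.conf keyword for that is `quick`). The toy model below is my own added illustration of that ordering, not IPFilter code or anything a respondent posted; it parses a small constructed subset of ipf.conf syntax (no interfaces, addresses or `keep state`) and assumes an unmatched packet passes, which is IPFilter's compiled-in default.

```python
import re
from collections import namedtuple

# Subset of ipf.conf syntax this model accepts (simplified, constructed):
#   <pass|block> <in|out> [quick] (all | proto <tcp|udp> [port = N])
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+"
    r"(?:all|proto\s+(?P<proto>tcp|udp)(?:\s+port\s*=\s*(?P<port>\d+))?)$")

Rule = namedtuple("Rule", "action direction quick proto port")

def matches(rule, pkt):
    """True when the rule's direction, protocol and port all fit the packet
    ('all' rules carry proto=None and port=None, so they match any packet)."""
    return (rule.direction == pkt["dir"]
            and (rule.proto is None or rule.proto == pkt["proto"])
            and (rule.port is None or rule.port == pkt["port"]))

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: %r" % line)
        rules.append(Rule(m["action"], m["dir"], bool(m["quick"]),
                          m["proto"], int(m["port"]) if m["port"] else None))
    return rules

def verdict(rules, pkt):
    """Walk the whole list: the LAST matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation there. An unmatched packet
    passes (IPFilter's default unless it was built to block by default)."""
    result = "pass"
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result

# Constructed sample ruleset illustrating both behaviours.
RULES = parse_rules("""
block in all                        # broad block, but not 'quick' ...
pass in proto tcp port = 22         # ... so this later match overrides it
block in quick proto tcp port = 23  # 'quick': stop here, ignore the rest
pass in proto tcp port = 23         # never consulted for port 23
""")
```

With this ruleset an inbound TCP/22 packet passes (the later, more specific pass overrides the broad block), TCP/23 is blocked by the `quick` rule before the trailing pass is ever read, and UDP/53 is blocked because only the first rule matches it.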

