IPTABLES vs IPCHAINS ????

Jeff Wiegley, Ph.D. jeff@ntcor.com
Wed, 09 May 2001 21:28:02 -0700


Probably got hordes of responses by now...

I have been firewalling my office with ipchains
and iptables for the last year. (And we get *lots*
of intrusion attempts. Won't go into why but we
get a dozen or so port scans per day and we deny
connection attempts at a rate of about 3 per second.)

We finally upgraded to iptables four weeks ago.

iptables *IS* ***WAY*** better than ipchains. And I
believe it is more than ready to be used in a
production server. The state matching abilities of
iptables alone make it worth using instead of
ipchains.

With state matching you can simply do two rules to
get a convenient yet pretty secure firewall...
rule 1) allow all outgoing traffic in the FORWARD rule
rule 2) allow ESTABLISHED and RELATED traffic coming in
        on the FORWARD rule.

And voilà, you have a very effective firewall.

And I didn't even go into the SNAT or DNAT abilities
or the packet mangling stuff which I think holds
tons of promises for lots of other projects.

iptables is easier to learn than ipchains I think.
iptables seems to do things in a more correct or
intuitive fashion.  (such as routed packets go
only through the FORWARD chain and not through all
three INPUT, OUTPUT and FORWARD chains as they did
in ipchains.)

And here's my take on CheckPoint...

It's a fine product.
Its GUI is excellent and allows for easy understanding and
   management of complex rulesets.
Its ability to manage multiple CheckPoint enabled firewalls
   in a corporate network is a big plus as well.
However, it's *really* expensive stuff... Like $10,000.00
  for an unlimited license.
Licensing is a total nightmare. Don't ever plan on
  changing your external interface IP and be prepared
  to deal with scores of licenses. I bought two IP650
  firewalls and had to deal with about 24 licenses.
  They license everything from the software, support,
  chassis to the network cards. I think they would
  license the paint on the box if they could.
CheckPoint's documentation is lame as well. Plan to take
  their training if you intend to do anything well with their
  firewall.
It doesn't seem to do state matching as well as iptables
  does. (Or at least I can't get it to work.)

  Any help here?? For instance... If I let all traffic
  go out of my network the CheckPoint won't let
  traceroute responses back in. iptables has no problem.

I think iptables will quickly grow to do more than
Checkpoint can and do it better.

fwbuilder is a GUI for iptables that looks promising but
I can't use it because it crashes all over the place on
me. (Like whatever my second click is... bam.)

I intend to develop and write a multi-firewall
management package for Linux.  (ooops, cat out of
the bag) I just hope the fwbuilder guys get the
kinks out so that I don't have to write a gui for
it as well. (I'm not real good with gui building.)
I'd also like to see the XML used by fwbuilder
cleaned up and formally defined so that validating
parsers could be used with it as well.

Anyhow... the summary is: don't bother with ipchains.
iptables is solid and much better in many ways.
CheckPoint is expensive and a bit of a setup hassle.

- Jeff
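The two-rule stateful FORWARD policy Jeff describes above, written out as an added example (not code from the post) in iptables-restore form so the ruleset can be reviewed before it is loaded. Interface names eth0/eth1 and the extra INPUT rules that keep the firewall host itself reachable are assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the post): the two-rule stateful FORWARD policy as an
# iptables-restore ruleset. Interface names are assumptions; adjust to your box.
EXT_IF="${EXT_IF:-eth0}"   # interface facing the Internet
INT_IF="${INT_IF:-eth1}"   # interface facing the office LAN

# Print the ruleset. Default policy is DROP, so only the ACCEPT rules below let
# anything through; "-m state" is the connection-tracking match the post relies on.
stateful_forward_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (assumed) keep the firewall host itself reachable for replies and loopback
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# rule 1: anything from the LAN may go out
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
# rule 2: from outside, only replies to existing connections come back in.
# RELATED also matches ICMP errors tied to a tracked flow, which is what lets
# traceroute's TTL-exceeded replies return through the firewall.
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Review check that needs no root: fail if any rule accepts traffic arriving on
# the external interface without a state qualifier (an unconditional hole).
check_no_unconditional_inbound() {
  stateful_forward_ruleset | grep -- "-i $EXT_IF" | grep -v -- '--state' | grep -q ACCEPT && return 1
  return 0
}

# Load atomically (needs root): replaces the whole filter table in one step.
apply_ruleset() {
  stateful_forward_ruleset | iptables-restore
}
```

Run `stateful_forward_ruleset` to inspect the rules and `check_no_unconditional_inbound` as a pre-load sanity check; `apply_ruleset` is the only function that touches the kernel.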

Skip Name wrote:
> 
> To all,
> 
> I am new to linux firewalls. I am looking for some
> suggestions as to which one should I look to learn and
> setup. Also, I've read on some articles that IPTABLES
> is much better than IPCHAINS but some of these
> articles also state that IPTABLES would not yet be
> recommended for production site. Can some of you
> please comment on this for me. I would like to know
> what are the problems and issues of IPTABLES that it
> would not be ready for a production environment. And,
> how about IPCHAINS is it the type of F/W that would be
> capable for a production environment as compared to
> other commercial products like checkpoint???
> 
> I am trying to stay away from dealing with a
> checkpoint product as it requires licensing and its
> heavy cost. Any suggestions and information would be
> grateful!!!
> 
> Thanks,
> tiger
> 