MicroFX
07-06-2002, 03:35 AM
Hi,
I am wondering if an ipchains/iptables based firewall that is installed in front of a network is as good as a netscreen or PIX firewall? Are they much less secure or are they just as good?
Thank You,
Matt
allan
07-06-2002, 09:31 AM
They can be just as good. There are two reasons hosts will opt for a netscreen/PIX/checkpoint firewall over an ipchains/tables-based firewall:
1. Better configuration and monitoring tools. By better, I mean GUI, so it is easier for the employees to monitor what is happening with the firewalls, and make rule set changes.
2. These are dedicated, single-purpose boxes, so they should, in theory, be more secure. A person running ipchains/tables on a Linux or *BSD box is running it on top of another operating system, so the firewall is subject to any exploits the OS is.
clocker1996
07-06-2002, 02:02 PM
They can be as good,
but the thing is, say, when it comes to DoS (denial of service) attacks, ipchains or iptables won't really help you.
I guess it all depends on how severe the attack is; in my experience, ipchains/iptables will do nothing when you're getting hit.
Only hardware firewalls can help.
apollo
07-06-2002, 02:52 PM
ipchains and iptables are good if you know how to use this powerful packet filtering software :)
There are many HowTos around the Internet on how to build and set up packet filter software on Unix/Linux boxes.