Posted by: Anonymous Coward on March 14, 2005
I must take exception to your comment that iptables being a command-line tool makes SmoothWall Express a "not complete" firewall. This is just dead wrong and a misrepresentation of what constitutes a "complete" firewall. For the purposes of your article, we will for now assume that we're talking about "one box" between your trusted network and the Internet, though obviously there's more to it than that.

As a long-time firewall administrator for a large school district (my "customers", i.e. employees and students, number about 250,000), I should inform you that most firewalls that are actually good (e.g. Cisco PIX, OpenBSD pf) are in fact command-line based. Even the Windows-favoring Check Point, with its history of backdoors installed in the product, at times requires the command line, yes, even on Windows boxes. I have found iptables and netfilter, as well as the OpenBSD pf, to be about as full-featured as a PIX, one of several excellent firewall solutions out there. I would hardly call any firewall based on iptables "incomplete".

By your logic, only SonicWalls and other "home broadband" grade firewalls that use a Web browser for *everything* are "complete" firewalls. I guess this makes virtually every enterprise-grade firewall "not complete", eh? Gee, I wonder what you must think of routers, then... what type does your school use, and is it "complete" by this standard?

Now, that said, a "complete" firewall solution really is not a matter of "one box," be it a PIX, SonicWall, SmoothWall Express, or otherwise. It encompasses physical security, operational security, personnel security, and a host of other things. By *this* definition, which is the more correct one, all "one-box" firewall solutions are by themselves "not complete", but it's not because they use the command line for certain things.
