Frequently Asked Questions
1. General parts
1.1. What is Open-Firewall?
Well, it is difficult to answer that. Open-Firewall is NOT a coffee machine. Open Firewall is not just a packet filter implementation or HowTo. It is not a GUI to make packet filter rules ... Open-Firewall is not just another proxy implementation (well, it is near that). Open-Firewall is a way to aggregate some good technologies to make a robust and fast, complete application-level firewall. It may possibly be an adaptive firewall.
To achieve this goal, we are going to centralize the important configuration in one file and generate OS-dependent and software-dependent configuration files from it, and we are going to implement a common proxy API for security purposes. Then, we will provide log analysis, IDS communication, and GUI administration.
1.2. Why yet another Free and Open Firewall?
Since I began my work on a French application-filtering firewall (something that looks like fwtk, the TIS Firewall ToolKit), I have been working to make this product the firewall leader in the industry market. Okay, that's not the reality today ... But I used to try ...
Today, the company decided to close the agency where I am working.
Well, I must continue my project of making something good, efficient, and useful, but not alone. So, I decided to make this Open Firewall.
I know there are some, but I think they are not well designed, or they do not have enough functionality for me, or they address only one part of the real problem (only packet filtering, only application gateways ...). For me, I want to write a Complete and Secure Firewall, based on Common Criteria standards, and to provide a very secure, easy-to-use and easy-to-configure low-cost solution for all companies that need Internet Security.
1.3. So you plan to redevelop an entire secured system?
Are you mad? In fact, I plan to integrate as many stable things as possible, and develop the pieces of software that are missing. For example, I do not want to develop an HMI (human-machine interface) system and get problems with portability. I will try to find the best windowing toolkit for my needs. Another example: I do not want to develop a Packet Filter, when some are very good. But I need to integrate and abstract the features to make a product that is clean and easy to use. No matter which packet filtering module I use, configuration management for this packet filter must be coherent with the proxy parts, and so on ...
1.4. How do I get started with Open Firewall?
Open-Firewall development started in 2004. For the moment, there are some binaries, with some features ... Nothing really runs, and nothing is running with the required quality for a firewalling system.
I am starting the needed guides for an administrator to run this open-firewall. This is a work in progress. It will soon be released as a draft version (an alpha draft version!!).
1.5. I am interested in your project, I would like to contribute
Thank you! A first version of the SDK is working. You should check out open-firewall-core and open-firewall-pluginsmodules for samples.
1.6. What license is Open-Firewall distributed under?
Open-Firewall source code is distributed under the OFPL 1.1 license, the Open Firewall 1.1 Public License. You should find information about it on the license page. The documentation is distributed under a specific license, taken from the license used for The Linux Documentation Project, http://www.tldp.org/.
1.7. Can Open Firewall be used in commercial products?
The vast majority of the source code used in Open Firewall does not have any restrictions on commercial use. However, a few small portions may be used commercially without the prior permission of the copyright holders. You should either obtain the proper permissions or compile without these pieces of code. See the LICENSE file distributed with Open Firewall for more information.
Note that Open-Firewall parts should be included in any software WITHOUT ANY WARRANTIES.
2.1. Why Open-Firewall on MS Platform?
Well, in fact, it was not primarily designed for Wind$ws OS. But APR is working on Wind.ws. So, why not OF? Technically speaking, there is just one (very important, yes) problem: it is not easy to reinject IP packets into the TCP/IP stack. As long as the DDK is not freely available, it is not possible for me to write such a driver. But you can have minimal support:
- using just a plugin, which will not provide any transparency/NAT
- or sniffing all packets and choosing to allow or deny them
You should take a look at: Developing Firewalls for W2K/XP, OpenSource Firewall for Windows (no reinject), TDI-Based Open Source Personal Firewall for NT4/2000