[6bone] Re: Commercial IPv6-ready firewall products?

Chuck Yerkes chuck+6bone@snew.com
Fri, 27 Sep 2002 08:37:38 -0700


Quoting Michel Py (michel@arneill-py.sacramento.ca.us):
> > David Carmean wrote:
> > W.R.T. the Juniper and Cisco ACL suggestions...
> > at the very least I will insist on a stateful packet
> > filter, if not stateful inspection.
> 
> I agree. Something like a reflexive access-list is a good beginning, but
> you can't really call something a firewall unless it has stateful
> inspection and goodies such as syn/ack detection.

I've just fought Checkpoint problems (true bugs, it 
seems) at a client; I've dealt with several "commercial"
firewalls that just aren't reliable and don't have the
tools to debug them well (sniffing both nets with tcpdump
does not count).

I'm just delighted to keep using IPFilter, as I have been since
1995.  It runs on my 12cm x 8cm x 2cm Soekris box (no fan, no
drive, faster than my net will be soon).  It doesn't have a
pretty GUI, but I've maintained for 10 years that if vi(1) is
too hard for you to use, then you shouldn't be running a
firewall.  TCP/IP{4,6} firewalling is complex.  A pretty GUI
doesn't make it less so.

It understands state, various flags.  Best: it runs on my SGI, Suns,
Open|Net|Free BSD boxes.

And it's better supported than many $$$$$$ tools.
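An added illustration, not part of the thread and not IPFilter's own code: a small Python model of the distinction the thread draws between "a good beginning" (opening the return path for anything that went out) and stateful inspection that only creates state for a genuine outbound connection request, the equivalent of IPFilter's "flags S keep state". The addresses, ports and packet sequence are constructed sample data, and the state table and teardown logic are deliberately simplified assumptions rather than a description of any real product.

```python
"""Toy stateful TCP filter: state is created only by an outbound pure SYN
(when require_syn is True), and inbound packets pass only if they match an
existing state entry. Constructed example; not IPFilter, Cisco or Juniper code."""
from dataclasses import dataclass

# TCP flag bits (values from the TCP header definition)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the protected net, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    def __init__(self, require_syn: bool = True):
        # require_syn=True: only an outbound SYN-without-ACK opens state
        # require_syn=False: any outbound packet opens state (assumed model of
        # a reflexive-style access list; an assumption, not a product spec)
        self.require_syn = require_syn
        # state keys are normalised to (inside_addr, inside_port, outside_addr, outside_port)
        self.state = set()

    def _key(self, pkt: Packet):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.state:
            if pkt.flags & (FIN | RST):
                self.state.discard(key)   # simplification: tear down on first FIN/RST
            return "pass"
        if pkt.direction == "out":
            # Parenthesised on purpose: '==' binds tighter than '&' in Python
            if not self.require_syn or (pkt.flags & (SYN | ACK)) == SYN:
                self.state.add(key)
                return "pass"
        # Inbound with no matching state, or outbound that may not open state
        return "block"


def run_scenario(require_syn: bool) -> list:
    """Feed a constructed packet sequence through the filter; returns the verdicts."""
    fw = StatefulFilter(require_syn)
    inside, web, other = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    packets = [
        Packet("in",  web,    80,    inside, 22,    SYN),        # unsolicited inbound SYN
        Packet("out", inside, 40000, web,    80,    SYN),        # inside host opens a connection
        Packet("in",  web,    80,    inside, 40000, SYN | ACK),  # legitimate SYN/ACK reply
        Packet("in",  web,    80,    inside, 40001, SYN | ACK),  # SYN/ACK for no known connection
        Packet("out", inside, 40002, other,  443,   ACK),        # outbound ACK with no handshake
        Packet("in",  other,  443,   inside, 40002, ACK),        # "return" traffic for that ACK
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("SYN-only state:", run_scenario(True))
    print("any-outbound state:", run_scenario(False))
```

The two runs differ only on the last two packets: the SYN-only filter refuses to open a return path for an outbound packet that never began a handshake, while the looser model reflects it and then admits the inbound "reply". That gap is the "syn/ack detection" the thread treats as the line between a packet filter and a firewall.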