Checkpoint VPN-1/FW1 and FreeBSD's IPSec Integration
By Neil Camara
This guide will walk you through setting up a FreeBSD machine and a Debian machine in a
site-to-site VPN through IPSec. This document is not for the faint of heart.


Below is my hypothetical network which we will use throughout the document.


                      192.168.0.122   192.168.0.115
                           /                 \
            CPfw-1        /                   \     IPfilter
         on Debian 2.2   /                     \ on FreeBSD 4.5
0.12              +--+  /                       \  +--+         0.100
 +--+             |  | /         /-----\         \ |  |         +--+
 |  |          0.1|  |/       ///       \\\       \|  |0.1      |  |
 +--+         +---+  +-------+   internet  +-------+  +---+     +--+
---+--        |   |  |        \\\       ///        |  |   |    ---+--
   +--------+ |   +--+           \-----/           +--+   | +-----+
            | |                                           | |
           ++-+--+                                     +--+-++
           +-----+                                     +-----+

       172.17.x.x/16                                 172.16.x.x/16

   CPfw-1 Protected Net                             IPF Protected Net

Mission 
   
  Our goal here is to set up two different firewalls and let them talk to each other using a standard encryption
  protocol, IPSec. We also need to implement a policy so that CPFW-1's protected
  network (172.17.0.0/16) will be able to establish communication with IPF's protected network (172.16.0.0/16).
   
   
Let's Get Started
   
Here are the things you need for your own test lab.
   
   1.) I used 2 Intel machines for the 2 firewalls
   2.) Each of those 2 machines is equipped with 256MB RAM
   3.) 4 pcs. network interface cards (I used 3c905x on Debian and Intel Pro on FreeBSD)
   4.) 6 pcs. straight UTP cables and 2 hubs (you can use cross-over cables to minimize the number of hubs)
   5.) And another 2 workstations that you will use for your testing (those 2 will be in the protected networks)
   
   
Building your FreeBSD machine

You can grab an ISO from ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/4.5 and burn that ISO image
to a CD. Burning of ISO images is beyond the scope of this document. Or you can just buy the FreeBSD software
from http://www.freebsdmall.com/
Once you've installed your FreeBSD boxen, I highly recommend rebuilding the kernel and updating your ports
collection. Rebuilding the kernel allows you to explicitly specify only the hardware that exists on your machine.
You ask, what does that mean? It means we will be freeing up resources that aren't needed.


Here is how you will rebuild your kernel. You must be root! You must also have an internet connection.
1. Update your /usr/src. This is done by editing /usr/share/examples/cvsup/stable-supfile and using this file with cvsup.
   Normally, you would only edit the CHANGE_THIS string. I always use cvsup14.freebsd.org.
   
   ---snipped from stable-supfile---
   *default host=CHANGE_THIS.FreeBSD.org

   mine is *default host=cvsup14.FreeBSD.org
   
   Now, start the cvsup
   # cvsup -g -L2 /usr/share/examples/cvsup/stable-supfile
   
   You will see a lot of scrolling text. Don't worry, it's normal. It means that you were able to successfully
   log in to the cvs server and it started retrieving files. If not, yell at your firewall admin and tell him to
   open up port 5999/tcp.
   
2. create your own KERNEL file. An example is GENERIC which you can find in /usr/src/sys/i386/conf directory.
   I created one and named it as TUNED.

   Note: The ident attribute inside TUNED file should correspond to the filename used.

3. Now it's time to rebuild your kernel. You can find my other document on rebuilding the kernel on this link.
  It's kinda old but still applicable.
 
4. I also recommend that you upgrade your /stand/sysinstall after the mergemaster command given on the link
   in step 3. Refer to http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, item 19.4.12.
   
   NOTE: The file TUNED which I created contains IPSEC support.
   
   Just in case you don't want to take a look at that file, here is what you'll add on your kernel file:
   options IPSEC
   options IPSEC_ESP
   options IPSEC_DEBUG 
   
   
Building your Debian machine
   
Installation of Debian is straightforward. I downloaded the Debian ISO image from http://www.linuxiso.org; the
version is 2.2r5. I ran into one problem: Debian didn't detect my LAN cards.

I was really shocked because the LAN card that was not detected was a 3Com 3C905 TX.

So again, I had to rebuild my kernel to add support for that LAN card. It's actually my first time touching Debian.
Since Debian is also Linux anyway, I tried the old way of recompiling the kernel.
   
During the rebuild, I had some errors, like curses.h not being found, so I had to install libncurses. Also,
during the make, as86 was not found. as86 is included in the bin86 package, so install that one too.
To cut it short, the rebuilding of the kernel was successful.
   
Here is the procedure on how to recompile your Linux kernel.
   
   1.) downloaded linux-2.2.20.tar.gz from http://www.kernel.org and burned it to a CD
   2.) moved that file to /usr/src and untarred it: tar zxvf linux-2.2.20.tar.gz
   3.) cd /usr/src/linux; then make menuconfig. I started tweaking the kernel
   4.) make dep clean modules modules_install bzImage
   5.) copied arch/i386/boot/bzImage to /boot and modified lilo.conf
   6.) rebooted my machine
   
   Now, the two(2) 3c905 TX nics were detected. :-)
   
   
Network configuration of the 2 open source Unix OSes
   
In FreeBSD, the files that need to be edited are:
   1.) /etc/rc.conf
   2.) /etc/resolv.conf
   3.) /etc/hosts
   
   Here is my rc.conf file:
defaultrouter="192.168.0.254"
gateway_enable="YES"
hostname="ipsec.remingtonltd.com"
ifconfig_fxp0="inet 192.168.0.115  netmask 255.255.255.0"
ifconfig_fxp1="inet 172.16.0.1  netmask 255.255.0.0"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"


While in Debian, the files I edited are:

1.) /etc/hosts
2.) /etc/network/interfaces
3.) /etc/resolv.conf

Here is my /etc/network/interfaces file:

iface lo inet loopback
iface eth0 inet static
    address 192.168.0.122
    netmask 255.255.255.0
    broadcast 192.168.0.255
    network 192.168.0.0
    gateway 192.168.0.254

iface eth1 inet static
    address 172.17.0.1
    netmask 255.255.0.0
    broadcast 172.17.255.255
    network 172.17.0.0

After finishing the network configuration of the 2 OSes, I fired up ping and it was successful.


IPfilter firewall configuration on FreeBSD

IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services.
More information can be found at http://www.ipfilter.org/.

Going back to my /etc/rc.conf, you will notice that ipfilter_enable is set to "YES", so IPFilter starts on boot. Since we already
added IPFilter support to the kernel, we won't see any errors during bootup while IPFilter is being initialized.
This also means that our FreeBSD is ready to protect the internal network.

Since we will be using IPSec, you, as a firewall administrator, should know about the protocols and ports that IPSec needs
to successfully establish a site-to-site VPN.

Fortunately, I'm generous today. Here are the protocols and ports that need to be opened.

   1.) protocol 50, ESP Encap Security Payload for IPv6 [RFC1827]
   2.) protocol 51, AH Authentication Header for IPv6 [RFC1826]
   3.) UDP protocol 17 on port 500, IPSEC Internet Key Exchange [RFC2409]

You can find my /etc/ipf.rules here and my ipnat.rules here.


VPN Policy Configuration

Next, we have to create a policy. We will use the setkey tool, which allows us to manually manipulate the
IPSec SA/SP database. Refer to the manpage setkey(8).

The policy that you're going to create must include the remote's internal network. The policy will also include
the tunnel IP addresses, i.e. the external addresses of the two gateways.

Here is the script which I used to set up the security policies (the SAs themselves are negotiated by racoon, which
we install next). It is saved in /usr/local/etc/rc.d. The filename I used was 5tunnel.sh.

/usr/local/etc/rc.d/5tunnel.sh

#!/bin/sh
#
# Flush the security policy database (-FP) and the SA database (-F),
# then load the two tunnel policies: outbound from our LAN to the remote LAN
# through our gateway -> their gateway, and the mirror image inbound.
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd 172.16.0.0/16 172.17.0.0/16 any -P out ipsec esp/tunnel/192.168.0.115-192.168.0.122/require;
spdadd 172.17.0.0/16 172.16.0.0/16 any -P in ipsec esp/tunnel/192.168.0.122-192.168.0.115/require;
EOF


After you have created this script, you should set the execute bit so that it will run.

chmod +x 5tunnel.sh

Because it lives in /usr/local/etc/rc.d, this script will always be run automatically on bootup.
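As an added example (not part of the original article), here is a small Python checker that parses the two spdadd lines of a script like 5tunnel.sh and confirms that the in policy mirrors the out policy, that the tunnel endpoints are the two gateways' external addresses, and that the level is require. The function names and the "broken" sample policy are my own.

```python
import re

# One spdadd line of the form used in 5tunnel.sh: selector src/dst, upper-layer protocol,
# direction, and a single esp-or-ah tunnel request between two gateway addresses.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ul>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>esp|ah)/tunnel/(?P<tun_src>[\d.]+)-(?P<tun_dst>[\d.]+)/(?P<level>require|use|default)\s*;"
)

def parse_policies(text):
    """Return one dict per spdadd line; other lines (shebang, setkey calls, EOF) are ignored."""
    pols = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError("unparsed spdadd line: " + line)
        pols.append(m.groupdict())
    return pols

def check_tunnel_policies(text, local_gw, remote_gw):
    """Return a list of problems (empty means the two policies are consistent).

    Checks that the script defines exactly one out and one in policy, that the in
    policy mirrors the out policy (selectors and tunnel endpoints swapped), that the
    tunnel endpoints are the two gateways' external addresses, and that the level is
    'require' (with 'use', the kernel passes traffic in the clear while no SA exists).
    """
    pols = parse_policies(text)
    outs = [p for p in pols if p["dir"] == "out"]
    ins = [p for p in pols if p["dir"] == "in"]
    if len(outs) != 1 or len(ins) != 1:
        return ["expected one out and one in policy, got %d out / %d in" % (len(outs), len(ins))]
    o, i = outs[0], ins[0]
    problems = []
    if (o["src"], o["dst"]) != (i["dst"], i["src"]):
        problems.append("in policy selectors do not mirror the out policy")
    if (o["tun_src"], o["tun_dst"]) != (local_gw, remote_gw):
        problems.append("out tunnel must be local gateway -> remote gateway")
    if (i["tun_src"], i["tun_dst"]) != (remote_gw, local_gw):
        problems.append("in tunnel must be remote gateway -> local gateway")
    for p in (o, i):
        if p["level"] != "require":
            problems.append("%s policy level is '%s', not 'require'" % (p["dir"], p["level"]))
    return problems

# The two policies from 5tunnel.sh, as loaded on the FreeBSD gateway.
FREEBSD_POLICY = """\
spdadd 172.16.0.0/16 172.17.0.0/16 any -P out ipsec esp/tunnel/192.168.0.115-192.168.0.122/require;
spdadd 172.17.0.0/16 172.16.0.0/16 any -P in ipsec esp/tunnel/192.168.0.122-192.168.0.115/require;
"""

# Constructed faulty variant: the in policy has the tunnel endpoints the wrong way round
# and a level of 'use', so cleartext packets from the remote side would be accepted.
BROKEN_POLICY = """\
spdadd 172.16.0.0/16 172.17.0.0/16 any -P out ipsec esp/tunnel/192.168.0.115-192.168.0.122/require;
spdadd 172.17.0.0/16 172.16.0.0/16 any -P in ipsec esp/tunnel/192.168.0.115-192.168.0.122/use;
"""

if __name__ == "__main__":
    for name, text in (("5tunnel.sh", FREEBSD_POLICY), ("broken", BROKEN_POLICY)):
        print(name, check_tunnel_policies(text, "192.168.0.115", "192.168.0.122") or "OK")
```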


To learn more about IPSec, in (Free|Open|Net)BSD, visit http://www.x-itec.de/projects/tuts/ipsec-howto.txt


Installing Racoon

Now, we need a way to negotiate the IPsec keys on the FreeBSD GW. The script
we created cannot handle this. Luckily, racoon is included in the FreeBSD Ports Collection and can be installed
from the ports.

To install racoon:
	cd /usr/ports/security/racoon && make install

This will install the racoon daemon and also create the directory /usr/local/etc/racoon.

Next thing we'll do is to modify racoon.conf in /usr/local/etc/racoon directory. Below is the working copy
for my test lab.


/usr/local/etc/racoon/racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# A "path" directive must appear before anything that uses it.
# You can redefine a path later, but don't, because it is confusing.
path include "/usr/local/etc/racoon" ;

# This file contains the remote firewall ip address and the pre-shared key
# The permissions of this file should be 600 or racoon will complain and might not run.
# chmod 600 /usr/local/etc/racoon/psk.txt
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
# I turned this on so that I will be able to figure out what's happening.
# Enable it until everything is ok.
log debug;

# "padding" defines some parameters of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # randomize the padding length.
        strict_check off;       # strictly check the padding.
        exclusive_tail off;     # extract the last octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Default values for the various timers.
timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum number of send attempts.
        interval 20 sec;        # maximum interval between resends.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode aggressive,main;
        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 10 min;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

Firing up racoon

You can create your own script so that racoon will be executed automatically on bootup.

Here is the content of /usr/local/etc/rc.d/6racoon.sh

#!/bin/sh
# Start the IKE daemon with our configuration; -l sends its log to the file we inspect below.
/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

Don't forget to set execute bit on 6racoon.sh file.

Check that racoon is running by listing the processes.

# ps ax |grep racoon
221  ??  Is     0:01.04 /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

Meanwhile, my /var/log/racoon.log contained:
2002-03-22 23:43:09: INFO: main.c:167:main(): @(#)package version 20011215a
2002-03-22 23:43:09: INFO: main.c:169:main(): @(#)internal version 20001216 sakane@kame.net
2002-03-22 23:43:09: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6a 5 Apr 2001 (http://www.openssl.org/)
2002-03-22 23:43:09: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp1024)
2002-03-22 23:43:09: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp1024)
2002-03-22 23:43:09: DEBUG: pfkey.c:2240:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-03-22 23:43:09: DEBUG: pfkey.c:2240:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-03-22 23:43:09: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2002-03-22 23:43:09: DEBUG: pfkey.c:2240:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2002-03-22 23:43:09: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2002-03-22 23:43:09: DEBUG: grabmyaddr.c:205:grab_myaddrs(): my interface: 192.168.0.115 (fxp0)
2002-03-22 23:43:09: DEBUG: grabmyaddr.c:205:grab_myaddrs(): my interface: 172.16.0.1 (fxp1)
2002-03-22 23:43:09: DEBUG: grabmyaddr.c:205:grab_myaddrs(): my interface: 127.0.0.1 (lo0)
2002-03-22 23:43:09: DEBUG: grabmyaddr.c:472:autoconf_myaddrsport(): configuring default isakmp port.
2002-03-22 23:43:09: DEBUG: grabmyaddr.c:494:autoconf_myaddrsport(): 3 addrs are configured successfully
2002-03-22 23:43:09: INFO: isakmp.c:1357:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2002-03-22 23:43:09: INFO: isakmp.c:1357:isakmp_open(): 172.16.0.1[500] used as isakmp port (fd=7)
2002-03-22 23:43:09: INFO: isakmp.c:1357:isakmp_open(): 192.168.0.115[500] used as isakmp port (fd=8)
2002-03-22 23:43:09: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-03-22 23:43:09: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
2002-03-22 23:43:09: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff954: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=out
2002-03-22 23:43:09: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a3c08: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=in

This means that you have properly configured your racoon.


Installation of Checkpoint on Debian

Here is a very quick but working set of steps for installing Checkpoint 4.1.2 3DES on a Debian system.
Credits go to Christian Mock. I would also like to thank Robert Waldner for sharing
his ideas.

Needed packages:
- alien (for the rpm's)
- csh (for FW1s scripts)
- tcsh (ditto)
- libstdc++2.9-glibc2.1

TIP: make a _huge_ /opt, it installs there

Install FW1 with:
 `alien -i CPfw*rpm`

Now add to /etc/profile:
.-.-.-.-.
FWDIR=/etc/fw
PATH=$PATH:$FWDIR/bin
export FWDIR
.-.-.-.-.

Add "/etc/fw/bin" to /etc/login.defs and /root/.profile.

Perform these steps:
# echo "#!/bin/sh"> /etc/rc.d/rc.local
# chmod 755 /etc/rc.d/rc.local
# mkdir -p /etc/rc.d/rc2.d
# ln -s /etc/rc.d/init.d/fw1boot /etc/init.d
# ln -s /etc/rc.d/rc.local /etc/init.d/fw1
# update-rc.d fw1boot start 41 S . start 36 0 6 .
# update-rc.d fw1 defaults
# touch /boot/System.map
# ln -s /usr/bin/tcsh /bin

When cpconfig asks "want to start automatically from /etc/rc.d/rc.local", answer "yes".


Checkpoint FW-1 configuration

We're finished configuring FreeBSD+IPFilter+IPsec. Checkpoint 4.1.2 is also installed.
We will start by creating a workstation object for the FreeBSD gateway.

To recall our hypothetical network, below is the information needed to continue on with
the configuration of Checkpoint.

FreeBSD-external = 192.168.0.115/255.255.255.0
       -internal = 172.16.0.0/255.255.0.0

Debian-CP-external = 192.168.0.122/255.255.255.0
       -internal = 172.17.0.0/255.255.0.0

To create objects, you can use the icon on the toolbar or the menu bar.

Step 1: Create a workstation object for FreeBSD firewall

Figure 1. freebsd workstation object

Step 2: Create a network object for the network that is being protected by FreeBSD.
This network object will be placed inside BSD-encdomain group later.

Figure 2. freebsd protected lan network.


Step 3: Create a group and name it as BSD-encdomain. This group will contain
the network object freebsd-lan.

Figure 3: Group Properties of BSD-encdomain


Step 4: Now, we need to modify the VPN tab of freebsd workstation object.
Select Other then select BSD-encdomain. Make sure IKE is checked.

Figure 4: VPN tab of freebsd workstation object.


Step 5: Edit the IKE properties. Make sure that "Supports Aggressive Mode" and "Supports Subnets" are checked.
Don't forget to check 3DES, MD5 and Pre-shared Secret, since these are the algorithms and authentication method that we
enabled on FreeBSD in racoon.conf.

Figure 5: IKE Properties


We're finished creating the objects related to FreeBSD. Now we're going to modify/create other objects of Checkpoint.


Step 6: You can modify your firewall object. Mine looks like this.

Figure 6: Workstation Properties of debian (the Firewall Gateway)


Step 7: Create a network object of the network that is being protected by your Firewall-1 firewall.
Normally, when you use the wizard, this is also created automatically for you.

Figure 7: Network properties of localnet


Step 8: Create a group and name it as FW1-encdomain. This group will contain
the network object localnet.

Figure 8: Group Properties of FW1-encdomain


Step 9: Now, we need to modify the VPN tab of the "debian" workstation object.
Select Other, then select BSD-encdomain. Make sure IKE is checked.

Figure 9: Workstation properties of debian workstation object.


Step 10: Edit the IKE properties. Make sure that "Supports Aggressive Mode" and "Supports Subnets" are checked.
Don't forget to check 3DES, MD5 and Pre-shared Secret, since these are the algorithms and authentication method that we
enabled on FreeBSD in racoon.conf.

Figure 10: IKE Properties of debian workstation object


Step 11: Click on Edit Secrets. This is where you will configure the pre-shared key, which can be any string.
For our test lab, I just used the string "secret". This must match the psk.txt file on FreeBSD.


After setting the pre-shared secret in the Firewall-1 Network Object definition, place this
secret in /usr/local/etc/racoon/psk.txt on FreeBSD GW. The format for psk.txt is: 


192.168.0.122	secret

Don't forget to chmod 600 this file.

We're done with the creation of objects but we're not yet finished. :-)


Firewall-1 VPN Rule Configuration

Now, we need to create a rule so that the packets coming from FreeBSD protected net will be encrypted and 
likewise on the Firewall-1 side.



Explanation
1. Rule 2 will accept IPsec communication between debian CPFW-1 and FreeBSD IPFilter.
2. Rule 3 will encrypt communication between FW-1 protected net and IPfilter protected net.
3. Rule 4 - I included this rule so that it will be easier for readers to see where to place the 2 rules above.


So you think we're done? I think not; there is one more :-).

I've never seen this on Checkpoint PDF file(s). It was not documented.
Fortunately, I saw it on page 340, item 10.8 of "Essential Checkpoint Firewall-1 by Dameon D. Welch-Abernathy".
That guy is phoneboy :-) Great job dude!!!



NAT is applied before a packet is encrypted, or after it is decrypted.

NOTE: Assuming we don't have this rule, if you try connecting from behind the Checkpoint FW-1 to
the 172.16.0.0 network, your packet will be rewritten by NAT before it is encrypted. In this case, establishing a
connection to 172.16.0.0 will fail.

If you think you have done everything, install the new Policy.


Captured logs from Checkpoint Log Viewer

This was taken from the logs of Checkpoint Firewall-1.

Workstation 172.16.0.100 initiated a webmin session (port 10000) to 172.17.0.12.
The same workstation sent a ping request to 172.17.0.12.




TCPDUMP logs

Workstation 172.16.0.100 established a connection to 172.17.0.12 via webmin (port 10000)

Here are my tcpdump parameters:
# tcpdump dst port 10000 or src port 10000 or esp

22:15:06.170286 192.168.0.115 > 192.168.0.122: ESP(spi=0xf915f925,seq=0x1c)
22:15:06.170296 172.16.0.100.1100 > 172.17.0.12.10000: S 831974464:831974464(0) win 32120  (DF)
22:15:06.171151 172.16.0.100.1100 > 172.17.0.12.10000: S 831974464:831974464(0) win 32120  (DF)
22:15:06.171387 172.17.0.12.10000 > 172.16.0.100.1100: S 1773788391:1773788391(0) ack 831974465 win 32120  (DF)
22:15:06.172531 192.168.0.122 > 192.168.0.115: ESP(spi=0x009fc4f7,seq=0x3d)
22:15:06.172715 172.17.0.12.10000 > 172.16.0.100.1100: S 1773788391:1773788391(0) ack 831974465 win 32120  (DF)
22:15:06.172912 192.168.0.115 > 192.168.0.122: ESP(spi=0xf915f925,seq=0x1d)
22:15:06.172919 172.16.0.100.1100 > 172.17.0.12.10000: . ack 1 win 32120 <nop,nop,timestamp 88537361 27795895> (DF)
22:15:06.173479 172.16.0.100.1100 > 172.17.0.12.10000: . ack 1 win 32120 <nop,nop,timestamp 88537361 27795895> (DF)


Tailing racoon logs

Here is a snippet from /var/log/racoon.log

2002-03-21 19:48:00: DEBUG: oakley.c:389:oakley_compute_keymat(): KEYMAT computed.
2002-03-21 19:48:00: DEBUG: isakmp_quick.c:647:quick_i2send(): call pk_sendupdate
2002-03-21 19:48:00: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-03-21 19:48:00: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_md5)
2002-03-21 19:48:00: DEBUG: pfkey.c:971:pk_sendupdate(): call pfkey_send_update
2002-03-21 19:48:00: DEBUG: isakmp_quick.c:652:quick_i2send(): pfkey update sent.
2002-03-21 19:48:00: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-03-21 19:48:00: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_md5)
2002-03-21 19:48:00: DEBUG: pfkey.c:1212:pk_sendadd(): call pfkey_send_add
2002-03-21 19:48:00: DEBUG: isakmp_quick.c:659:quick_i2send(): pfkey add sent.
2002-03-21 19:48:00: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey UPDATE message
2002-03-21 19:48:00: DEBUG: pfkey.c:1100:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 192.168.0.122->192.168.0.115 spi=184590122(0xb009f2a)
2002-03-21 19:48:00: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.0.122->192.168.0.115 spi=184590122(0xb009f2a)
2002-03-21 19:48:00: DEBUG: pfkey.c:1145:pk_recvupdate(): ===
2002-03-21 19:48:00: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey ADD message
2002-03-21 19:48:00: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.0.115->192.168.0.122 spi=1363518081(0x5145a281)
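As an added example (not from the original article), the following Python script ties the two kinds of output above together: it reads the "IPsec-SA established" lines from racoon.log, then checks every ESP packet in a tcpdump capture against those SAs, so an SPI racoon never negotiated, or a known SPI travelling in the wrong direction, stands out. The racoon lines are the two from the log above; the tcpdump lines are constructed for the example, and the function names are my own.

```python
import re

# racoon "IPsec-SA established" lines, format as in /var/log/racoon.log above, e.g.
#   INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.0.122->192.168.0.115 spi=184590122(0xb009f2a)
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>ESP|AH)/(?P<mode>Tunnel|Transport) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<dec>\d+)\(0x(?P<hex>[0-9a-f]+)\)"
)
# tcpdump ESP summary lines, e.g.
#   22:15:06.170286 192.168.0.115 > 192.168.0.122: ESP(spi=0xf915f925,seq=0x1c)
ESP_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x[0-9a-f]+\)"
)

def established_sas(racoon_log):
    """Return {(src, dst, spi): proto} for every SA racoon reports as established.

    Raises ValueError if the decimal and hex SPI in a line disagree, which is
    a sign of a corrupted or badly re-wrapped log line.
    """
    sas = {}
    for line in racoon_log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        spi = int(m["hex"], 16)
        if spi != int(m["dec"]):
            raise ValueError("SPI mismatch in line: " + line)
        sas[(m["src"], m["dst"], spi)] = m["proto"]
    return sas

def unexpected_esp(tcpdump_out, sas):
    """Return (src, dst, spi) for each ESP packet that matches no established SA.

    An SA is unidirectional, so a known SPI seen in the wrong direction is also
    reported.  Non-ESP lines (the cleartext inner TCP segments) are skipped.
    """
    bad = []
    for line in tcpdump_out.splitlines():
        m = ESP_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["spi"], 16))
        if key not in sas:
            bad.append(key)
    return bad

# The two SA lines from the racoon log above (the surrounding DEBUG lines are omitted).
RACOON_LOG = """\
2002-03-21 19:48:00: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.0.122->192.168.0.115 spi=184590122(0xb009f2a)
2002-03-21 19:48:00: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.0.115->192.168.0.122 spi=1363518081(0x5145a281)
"""

# Constructed tcpdump output (not the article's capture): two packets that match the SAs
# above, one known SPI travelling in the wrong direction, and one SPI racoon never set up.
TCPDUMP_OUT = """\
22:15:06.170286 192.168.0.115 > 192.168.0.122: ESP(spi=0x5145a281,seq=0x1c)
22:15:06.170296 172.16.0.100.1100 > 172.17.0.12.10000: S 831974464:831974464(0) win 32120  (DF)
22:15:06.172531 192.168.0.122 > 192.168.0.115: ESP(spi=0x0b009f2a,seq=0x3d)
22:15:06.172912 192.168.0.115 > 192.168.0.122: ESP(spi=0x0b009f2a,seq=0x1d)
22:15:07.000000 192.168.0.122 > 192.168.0.115: ESP(spi=0xdeadbeef,seq=0x01)
"""

def run_check():
    """Cross-check the constructed capture against the SAs racoon established."""
    return unexpected_esp(TCPDUMP_OUT, established_sas(RACOON_LOG))

if __name__ == "__main__":
    for src, dst, spi in run_check():
        print("ESP %s -> %s spi=0x%08x matches no SA racoon established" % (src, dst, spi))
```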


   Links that helped me
   
   FreeBSD Handbook: IPSEC
   http://www.freebsd.org/handbook/ipsec.html
   
   IPSEC Tunnel
   http://www.freebsddiary.org/ipsec-tunnel.php
   
   VPN Information on the World Wide Web
   http://vpn.shmoo.com/
   
   FreeBSD IPSEC mini-HOWTO
   http://www.x-itec.de/projects/tuts/ipsec-howto.txt
   
   FreeBSD mini-IPSEC HOWTO
   http://www.daemonnews.org/200101/ipsec-howto.html
   
   KAME Project
   http://www.kame.net/
 

About me
Neil Camara is a Network Security Engineer in Illinois. He's got more than 6 years of experience in Information Technology.
Currently, he's working for a consulting company in Schaumburg, Illinois. He provides open source solutions such as setting
up an antispam server (Postfix), a network intrusion detection system (Snort) and firewall solutions (IPFilter, Netfilter).
He's not only focused on open source applications but also on commercial ones. On the commercial side, he provides
firewall solutions such as Checkpoint, PIX and Nokia.


At home, he's got a lab and plays with openbsd, freebsd, linux, solaris(sparc & intel) and windows (98/2000).


Created: March 23, 2002 12:52AM
This copy of this information is hosted by AERAsec