Gibraltar Firewall 2.6

Gibraltar is a Debian GNU/Linux-based firewall package which is bootable directly from CD-ROM, so hard disk installation is not necessary. The configuration data is optionally stored on a hard disk, floppy disk, or an USB storage device.

Gibraltar was developed specifically for small-sized to medium-enterprises and fulfils all demands on an up-to-date firewall package.

Gibraltar has evolved from a pure firewall to a powerful and reliable Universal Threat Management application.

The Gibraltar Firewall monitors all incoming and outgoing network connections and controls the entire network traffic. For this purpose, all incoming data packets are analyzed in respect to several different criteria. Depending on the firewall policies, data will alternatively be forwarded, rejected and/or logged. Firewall rules (policies) can easily be built depending on service, source and destination port, source and destination address, interface, protocol or MAC address.

Important firewall rules against dangerous DoS attacks (Denial of Service) and DDoS attacks (Distributed Denial of Service), like TCP SYN flood or ICMP flood, are preconfigured and activated per default.

Stateful Packet Inspection

Gibraltar is able to identify the state of an internet connection at any time. This is very important, because there is a difference of data packets which are initiating a connection and data packets which are answer packets to a previously initiated connection. This main feature of Gibraltar, which increases the security and simplifies the configuration, is called Dynamic Packet Filter or Stateful Packet Inspection.

Application Level Filtering (Deep Packet Inspection)

Using several powerful proxy servers, Gibraltar is not only able to analyze the network traffic in respect of formal criteria, but also to inspect and decode the content of the transferred data (payload). The proxy servers are capable of examining the traffic on application level (e.g. like an e-mail client). For this reason it is possible to check the traffic of important internet services against viruses and other dangerous content.

Restriction of P2P services

Gibraltar is able to restrict or prohibit file sharing using P2P (Peer2Peer) software like eDonkey or similar services. This is even possible, if those services are using basically permitted protocols and ports (e.g. HTTP).

Address Translation (NAT)

Gibraltar is able to translate internal IP addresses into public IP addresses. This is possible for static IP addresses (NAT) as well as dynamic IP addresses (masquerade). Incoming connections can be redirected to different destinations, depending on source and destination port, source and destination port, service and protocol. So it is also possible to pass on all incoming web requests to several different web servers (load balancing).

Simple operation

Gibraltar can either be installed and configured with the easy to use web based configuration tool (SSL) or directly on the system console (SSH). In addition to the comprehensive online help several configuration scenarios are available for the firewall administrator.

Logging and Monitoring

Gibraltar logs all relevant system events automatically and each network connection by request. Over and above, many different graphical reports are available.

Gibraltar Firewall 2.6 major features:

• Web filtering based on dynamic content inspection in addition to the usual blacklist-based approach. The combination with classification techniques provided by Puresight allow the filter to deal with web pages not listed in the blacklists, and therefore offers wider coverage and less updates of URL databases.
• SSL-VPN, i.e. a HTTPS portal to Intranet services with the SSL Explorer community addition and some of its extensions.
• A captive portal based on Chillispot, e.g. for WLAN hotspots.
• An OpenVPN module in the web administration interface.
• A unified user management based on OpenLDAP and Freeradius. User authentication for the HTTP proxy, SMTP, IPSec user certificates, IPSec/L2TP, PPTP, OpenVPN, and the captive portal is now done via a single user database, either the internal or an external LDAP server or Microsoft Active Directory for better integration with heterogeneous environments.
• The traffic shaping module has been completely re-designed for more flexibility and to support complex shaping scenarios, including but not limited to Internet providers, centralized application service providers, and mixing VPN (IPSec) traffic with normal traffic (e.g. for VoIP connections). Pre-defined priority classes cover the usual must-be interactive traffic (e.g. DNS, ICMP, SYN- and purely ACK-packets, etc.) and low-priority traffic (based on TOS flags).
• Various additions to the integrated Spamassassin improve its detection ratio, e.g. the FuzzyOCR3 and PDF plugins for the respective types of Spam. A general Spamassassin update now also supports the automatic updating of its internal rules database.