From the FWTK on-line documentation (at

For you curious folks, here is some combined FWTK history posted to the list by Marcus J. Ranum and Frederick Avolio.

TIS, under a broader ARPA contract, developed the FWTK, and made it freely available under license on October 1, 1993. TIS has retained the commercial rights to the FWTK. The FWTK was, and is, freely available in source code form (as was TIS’s custom) for the research community. The FWTK has been retrieved by over 50,000 individuals on 6 continents. (We will issue a press release when we land Antarctica or a space station. If anyone *is* using this in space or in Antarctica, please let us know.)

Brian Reid and a couple of folks at DEC had a corporate gateway, called Paul Vixie took over operating it and was providing services to a growing list of folks inside the company – they’d telnet in and FTP out, or whatever. I worked in one of DEC’s sales support units, for Fred Avolio, and we had an Internet connection (9600 baud!!) via an aging MicroVAXII and Fred told me to clean it up some and “make it look like what Paul has in gatekeeper.” I think I have Fred’s original napkin drawing in my archives someplace. I keep meaning to look for it so I can frame it for him. 🙂

Gatekeeper in those days was what we’d now call a gateway host and there was a screening router built on another MicroVAX running an early Mogul screend. So I built something like that. But I didn’t want to give people accounts on it, so one Xmas break I wrote an FTP proxy in a fit of hacking. And it worked pretty well. So instead of giving out accounts like Paul did, I started giving people access via proxies. That worked real well.

Then one of our sales guys, in a fit of enthusiasm, sold “a firewall like decuac” to a REALLY huge customer and I wound up cloning the system onto a couple of DECstations and that was, I believe, the first commercial Internet firewall. Then I had to write the documentation for the bloody thing, and so it needed a name, so we stole “SEAL” which the guys in Palo Alto had been talking about for a firewall product but what the heck, we’d already sold something. 🙂 The next best bet for the name was “PIG” for “Packaged Internet Gateway” but that, as it were, didn’t fly. From that one customer, once the documentation had been written, sales took over and we got a little busy with firewalls from then on. 🙂

Fred went to TIS and Marcus was looking to leave DEC and [was going to go to a big place that recently IPO’d and would have made him a millionaire but he didn’t go there] he interviewed at TIS and got a job there instead. 🙂 And fate had it that about a month afterwards, ARPA called up and asked “do you guys know anything about these firewalls things?” and it turned out that the White House was going online and so proposals happened and then funding happened and so we were officially researching Internet firewalls and part of that effort included setting up and part of that effort included writing tools for which evolved into a chance to sit down and rethink firewalls and maybe write a better one…

I [Marcus Ranum] wrote all the code for the bloody thing, and all of the documentation, up until almost a year later when we hired Peter Churchyard who brought us the http proxy and Wei Xu who wrote the X proxy. While they were doing that, I kitted the whole thing up on an Intel box and that was the GauntletV1.0. Pete and Wei and Char and Dave subsequently took over the hard work of actually making things work, and I became a useless suit at that point, yakking on the phone all day and generally being a pain in the neck. 🙂 Though I no longer work at TIS, I am still a pain in the neck. 🙂

Our purposes for releasing the FWTK were:

We think all would agree that we achieved our goals.


We delivered the FWTK v1.0 to DARPA (by putting it on TIS’ FTP site and telling them) on October 1, 1993 and Marcus installed it for a customer — DunsNet — the next day. This is why it took him a while to announce it on the firewalls mailing list. Marcus announced it on the firewalls mailing list October 21. As early as v1.0, the firewall toolkit had “application intelligence,” also known as “application awareness,” and “deep packet inspection.” We just weren’t marketing guys.