Re: Linux Firewall
- To: Eli Marmor <marmor(at-nospam)netmask.it>
- Subject: Re: Linux Firewall
- From: Tzafrir Cohen <tzafrir(at-nospam)technion.ac.il>
- Date: Sun, 16 Sep 2001 22:30:47 +0300 (IDT)
- Cc: linux ILUG <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <3BA4E3F1.2F63AF77@netmask.it>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Please allow me to add something here
On Sun, 16 Sep 2001, Eli Marmor wrote:
> Hi,
>
> I already asked this question a few days ago, but - no answer, probably
> due to a too long and unclear question:
>
> I want to hear what is your experience and/or knowledge with Linux
> firewalls:
>
> 1. Standard Distros, after being hardened (i.e. RH/Mdk) vs. dedicated
> FW distros (LRP/Coyote/Devil/floppyfw/smoothwall) vs. another
> solution (?); What would you prefer?
BTW: speaking of standard distros, I saw this week in freshmeat aXon linux
http://www.axonlinux.org/ (warning: version pre-1.0, and site loaded with
hype and poor on documentation)
Regarding "hardening" of a standard distro:
There are many "firewall" scripts. Many of them are simply
ipchains/iptables scripts, but there are some that "compile" a config file
to ipchains/iptables scripts or similar.
Some of those scripts try to go beyond a simple script and become a more
complete system (e.g.: what http://seawall.sourceforge.net/ is trying to
present itself as).
Is there any such "script" that looks like a relatively complete system?
>
> 2. In case you prefer "dedicated" FW distros, which is the best?
> (LRP/Coyote/Devil/floppyfw/smoothwall/etc.)
> Is it true that 2.4 support is important (for iptables)?
> (If it's true, then only Devil-Linux and maybe one other are relevant)
> What is the best way to distribute the I/O between the disks?
> (IMHO, the best is to use a bootable CDR, with /etc mounted from a
> write-protected floppy that is enabled for writing only when needed to
> be re-configured, and possibly a /var on HD or networked-syslog; Do
> you share my opinion? )
Note that no mechanism of "auto updates" can work here. Updating the
software is a relatively long process. This is probably not relevant for
you specifically.
>
> 3. NAT (Network Address Translation, or IP Masquerading) is usually used
> to hide clients (DNAT) and not DMZ/servers (SNAT). Would you use SNAT
> too? IMHO, its advantages are the ease of replacing ISP and/or IPs /
> classes, as well as the option to divide different services of the
> same host (FTP/http/etc.) between different physical machines, and its
> disadvantage is more overhead (?). As to security, I don't have any
> idea if SNAT adds any security, since the servers remain accessible
> from outside (under control, of course...).
Depends what sort of access. If you only forward, say, ports 80 and 25 of
some server, then most of its ports are not accessible from the outside
world, and a remote attacker won't be in a position to exploit the latest
proftpd hole.
This is before even adding a single packet-filtering rule on the server
itself.
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
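Worked example, added by the editor and not part of Tzafrir's or Eli's mail: an iptables ruleset for exactly the case described above, where only TCP ports 80 and 25 of an internal server are forwarded (DNAT) and every other packet for that server hits a DROP policy on the firewall before it ever reaches the server. The interface names (eth0 outside, eth1 inside) and the two addresses used in the usage line are assumptions for illustration only. Setting IPTABLES=echo prints the rules instead of applying them, so the ruleset can be reviewed without root or a 2.4 kernel at hand.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed topology (hypothetical): eth0 faces the Internet and carries the
# public address, eth1 faces the LAN where the server lives.
# IPTABLES=echo turns the whole thing into a dry run that just prints rules.

# Usage: fw_forward_rules <public_ip> <server_ip>
fw_forward_rules() {
    public_ip="$1"
    server_ip="$2"
    ipt="${IPTABLES:-iptables}"

    # Default deny on the FORWARD chain: nothing crosses the firewall
    # unless a rule below explicitly allows it.
    "$ipt" -P FORWARD DROP
    "$ipt" -F FORWARD
    "$ipt" -t nat -F PREROUTING

    # Only the two published services are translated to the internal
    # server. The FORWARD rule sees the post-DNAT destination, so it is
    # matched on the server's private address, not the public one.
    for port in 80 25; do
        "$ipt" -t nat -A PREROUTING -i eth0 -p tcp -d "$public_ip" \
            --dport "$port" -j DNAT --to-destination "$server_ip:$port"
        "$ipt" -A FORWARD -i eth0 -o eth1 -p tcp -d "$server_ip" \
            --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    done

    # Replies from the server (and the rest of any established flow) may
    # leave again. Nothing else from the LAN is forwarded out.
    "$ipt" -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED \
        -j ACCEPT

    # Anything else arriving on eth0 for the server, e.g. an FTP control
    # connection to port 21, is never DNATed and never forwarded: it simply
    # falls through to the DROP policy set at the top.
}

# When run as a script (rather than sourced) with two arguments, apply
# or print the rules. Forwarding itself must also be enabled with
# "echo 1 > /proc/sys/net/ipv4/ip_forward", which is left out of the dry run.
if [ $# -eq 2 ]; then
    fw_forward_rules "$1" "$2"
fi
```

Run it as "IPTABLES=echo sh fw.sh 203.0.113.10 192.168.1.10" to see the generated rules, then without IPTABLES set, as root, to apply them. Because the policy is set to DROP before any ACCEPT rule is added, a typo in one of the ACCEPT rules fails closed rather than open, which is the property you want on a box you only rarely reconfigure from a write-protected floppy.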