Re: Linux Firewall
- To: linux ILUG <linux-il(at-nospam)linux.org.il>
- Subject: Re: Linux Firewall
- From: Eli Marmor <marmor(at-nospam)netmask.it>
- Date: Sun, 16 Sep 2001 23:23:09 +0200
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Organization: Netmask (El-Mar) Internet Technologies
- References: <Pine.LNX.4.33L2.0109162143070.16820-100000@canada1.technion.ac.il>
- Sender: root(at-nospam)main.aquanet.co.il
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Tzafrir Cohen wrote:
> On Sun, 16 Sep 2001, Eli Marmor wrote:
> > 1. Standard Distros, after being hardened (i.e. RH/Mdk) vs. dedicated
> > FW distros (LRP/Coyote/Devil/floppyfw/smoothwall) vs. another
> > solution (?); What would you prefer?
>
> BTW: speaking of standard distros, I saw this week in freshmeat aXon linux
> http://www.axonlinux.org/ (warning: version pre-1.0, and site loaded with
> hype and poor on documentation)
Looks cool...
However, while it may be a perfect replacement for a home residential
gateway or a SOHO Internet appliance, it can't replace a business FW.
In a business, you would want to divide the jobs of that server between
3 separate machines: One as the office server (SAMBA/FAX/etc.), one as
an external server (DMZ) (WEB/DNS/etc.), and one as a minimalistic
router/firewall. I'm afraid that there is a danger in putting jobs like
Samba and e-mail (and even a Swiss cheese like IMP!!!) in the router/FW
machine.
> Some of those scripts try to go beyond a simple script, and become a more
> complete system (e.g: what http://seawall.sourceforge.net/ is trying to
> present itself as).
No iptables support (2.2-based...).
> Is there any such "script" that looks like a relatively complete system?
From my little "research", I got to the following conclusion:
Instead of taking an (easily breakable) complex distro and using
advanced tools to configure FW, you should take the most minimalistic
distro you can (but with 2.4 kernel). As to ease of configuration - you
should not worry; tools like Firewall-Builder can be run from other
machines, and only their generated output should be taken and copied to
the target machine, so the target can be really minimalistic, and you
don't need X/GNOME/etc., although the tool you use requires it.
> > 3. NAT (Network Address Translation, or IP Masquerading) is usually used
> > to hide clients (DNAT) and not DMZ/servers (SNAT). Would you use SNAT
> > too? IMHO, its advantages are the ease of replacing ISP and/or IPs /
> > classes, as well as the option to divide different services of the
> > same host (FTP/http/etc.) between different physical machines, and its
> > disadvantage is more overhead (?). As to security, I don't have any
> > idea if SNAT adds any security, since the servers remain accessible
> > from outside (under control, of course...).
>
> Depends what sort of access. If you only forward, say, ports 80 and 25 of
> some server then most of its ports are not accessible from the outside
> world, and a remote attacker won't be in a position to exploit the latest
> proftpd hole.
>
> This is before even adding a single packet-filtering rule on the server
> itself.
So - what is your recommendation?
And does SNAT add any overhead?
Thanks,
--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020
Fax.: +972-9-766-1314
Mobile: +972-50-23-7338
8 Yad-Harutzim St., P.O.B. 7004, Kfar-Saba 44641, Israel
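Added example, not part of the thread: a small POSIX shell generator in the spirit of the Firewall-Builder approach discussed above (rules produced on another machine, only the output copied to the minimalistic 2.4-kernel firewall), emitting the iptables DNAT/FORWARD rules that expose only ports 80 and 25 of a DMZ server, as in Tzafrir's reply. Interface names and addresses are assumed and constructed.

```shell
#!/bin/sh
# Generate an iptables ruleset on an admin box; copy the printed output to
# the firewall. Forwards only the listed TCP ports to the DMZ server and
# drops every other forwarded packet. Names/addresses below are assumed.
EXT_IF="eth0"              # assumed external interface
DMZ_IF="eth1"              # assumed DMZ interface
DMZ_HOST="192.168.10.2"    # constructed DMZ server address
PUBLIC_IP="203.0.113.10"   # constructed public address (documentation range)

# gen_rules PORT... -> prints iptables commands for the given TCP ports
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in "$@"; do
        # DNAT the public address to the DMZ host for this port only
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $DMZ_HOST:$port"
        # and let exactly that forwarded traffic through the FORWARD chain
        echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# count_exposed RULESET -> number of inbound ports the ruleset forwards;
# a quick sanity check before the output is copied to the firewall
count_exposed() {
    printf '%s\n' "$1" | grep -c -- '-j DNAT'
}

RULES=$(gen_rules 80 25)
printf '%s\n' "$RULES"
```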