
Linux Firewalls/Routers - 3rd Round
Following what mulix and Dani wrote about iptables, I want to re-raise
a subject that was already discussed here, but without clear
conclusions: Linux firewalls/routers.

The "star" in the "first round" was Smoothwall, which is probably the
most professional among these products. However, it is based on
ipchains, which is - following what mulix and Dani said - a "no-go"
for most of us (but please read Moshe Bar's warning below).

I didn't join that discussion, so I started a "second round" later, but
with no clear results either. So let's try to have clear conclusions
this time:

Recently, some Linux router distros were established, based on 2.4 (i.e.
with iptables), and some older ones (e.g. floppyfw) were ported from 2.2
to 2.4. The problem is that, unlike 2.2, where there was a clear winner,
it is harder to judge here, as each solution has its own drawbacks: one
is still in beta, another is commercial, a third is buggy, etc.

The following list contains only 2.4.* based Linux routers (i.e.
Smoothwall is excluded). General-purpose distros, even after hardening,
were excluded too, and only "dedicated" solutions were included.

Not all of them support the classic architecture: a bootable CDR/CDROM
(big enough to contain a "normal" OS, unlike a floppy) that is loaded
into a ramdisk, with its configuration ("/etc") mounted from a
write-protected floppy (write-enabled only when re-configuring it), and
an optional "/var" mounted from an optional hard disk. With such an
architecture, even if a hacker breaks in, there is nothing to damage
(except maybe the logs), and a reboot resets everything.
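As an added illustration (not part of the original post or of any of the listed products), a small POSIX shell check that a router really runs the layout just described: root on a ramdisk, "/etc" mounted read-only from the floppy, and no writable disk other than the optional "/var". The mount tables it is run on are constructed samples in /proc/mounts format, not captured from a real machine.

```shell
#!/bin/sh
# Added example: verify the "CD into ramdisk + write-protected /etc floppy
# + optional /var disk" layout from a table in /proc/mounts format
# (device mountpoint fstype options dump pass). Prints each violation and
# returns 0 only when every rule holds.
verify_layout() {
    table=$1
    rc=0
    # Rule 1: the root filesystem lives in RAM, not on a disk.
    root_fs=$(printf '%s\n' "$table" | awk '$2 == "/" { fs = $3 } END { print fs }')
    case "$root_fs" in
        tmpfs|ramfs|rootfs) ;;
        *) echo "root is on '$root_fs', expected a ramdisk"; rc=1 ;;
    esac
    # Rule 2: /etc is a separate mount (the floppy) and is read-only.
    etc_opts=$(printf '%s\n' "$table" | awk '$2 == "/etc" { print $4 }')
    if [ -z "$etc_opts" ]; then
        echo "/etc is not a separate (floppy) mount"; rc=1
    else
        case ",$etc_opts," in
            *,ro,*) ;;
            *) echo "/etc is writable ($etc_opts)"; rc=1 ;;
        esac
    fi
    # Rule 3: the only writable block device may be the optional /var, so
    # an intruder has nowhere persistent to touch except the logs.
    bad=$(printf '%s\n' "$table" | awk '
        $1 ~ /^\/dev\// && $2 != "/var" && index("," $4 ",", ",rw,") { print $2 }')
    for mp in $bad; do
        echo "writable disk mount outside /var: $mp"; rc=1
    done
    return $rc
}

# Constructed sample tables (not captured from a real router).
GOOD_TABLE='rootfs / rootfs rw 0 0
/dev/fd0 /etc ext2 ro,sync 0 0
/dev/hda1 /var ext2 rw 0 0'
BAD_TABLE='/dev/hda1 / ext2 rw 0 0
/dev/fd0 /etc ext2 rw,sync 0 0
/dev/hda2 /home ext2 rw 0 0'

verify_layout "$GOOD_TABLE" && echo "GOOD_TABLE: layout OK"
verify_layout "$BAD_TABLE" || echo "BAD_TABLE: layout violated"
```

On a live box the same function is run as `verify_layout "$(cat /proc/mounts)"`.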

Not all of them provide a rules GUI or a friendly script, but since it
is possible to run a GUI on another machine (for example, Firewall
Builder - http://www.fwbuilder.org ) and copy only the resulting rules
to the router, this feature is not a "must".

So please share your opinion/experience about the following:

Devil-Linux             http://www.devil-linux.org
Astaro Security Linux   http://www.astaro.org
Sentry Firewall         http://www.sentryfirewall.com
Shorewall               http://shorewall.sourceforge.net
Gibraltar               http://www.vianova.at/products/gibraltar
floppyfw-1.9.11         http://www.zelow.no/floppyfw
Start Up Linux          http://startuplinux.com

(I've tried none of them)

Just a last word of warning: Our friend Moshe Bar wrote to me on
September 1:

> Don't use iptables. Go with 2.2.19 and ipchains. Iptables has a 
> security exploit which I and many others can use to enter your 
> network.

After being amazed by this warning, I asked for more details, and he
responded:

> It might have been fixed since, but last time I talked with Linus about
> it (around 25th of September, I believe) he was very much aware of this
> problem and in fact he said that at home he is still using 2.2.19 for
> firewalling. 
>
> Every kernel hacker, as far as I can tell, was aware of the problem.
> But, again, it might have been fixed since.

-- 
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il