UCFW: Mini-Distros for FW (and SNAT - masquerading the DMZ)
- To: linux ILUG <linux-il(at-nospam)linux.org.il>
- Subject: UCFW: Mini-Distros for FW (and SNAT - masquerading the DMZ)
- From: Eli Marmor <marmor(at-nospam)netmask.it>
- Date: Sun, 09 Sep 2001 13:56:22 +0200
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Organization: Netmask (El-Mar) Internet Technologies
- References: <Pine.GSU.4.30_heb2.09.0109091236430.10668-100000@actcom.co.il>
- Sender: root(at-nospam)main.aquanet.co.il
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hi again,
Let me introduce a subject for discussion that interests many people on
one hand, and that (I believe) some others have experience in.
Since mulix's lecture, there have been several threads about the issue
of firewalls, and various firewalls were mentioned (e.g. Smoothwall).
The question: What mini-distribution would you prefer in general, and as
a firewall in particular?
Opinions based on experience are the best. The only thing I can
contribute is my own thoughts: I believe that all of the 2.4 distros are
superior (thanks to iptables/stateful inspection). In addition,
distros which come on a bootable (read-only) CD (or ZIP/floppy), and
whose whole configuration (/etc) resides on media that can be made
write-protected under usual usage, look more suitable for this task (if
you want logging, you will still need writable media, but this can be
a mounted device or a networked one, so that even after it is written
to, no damage is caused to the configuration or the core system).
A GUI is not necessarily an issue, since one can run the GUI and build
the configuration files on one computer (e.g. with X etc.), and install
the resulting rules on the target machine.
I found some distros on freshmeat, such as devil-linux, that meet all
the requirements. It is even possible to build your own mini-distro
(Joel Isaacson lectured about it), but it may waste more time.
Can anybody contribute more details from his experience or knowledge?
A side question is the issue of SNAT: it is possible to masquerade not
only the internal LAN, but also the DMZ (the external servers). What do
you think about it? Is it more secure? I guess it makes it easier to
change the IPs that the ISP allocates in the future, and maybe easier
for load balancing. But it probably has its own overhead and drawbacks.
Well, enough for first time...
--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020
Fax.: +972-9-766-1314
Mobile: +972-50-23-7338
8 Yad-Harutzim St.
P.O.B. 7004
Kfar-Saba 44641, Israel
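The SNAT question raised in the post, as an added example that is not part of the original message or of any distribution named in it: an iptables ruleset that masquerades both the internal LAN and the DMZ behind the firewall's one public address, publishes a DMZ web server with DNAT, and keeps the FORWARD chain stateful. Interface names (eth0/eth1/eth2), the addresses (203.0.113.10 from the documentation range, 192.168.1.0/24 and 10.0.0.0/24 as private segments) and the DRY_RUN generator are assumptions made for illustration. Generating the rules on a workstation and reviewing the printed output before loading it on the firewall fits the read-only-configuration approach described above.

```shell
#!/bin/sh
# Added example (not from the original post): build the NAT and FORWARD
# rules for a firewall whose LAN and DMZ are both masqueraded (SNAT).
# All interface names and addresses below are assumed values.

EXT_IF="${EXT_IF:-eth0}"                 # assumed: interface towards the ISP
LAN_IF="${LAN_IF:-eth1}"                 # assumed: internal LAN interface
DMZ_IF="${DMZ_IF:-eth2}"                 # assumed: DMZ interface
EXT_IP="${EXT_IP:-203.0.113.10}"         # assumed public address (documentation range)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed private LAN segment
DMZ_NET="${DMZ_NET:-10.0.0.0/24}"        # assumed private DMZ segment
DMZ_WEB="${DMZ_WEB:-10.0.0.80}"          # assumed DMZ host to publish on port 80

# With DRY_RUN=1 (the default) every rule is printed instead of loaded, so
# the set can be reviewed or diffed against the last known-good version
# before it is installed on the firewall.
IPT() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

snat_rules() {
    # Both private segments leave through EXT_IF with the public address.
    # Changing the ISP-allocated address means changing EXT_IP only.
    IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
    IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j SNAT --to-source "$EXT_IP"
}

dnat_rules() {
    # The cost of masquerading the DMZ: every published service needs an
    # explicit inbound mapping, and each connection occupies a conntrack entry.
    IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
}

forward_rules() {
    # Default deny; replies to accepted connections are tracked statefully.
    IPT -P FORWARD DROP
    IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections anywhere (including the DMZ).
    IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # DMZ hosts may reach the Internet but never initiate towards the LAN.
    IPT -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # From outside, only the DNAT-published service is reachable.
    IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

ruleset() {
    snat_rules
    dnat_rules
    forward_rules
}

# Sanity check before loading: how many generated rules match a pattern.
count_rules() {
    ruleset | grep -c -- "$1"
}

if [ "${1:-}" = "print" ]; then
    ruleset
fi
```

Run it as `sh fw.sh print` to review the generated rules; set `DRY_RUN=0` only on the firewall itself, where the iptables binary is present. Note that the DMZ-to-LAN direction is intentionally absent from the FORWARD chain: a compromised DMZ host gains nothing from the NAT arrangement because the state table only admits replies to connections the LAN opened.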