Linux Firewall
- To: linux ILUG <linux-il(at-nospam)linux.org.il>
- Subject: Linux Firewall
- From: Eli Marmor <marmor(at-nospam)netmask.it>
- Date: Sun, 16 Sep 2001 19:40:02 +0200
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Organization: Netmask (El-Mar) Internet Technologies
- Sender: root(at-nospam)main.aquanet.co.il
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hi,
I already asked this question a few days ago, but got no answer, probably
because the question was too long and unclear:
I want to hear about your experience and/or knowledge with Linux
firewalls:
1. Standard Distros, after being hardened (i.e. RH/Mdk) vs. dedicated
FW distros (LRP/Coyote/Devil/floppyfw/smoothwall) vs. another
solution (?); What would you prefer?
2. In case you prefer "dedicated" FW distros, which is the best?
(LRP/Coyote/Devil/floppyfw/smoothwall/etc.)
Is it true that 2.4 support is important (for iptables)?
(If it's true, then only Devil-Linux and maybe one other are relevant)
What is the best way to distribute the I/O between the disks?
(IMHO, the best is to use a bootable CDR, with /etc mounted from a
write-protected floppy that is enabled for writing only when needed to
be re-configured, and possibly a /var on HD or networked syslog; do
you share my opinion?)
3. NAT (Network Address Translation, or IP Masquerading) is usually used
to hide clients (DNAT) and not DMZ/servers (SNAT). Would you use SNAT
too? IMHO, its advantages are the ease of replacing ISP and/or IPs /
classes, as well as the option to divide different services of the
same host (FTP/http/etc.) between different physical machines, and its
disadvantage is more overhead (?). As to security, I don't have any
idea if SNAT adds any security, since the servers remain accessible
from outside (under control, of course...).
(In case you are curious what I'm going to do with it: a 4-legged router,
with external connections to FR and ADSL, and internal to LAN and DMZ; it
seems that 2.4 is a must for me, because of the "established" feature.)
Thanks for your opinions,
--
Eli Marmor
marmor@netmask.it
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020
Fax.: +972-9-766-1314
Mobile: +972-50-23-7338
8 Yad-Harutzim St., P.O.B. 7004, Kfar-Saba 44641, Israel
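The topology described in the post (a 4-legged router with FR and ADSL uplinks, a LAN and a DMZ), written out as a stateful iptables ruleset of the kind a 2.4 kernel makes possible. This is an added example, not code from the original post or from any of the distributions it names; interface names, the RFC 5737 documentation addresses standing in for the real public IPs, the private ranges, and the two DMZ hosts are all constructed assumptions. It shows the "established" feature the post refers to (one ESTABLISHED,RELATED rule instead of per-port reply rules), clients hidden behind each uplink with SNAT, and HTTP and FTP on the same public address steered to two different DMZ machines with DNAT, which is the service-splitting case raised in point 3. By default the script only prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): stateful iptables ruleset for a
# 4-legged router: FR and ADSL uplinks, one LAN, one DMZ.
# Interfaces and addresses are constructed assumptions; the 203.0.113.0/24 and
# 198.51.100.0/24 ranges are RFC 5737 documentation addresses, not real IPs.
# Dry run by default: commands are printed. Use IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

LAN_IF=eth0;  LAN_NET=192.168.1.0/24
DMZ_IF=eth1;  DMZ_NET=192.168.2.0/24
FR_IF=eth2;   FR_IP=203.0.113.1
ADSL_IF=eth3; ADSL_IP=198.51.100.1
WEB_SERVER=192.168.2.10   # DMZ host that serves HTTP
FTP_SERVER=192.168.2.11   # a different DMZ host that serves FTP

ipt() { $IPT "$@"; }

build_firewall() {
    # Flush and default-deny: nothing crosses the router unless a rule allows it.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # The "established" feature that needs kernel 2.4: replies belonging to a
    # connection already in the state table are accepted without per-port rules.
    for chain in INPUT FORWARD; do
        ipt -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Anti-spoofing: private source addresses must never arrive on an uplink.
        for ext in $FR_IF $ADSL_IF; do
            ipt -A $chain -i $ext -s $LAN_NET -j DROP
            ipt -A $chain -i $ext -s $DMZ_NET -j DROP
        done
    done

    # LAN clients may open new connections anywhere (Internet or DMZ).
    ipt -A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
    # DMZ hosts never initiate connections into the LAN. The default DROP
    # already enforces this; the explicit rule makes the intent visible.
    ipt -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP

    # Published services: one public address per uplink, HTTP and FTP split
    # across two physical DMZ machines (point 3 of the post).
    for ext_ip in $FR_IP $ADSL_IP; do
        ipt -t nat -A PREROUTING -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
        ipt -t nat -A PREROUTING -d $ext_ip -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21
    done
    # Only the translated destinations are reachable from outside as NEW.
    ipt -A FORWARD -o $DMZ_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -o $DMZ_IF -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Hide LAN clients behind whichever uplink the routing table chooses.
    ipt -t nat -A POSTROUTING -s $LAN_NET -o $FR_IF -j SNAT --to-source $FR_IP
    ipt -t nat -A POSTROUTING -s $LAN_NET -o $ADSL_IF -j SNAT --to-source $ADSL_IP

    # Log what the default policy will drop, rate-limited so the log cannot be flooded.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

build_firewall
```

Two practical notes on the design: the reverse translation for DNAT and SNAT is done by the connection tracker, so no rule for the return path is needed beyond the single ESTABLISHED,RELATED line; and for FTP the data connections only count as RELATED once the ip_conntrack_ftp and ip_nat_ftp helper modules are loaded on a 2.4 kernel.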