Re: Linux Firewall
For the last new firewall I've installed I've used a stock Mandrake 8.0 and
then ran Bastille on it. It's very easy to use Bastille to create a
relatively complicated and full featured firewall (including SNAT) and after
that you can easily customize the rules saved in the sysconfig (if you
understand the iptables format, which is fairly straight-forward).
"Hardening" the distro is also relatively painless as Mandrake has a lot of
security patches out of the box, and with 8.1 we're gonna get libsafe back.
I think that unless you're going uber-secure (and I don't think that any but
the really big players should need that), and assuming you know what you're
doing, using a run-of-the-mill out of the box distro is more than enough -
what most 'firewall dedicated distros' do, is supposedly save you some time
securing peripheral things, like making sure no unneeded daemons are running,
and maybe providing a nice firewall-script-building interface. I don't think
it's worth the effort. Basically, I believe that "know your turf" is more
important than "let's clickity-click our way to the finish button", especially
when doing firewalls, and a dedicated distro somewhat compromises that.
Although - if you're into dedicated distro, take a look at Mandrake's SNF
(yes, I'm a Mandrake fanatic - just shoot me ;-)
Oded
P.S.
Instead of SNAT, I usually prefer using xinetd to do the port forwarding for
me. That allows me to keep things like that out of the firewall script (and
keep it simple) and also use tcpwrappers on all incoming ports from a
central location.
--
ignisecond, n:
The overlapping moment of time when the hand is locking the car
door even as the brain is saying, "my keys are in there!"
-- Rich Hall, "Sniglets"
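The xinetd-style port forwarding described in the P.S. above, as an added example that is not part of the original post: one xinetd service that accepts connections on the firewall's port 80 and relays them to a hypothetical internal web server at 192.168.1.10 (a constructed address), with access limited both by xinetd's own only_from and by a tcp_wrappers entry in /etc/hosts.allow. The service name, addresses and network ranges are assumptions for illustration. (In iptables terminology, forwarding inbound connections to a server is DNAT; SNAT/MASQUERADE is what hides clients behind one address.)

```conf
# /etc/xinetd.d/http  (added example; names and addresses are constructed)
service http
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody            # the relay needs no privileges
    # Relay every accepted connection to the internal web server.
    # xinetd copies bytes in user space, so the backend sees the
    # firewall's address as the client, not the real source.
    redirect        = 192.168.1.10 80
    # xinetd's own access control: who may connect at all.
    only_from       = 0.0.0.0/0
    no_access       = 10.0.0.0/8
    # Limit concurrent relays and per-source connections so a flood
    # cannot exhaust the firewall with relay processes.
    instances       = 50
    per_source      = 10
    # Central logging of every forwarded connection (source host,
    # duration) and of every refused one.
    log_on_success  += HOST PID DURATION
    log_on_failure  += HOST
}

# /etc/hosts.allow  (tcp_wrappers; xinetd must be built with libwrap)
# Same service name as above; this layer applies to all wrapped services
# from one place, which is the "central location" the P.S. refers to.
http: ALL EXCEPT 10.0.0.0/255.0.0.0

# /etc/hosts.deny
# Default-deny for wrapped services; add each exposed service to
# hosts.allow explicitly.
ALL: ALL
```

Two caveats a practitioner would want: the relay is TCP-only and forks a process per connection, so it is slower than kernel NAT under load, and because the backend's logs show the firewall as the source of every request, keep the xinetd log (with HOST) as the record of which external address connected.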
----- Original Message -----
From: "Eli Marmor" <marmor@netmask.it>
To: "linux ILUG" <linux-il@linux.org.il>
Sent: Sunday, September 16, 2001 11:23 PM
Subject: Re: Linux Firewall
> Tzafrir Cohen wrote:
>
> > On Sun, 16 Sep 2001, Eli Marmor wrote:
>
> > > 1. Standard Distros, after being hardened (i.e. RH/Mdk) vs. dedicated
> > > FW distros (LRP/Coyote/Devil/floppyfw/smoothwall) vs. another
> > > solution (?); What would you prefer?
> >
> > BTW: speaking of standard distros, I saw this week in freshmeat aXon
> > linux http://www.axonlinux.org/ (warning: version pre-1.0, and site loaded
> > with hype and poor on documentation)
>
> Looks cool...
> However, while it may be a perfect replacement for home residential
> gateway or SOHO Internet appliance, it can't replace a business FW.
> In a business, you would want to divide the jobs of that server between
> 3 separate machines: One as the office server (SAMBA/FAX/etc.), one as
> an external server (DMZ) (WEB/DNS/etc.), and one as a minimalistic
> router/firewall. I'm afraid that there is a danger in putting jobs like
> Samba and e-mail (and even a Swiss cheese like IMP!!!) in the router/FW
> machine.
>
> > Some of those scripts try to go beyond a simple script, and become a
> > more complete system (e.g: what http://seawall.sourceforge.net/ is trying
> > to present itself as).
>
> No iptables support (2.2-based...).
>
> > Is there any such "script" that looks like a relatively complete system?
>
> From my little "research", I got to the following conclusion:
>
> Instead of taking an (easily breakable) complex distro and using
> advanced tools to configure FW, you should take the most minimalistic
> distro you can (but with 2.4 kernel). As to ease of configuration - you
> should not worry; Tools like Firewall-Builder, can be run from other
> machines, and only their generated output should be taken and copied to
> the target machine, so the target can be really minimalistic, and you
> don't need X/GNOME/etc., although the tool you use requires it.
>
> > > 3. NAT (Network Address Translation, or IP Masquerading) is usually
> > > used to hide clients (DNAT) and not DMZ/servers (SNAT). Would you use
> > > SNAT too? IMHO, its advantages are the ease of replacing ISP and/or IPs
> > > / classes, as well as the option to divide different services of the
> > > same host (FTP/http/etc.) between different physical machines, and
> > > its disadvantage is more overhead (?). As to security, I don't have any
> > > idea if SNAT adds any security, since the servers remain accessible
> > > from outside (under control, of course...).
> >
> > Depends what sort of access. If you only forward, say, ports 80 and 25
> > of some server then most of its ports are not accessible from the outside
> > world, and a remote attacker won't be in a position to exploit the latest
> > proftpd hole.
> >
> > This is before even adding a single packet-filtering rule on the server
> > itself.
>
> So - what is your recommendation?
> And does SNAT add any overhead?
>
> Thanks,
> --
> Eli Marmor
> marmor@netmask.it
> CTO, Founder
> Netmask (El-Mar) Internet Technologies Ltd.
> __________________________________________________________
> Tel.: +972-9-766-1020 8 Yad-Harutzim St.
> Fax.: +972-9-766-1314 P.O.B. 7004
> Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
>