Re: Linux firewall/IDS/NAT suggestions

From: J Norfleet (jnorfleet_at_picusnet.com)
Date: 05/31/03

  • Next message: Arthur Corliss: "Re: Linux firewall/IDS/NAT suggestions"
    To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>, focus-linux@securityfocus.com
    Date: Sat, 31 May 2003 02:18:05 -0400
    
    

    On Friday 30 May 2003 11:54 am, Petty, Robert wrote:
    -snip-

    Just to add a few things.

    > Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    MHO. Go with 2.4 and iptables (Stateless firewall), for reasons mentioned
    before

    > Should snort be running on the firewall machine or another machine? If on
    > another machine, should I put the firewall and IDS box on a hub as the
    > first hop so they both see the same traffic? The customer's router is not
    > manageable (linksys) and they have no budget for a Cisco Router or PIX.
    >
    > The Linux box will serve as a secondary NAT layer, any pitfalls with this?

    iptables handles NAT'ing between interfaces, controlling DMZs, etc., if I
    understood the question right.

    > Should SSH go to the firewall machine or be passed through to an internal
    > Linux box?

    Through iptables, you can specify traffic on a certain interface (eth0), for a
    set port (22), from a certain host (1.2.3.4). Then there's tcp wrappers.

    > Should the NAT and Firewall rules be written and maintained on CD-R media
    > so a malicious attacker cannot hide rule changes? Should the firewall be
    > re-initialized on a schedule to ensure the live rules are those from the
    > read-only media?

    I've heard of the whole linux OS and firewall running off a CD. (Trinux has a
    few ISO's :)

    > Last, but not least, what's a good HowTo that can be used as a basis? I
    > would prefer one that starts off a little more strict so I can simplify
    > rather than have to bone up on all of the current vulnerabilities.

    http://www.linuxguruz.com/iptables/howto/iptables-HOWTO.html
    http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html

    >
    > Thanks for any replies!
    >
    > Robert

    np,
    jnorfleet
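An added example, not part of the post above or of any project it mentions: a minimal 2.4-era iptables script that does what the reply sketches, i.e. masquerades the LAN behind the outside interface, forwards only LAN-originated traffic, and admits SSH to the firewall itself only on eth0, port 22, from one admin host. It also carries a small helper for the read-only-media question, comparing a live `iptables-save` dump against a saved copy while ignoring the timestamp comments `iptables-save` writes. The interface names, the 192.168.1.0/24 LAN and the 192.0.2.10 admin host are placeholders (assumptions), and the state matching assumes the `ip_conntrack`/`ipt_state` modules are loaded. The rules are emitted as text by default so they can be reviewed or diffed first; they are only executed when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example: minimal iptables NAT/firewall ruleset for a Linux 2.4 box.
# Assumed layout (placeholders, override via environment):
WAN=${WAN:-eth0}                        # outside interface (towards the Linksys)
LAN=${LAN:-eth1}                        # inside interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # inside network
ADMIN_HOST=${ADMIN_HOST:-192.0.2.10}    # only host allowed to SSH to the firewall

# emit_rules prints the commands instead of running them, so the ruleset
# can be reviewed, burned to read-only media, or diffed before use.
emit_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules executes the emitted commands (needs root).
apply_rules() {
  emit_rules | sh -e
}

# rules_match FILE_A FILE_B: succeed when two iptables-save dumps are the same
# once the '# Generated by ...' / '# Completed on ...' comment lines are dropped.
# Use it to compare a live dump against the copy kept on read-only media.
rules_match() {
  a=$(grep -v '^#' "$1")
  b=$(grep -v '^#' "$2")
  [ "$a" = "$b" ]
}

# verify_live REFERENCE_FILE: dump the running ruleset and compare it to the
# reference copy; returns non-zero (and says so) when they differ.
verify_live() {
  tmp=/tmp/live-rules.$$
  iptables-save > "$tmp" || return 2
  if rules_match "$tmp" "$1"; then
    rm -f "$tmp"; echo "live rules match $1"; return 0
  fi
  rm -f "$tmp"; echo "live rules DIFFER from $1" >&2; return 1
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_rules
else
  emit_rules
fi
```

Run it plainly to print the ruleset, `APPLY=1 ./fw.sh` as root to load it, and something like `verify_live /mnt/cdrom/rules.save` from cron to catch a ruleset that has drifted from the read-only copy; `iptables-save > /mnt/cdrom-staging/rules.save` produces the reference file to burn.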

