Re: Linux firewall/IDS/NAT suggestions
From: J Norfleet (jnorfleet_at_picusnet.com)
To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>, firstname.lastname@example.org
Date: Sat, 31 May 2003 02:18:05 -0400
On Friday 30 May 2003 11:54 am, Petty, Robert wrote:
Just to add a few things.
> Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?
MHO. Go with 2.4 and iptables (Stateless firewall), for reasons mentioned
> Should snort be running on the firewall machine or another machine? If on
> another machine, should I put the firewall and IDS box on a hub as the
> first hop so they both see the same traffic? The customer's router is not
> manageable (linksys) and they have no budget for a Cisco Router or PIX.
> The Linux box will serve as a secondary NAT layer, any pitfalls with this?
iptables handles NAT'ing between interfaces, controlling of DMZs, etc. If I
understood the question right?
> Should SSH go to the firewall machine or be passed through to an internal
> Linux box?
Through iptables, you can specify traffic on a certain interface (eth0), for a
set port (22), from a certain host (22.214.171.124). Then there's tcp wrappers.
> Should the NAT and Firewall rules be written and maintained on CD-R media
> so a malicious attacker cannot hide rule changes? Should the firewall be
> re-initialized on a schedule to ensure the live rules are those from the
> read-only media?
I've heard of the whole Linux OS and firewall running off a CD. (Trinux has a
few ISOs :)
> Last, but not least, what's a good HowTo that can be used as a basis? I
> would prefer one that starts off a little more strict so I can simplify
> rather than have to bone up on all of the current vulnerabilities.
> Thanks for any replies!
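As an added illustration (not from the thread), the ruleset sketched in the reply written out in iptables-restore format: a 2.4 box masquerading a LAN out of eth0, accepting new SSH connections on eth0 only from one admin host, and loadable on a schedule from read-only media so a tampered live ruleset gets replaced. Interface names, the LAN range and the admin address are constructed placeholders, and the box is assumed to have the 2.4 kernel's connection-tracking module loaded.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset; run with "apply" (as root) to load it.
# Interfaces, networks and the admin address are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_HOST="${ADMIN_HOST:-203.0.113.10}"   # documentation-range example

# Print the ruleset on stdout, one table per *table ... COMMIT block.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the WAN address (second NAT layer behind the router).
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the box itself opened (needs ip_conntrack).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH to the firewall: only on $WAN_IF, port 22, from the admin host.
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT
# LAN may go out; from the WAN side only return traffic is forwarded in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check used before loading: exactly one rule admits new SSH sessions.
count_ssh_rules() {
    gen_rules | grep -c -- '--dport 22'
}

# Load the ruleset atomically; intended to be invoked by cron from a CD-ROM
# mount so that whatever is live gets overwritten by the read-only copy.
apply_rules() {
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```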