RE: Firewall options- which way to go

From: Burton M. Strauss III (bstrauss3@attbi.com)
Date: 10/15/02


From: "Burton M. Strauss III" <bstrauss3@attbi.com>
To: <security-basics@securityfocus.com>
Date: Tue, 15 Oct 2002 16:19:04 -0500

If all you want it to be, you're better off with a firewall-specific
distribution.

Two reasons...

1) the developers tend to focus on the firewall aspects, it's not an add-on
among 1000s of packages and services

and

2) (very important, IMHO) it's a perfect defense against overloading the
"available" Linux box with a lot of other services that might weaken its
defenses...

     "Nope, sorry, can't do, it only works as a firewall.
      However, if you want a xxxx server, I'll be happy to
      build another Linux box and set it up in the (LAN | DMZ)
      for you"

I prefer the iptables approach - there are a lot more things you can do
(such as rate limiting, etc.)

And, re your Q3, if it's a purpose-oriented distro, then you typically get
much better how-to docs.

-----Burton

-----Original Message-----
From: Leon Pholi [mailto:L.Pholi@secureinteractive.com]
Sent: Sunday, October 13, 2002 7:33 PM
To: security-basics@securityfocus.com
Subject: Firewall options- which way to go

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am looking at options for setting up a Linux firewall for our
company. Although I am a relative newbie to Linux, I'm not afraid to
get my 'hands dirty' with IPTables etc.

I have a couple of questions and would appreciate all comments.

1) Is it better to use a purpose-built distribution such as
Smoothwall, IPCop or firewall-specific ones from Redhat, Mandrake,
SuSE etc, or, would it be better to use a standard distro & build it
from scratch (bearing in mind I haven't yet recompiled a kernel but
I'm willing to give that a go too)?

2) If building from scratch, kernel version 2.4 supports both
ipchains & iptables (newer)- does anyone have a strong view on using
one over the other?
If using a purpose-built one, does anyone have any experience-based
preferences?

3) Other than just suggesting to do a google search, are there any
resources (a simple step by step howto would be good) you would
recommend for the suggested approach?

All help greatly appreciated. Thanks in advance.

Leon

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPaoQ+23X5duwk+XvEQKyUQCfcI+YuA2CoEgTKPdMkacPHhc0MWQAoKid
reavCfqXEnT7pygVQ+8nO9P4
=kL3I
-----END PGP SIGNATURE-----
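
Added example, not part of either message: a shell function that emits an iptables-restore ruleset for a box that does nothing but route and filter, using the rate limiting (`-m limit`) mentioned in the reply. The interface names, the SSH admin rule on the LAN side, and the rate values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: ruleset for a firewall-only box (interfaces and rates are assumed values).

# Accept only plain interface names so nothing else can be spliced into the ruleset.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# firewall_rules WAN_IF LAN_IF: print the ruleset in iptables-restore format.
firewall_rules() {
    if ! valid_iface "$1" || ! valid_iface "$2"; then
        echo "firewall_rules: bad interface name" >&2
        return 1
    fi
    wan="$1"; lan="$2"
    # -m state matches the 2.4-era syntax; newer iptables also offers -m conntrack --ctstate.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 10/minute --limit-burst 5 -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 10/minute --limit-burst 5 -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Stand-alone use: sh fw.sh WAN_IF LAN_IF
if [ "$#" -eq 2 ]; then
    firewall_rules "$1" "$2"
fi
```

Pipe the output to `iptables-restore --test` to have the rules parsed without loading them. The limit on the LOG rules caps log volume during a flood, and no rule accepts new connections to the box itself from the WAN side.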


