Re: IPChains vs Cisco IOS Packet Filters
On Thu, 12 Apr 2001, Eugene van Zyl wrote:
> Can anyone tell me whether the Packet Filter on the Cisco IOS does
> stateful packet inspection, and whether I'll be losing by replacing
> it with IPChains on Kernel 2.2.17?
I don't know about Cisco IOS, but ipchains is *not* stateful. If you want
stateful packet filtering on a 2.2.x kernel (avoid versions earlier than
2.2.19; some security problems were fixed in that release), have a look at
spf; it is a Debian package and is available in both the testing and unstable
distributions. However, the package compiles happily on a stable
Debian distribution, and I have had it running without a glitch for about
2 years on the firewall of the institute I work in.
> Biggest reason being I know nothing about the Cisco IOS and it's also
> a leased router to which I don't have telnet or console access (only
> the ISP's net is allowed access to) and I keep on needing to alter
> rules and it's a bugger having to wait for the ISP to respond to
> requests :-(
>
> PS. What resources are available on the net on configuring and running
> a Linux IPChains firewall? (other than the HOWTO of course :-) )
If you will be creating from scratch a computer for that purpose, I
recommend the following:
- install a stable Debian distribution on the computer that will be your
firewall, stripped to the bare minimum necessary for it to run and for you to be
able to administer it; in particular, be sure to disable any service that
you will not need (I have none on my firewall, no user accounts, and only
root access from the console is allowed)
- install a 2.4.x kernel with native (netfilter) firewalling and bridging
enabled, along with the few packages from unstable/testing which are
needed for it to work in a stable distribution
- configure transparent bridging on your firewall, so that you can, to
begin with, insert it between your router and your network without causing
any harm to the network traffic; actually, nobody should even notice it is
present...
- configure stateful packet filtering using the native 2.4.x firewalling
capabilities (i.e. using the iptables command); put all the necessary
commands in a shell script, put the script in /etc/init.d and put soft
links to it in /etc/rcS.d; give it a higher priority than networking, so
that your filtering rules will be in place in the boot process *before*
the network is up, so that your network is never open to attacks, not even
for a few seconds
- (unnecessary, but recommended) install some intrusion detection system
on your firewall, such as Snort.
- (vital) always keep your firewall up to date with security alerts and
patches
This is a bit terse, not quite a HOWTO, but it should get you started...
Bye
Giacomo
_________________________________________________________________
Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddie Mercury)
_________________________________________________________________
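The boot-time firewall script that Giacomo's fourth list item describes, written out as an added example (it is not his script and nothing in the mail shows his rules). It assumes a Debian box where the networking init script is rcS.d/S40networking, so the firewall is linked in at S39; the internal subnet and the one externally reachable web server are constructed addresses from the 192.0.2.0/24 documentation range. Rules match on addresses rather than interface names, which sidesteps the way the bridge presents its ports to iptables; note that on 2.4.x kernels iptables only sees bridged frames at all with the bridge-nf patch. Setting DRY_RUN=1 prints the commands instead of running them, so the rule set can be reviewed without root and without a live kernel:

```shell
#!/bin/sh
# /etc/init.d/firewall -- added example, not from the original mail.
# Stateful iptables rules for a 2.4.x transparent-bridge firewall, loaded
# from rcS.d before networking comes up.
#
# Install (assumes Debian's networking script is S40networking in rcS.d):
#   update-rc.d firewall start 39 S .
# Caveat: on 2.4.x kernels iptables filters bridged frames only with the
# bridge-nf patch applied.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}          # 1 = print the commands instead of running them

LAN_NET=192.0.2.0/24           # constructed: the internal network behind the bridge
WEB_SERVER=192.0.2.10          # constructed: the only internal host reachable from outside

# Run one iptables command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Fail closed: set DROP policies *before* flushing, so there is never a
# moment where the tables are empty and the policy is ACCEPT.
reset_rules() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT       # the firewall's own traffic, e.g. fetching security updates
    run -F
    run -X
}

firewall_rules() {
    reset_rules

    # Traffic to the firewall itself: loopback and replies to its own connections.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m state --state INVALID -j DROP

    # Bridged traffic (FORWARD chain). State rules come first so that every
    # packet of an already-accepted connection is passed without rescanning
    # the policy rules below.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state INVALID -j DROP
    # Internal hosts may open new connections outward.
    run -A FORWARD -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # From anywhere, only new HTTP connections to the web server.
    run -A FORWARD -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Everything else is logged (rate-limited) and falls through to the DROP policy.
    run -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
}

case "${1:-}" in
    start|restart|reload) firewall_rules ;;
    stop) reset_rules ;;       # stopping the firewall must not open the network
    "") ;;                     # no action given: only define the functions
    *) echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Review the generated rule list with `DRY_RUN=1 sh /etc/init.d/firewall start` before installing the rcS.d link; the `stop` action deliberately leaves the DROP policies in place rather than opening the bridge.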