Re: Should I propose a Debian Firewall?
Tim Sailer wrote:
> On Mon, Nov 29, 1999 at 04:35:47PM +0000, Rene Mayrhofer wrote:
> > Kiss Csaba wrote:
> > > What type of firewall is yours? Packet-filtering or proxy-based or
> > > stateful or other?
> > In principle it is open to any concept.
> > We use a combination of packet-filtering (standard linux kernel) and
> > proxies (e.g. for ftp which is a nightmare to packet-filter).
> Which proxy package did you use? We (here at BNL) are looking at building
> a sitewide 'screened subnet' firewall. I'm having a hard time getting my
> mind around the proxies. We will have a bunch of machines running as proxy
> servers. Do you run all proxies on all servers? 1 proxy per server? Then,
> how do you know which one to go to?
I use squid on its own machine when security and performance are needed
or some really simple proxies when performance is not essential (there
is an ftp-bouncing-only proxy whose name I don't remember - it has been
some time since I used it, but I found it on freshmeat).
Most of the time I use masquerading and port forwarding techniques,
because most of my customers want transparency for the clients. The
administrators do not have the time to explain to everyone who wants to
use a real ftp client how to configure it to use a proxy server.
> > But if you use the sifi kernel module, you can have stateful inspection
> > as well (I hope that standard kernel 2.4.x will get a stateful
> > inspection module sometimes - maybe I will write one using the netfilter
> > API).
> Really? It looked like sifi was just packet filtering to me! What kernel
> are you running sifi with? I've tried 2.2.10-2.2.12, and it panics the
> kernel quite regularly...
I used sifi with a 2.0.x kernel some time ago. As far as I know, sifi for
the 2.2.x kernel is still beta and I would not depend on it.
Sifi for 2.0.x seems to be a very well written piece of code, including
the concepts. But I dislike that it is not as flexible as the standard
kernel firewalling mechanism. Just one example: I wanted to manipulate
the firewalling rules from a script, not from the GUI - no easy way. You
have to create a config file and let sifi activate the rules from the
I will wait for kernel 2.4.x (x >= 5 :) ) for stateful inspection.
Really - the netfilter framework that will be introduced with 2.4.x
(it's already in 2.3.x - but for firewalls?) is conceptually extremely
flexible. Stateful inspection can be done with a user level module as
far as I understand the documentation.
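The stateless-versus-stateful distinction discussed above, and the reason ftp is such a pain to packet-filter, can be shown with a small simulation. The following is an added example and is not code from the original mail, from sifi or from netfilter: it is a toy TCP connection tracker with an FTP helper that parses the client's PORT command and lets in only the data connection the client actually asked for. All addresses, ports and the PORT payload are constructed for the demonstration.

```python
# Toy stateful packet filter (constructed example, not part of the original mail).
# Active-mode FTP is the awkward case: the server opens the data connection
# back to the client from port 20, so a stateless filter has to leave a
# standing hole for inbound connections from port 20. A stateful filter only
# opens that hole for the one connection the client announced with PORT.
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool          # True: Internet -> LAN, False: LAN -> Internet
    syn: bool = False      # first packet of a new TCP connection
    payload: str = ""      # application data, used only by the FTP helper


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def stateless_allows(pkt: Packet, allowed_out: Set[int]) -> bool:
    """Stateless rule set: replies are recognised by source port only,
    and active-FTP data connections need a blanket rule for port 20."""
    if not pkt.inbound:
        return pkt.dport in allowed_out
    if pkt.sport in allowed_out and pkt.dport > 1023:
        return True  # assumed to be a reply to an outbound connection
    return pkt.sport == 20 and pkt.dport > 1023  # the active-FTP hole


_PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class StatefulFilter:
    def __init__(self, allowed_out: Set[int]):
        self.allowed_out = allowed_out
        self.established: Set[FlowKey] = set()  # outbound flows we have seen
        self.expected: Set[FlowKey] = set()     # data connections announced via PORT

    def allows(self, pkt: Packet) -> bool:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.established or reverse in self.established:
            # Either direction of a connection we already track.
            if not pkt.inbound and pkt.dport == 21:
                self._ftp_helper(pkt)
            return True
        if not pkt.inbound:
            # New outbound connection: permitted ports only, and remember it.
            if pkt.syn and pkt.dport in self.allowed_out:
                self.established.add(key)
                return True
            return False
        # Inbound and not part of a tracked connection: accept only the
        # data connection an FTP client explicitly asked for, exactly once.
        if pkt.syn and key in self.expected:
            self.expected.discard(key)
            self.established.add(key)
            return True
        return False

    def _ftp_helper(self, pkt: Packet) -> None:
        m = _PORT_CMD.match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        if client_ip != pkt.src:
            return  # refuse to open a hole towards a third host
        # Active mode: the server will connect from port 20 to this port.
        self.expected.add((pkt.dst, 20, client_ip, p1 * 256 + p2))


def demo() -> Dict[str, bool]:
    """Walk one active-mode FTP session through both filters."""
    fw = StatefulFilter(allowed_out={21, 80})
    client, server, other = "10.0.0.5", "192.0.2.10", "203.0.113.7"
    control_syn = Packet(client, 40000, server, 21, inbound=False, syn=True)
    control_reply = Packet(server, 21, client, 40000, inbound=True)
    # 156*256 + 65 = 40001: the client announces its data port
    port_cmd = Packet(client, 40000, server, 21, inbound=False,
                      payload="PORT 10,0,0,5,156,65")
    data_syn = Packet(server, 20, client, 40001, inbound=True, syn=True)
    rogue_syn = Packet(other, 20, client, 40002, inbound=True, syn=True)
    return {
        "control_syn": fw.allows(control_syn),
        "control_reply": fw.allows(control_reply),
        "port_cmd": fw.allows(port_cmd),
        "data_syn_stateful": fw.allows(data_syn),
        "rogue_stateful": fw.allows(rogue_syn),
        "rogue_stateless": stateless_allows(rogue_syn, {21, 80}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ACCEPT' if verdict else 'DROP'}")
```

The expected data connection is accepted by both filters, but the unrelated SYN from port 20 is dropped only by the stateful one; the stateless rule set has to accept it because it cannot tell the two apart. The check that the PORT address matches the client's own source address is the same guard a real FTP helper needs, otherwise a client could ask the firewall to open a hole towards someone else.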