
Re: firewall
OK, I see that this might be flamebait ...

On Tuesday 03 July 2012 23:19:06 lina wrote:
> Hi,
> 
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.
> 
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
> 
> Best regards,

It seems that you want a firewall on the computer which you are working with.
As regards closing unnecessary ports or limiting them to localhost, Joe
gave good advice already.

Some may call me a security paranoid and a control freak but ...

I'm afraid that learning about iptables is necessary before one is able to
appreciate what the higher layer of administration s/w does to it.
A firewall frontend may deceive you into thinking that you have full control
over the firewall while it does things that the frontend developer THINKS you
want - but do you?
e.g. for some years I was using Webmin to maintain my servers until it did
atrocious things to my Samba configuration. Now I'm a lot more wary and double
check against the config files. Backups and etckeeper (using git) help to
avoid catastrophes.

I personally do not think much of firewalls which reside on the same machine
which I want to protect. I'd choose an older PC to play with and install
OpenBSD on it. Then set up a firewall - you might even have a look at a
bridging firewall if you want to make it invisible to the network. As long as
you have keyboard and screen access to the machine you won't need a third
network port for maintenance. Although it comes in handy for upgrades.

http://www.openbsd.org/faq/faq6.html#Bridge
http://bio3d.colorado.edu/tor/sadocs/tcpip/bridge.html#what%20is%20a%20bridging%20firewall
see also: Firewalling with OpenBSD’s PF packet filter
Peter N. M. Hansteen
To get started with OpenBSD
"Secure Architectures With OpenBSD" by Palmer and Nazario

The OpenBSD documentation is excellent and very helpful. Later when everything 
is working as planned and if I'm tight on office space I'd get one of those 
Soekris boxes or similar and install my firewall there. Then you can tuck it 
safely under your desk.

I once tried out a GUI to handle my OpenBSD firewall but gave it up and I do 
prefer editing the pf.conf file with vim.

I installed Denyhosts on the firewall as well. There is no OpenBSD port for it 
but setup is easy with the Denyhosts documentation.
It is quite funny to see all the attempts to break into your box on port 22. 
Changing SSH to another port quiets this immediately.

Kind regards
Eike
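A constructed example of the kind of bridging-firewall pf.conf the post points at (added here, not from Eike's post or the OpenBSD FAQ). It assumes two NICs named em0 (towards the router) and em1 (towards the protected host), a placeholder host address 192.0.2.10, no IP address on the bridge itself (console access only, as the post suggests), and SSH already moved to port 2222.

```conf
# /etc/pf.conf for a transparent bridge (constructed example).
# Bridge setup on OpenBSD lives in the hostname files, not in pf.conf:
#   /etc/hostname.em0 and /etc/hostname.em1 each contain:  up
#   /etc/hostname.bridge0 contains:  add em0
#                                    add em1
#                                    up
# pf filters on the member interfaces (em0/em1), not on bridge0.

ext_if   = "em0"         # assumed: outside / router side
int_if   = "em1"         # assumed: inside / protected host side
host     = "192.0.2.10"  # placeholder address of the protected host
ssh_port = "2222"        # assumed: SSH moved off port 22

set skip on lo

# Default deny, logged: blocked port-22 probes become visible with
#   tcpdump -n -e -ttt -i pflog0
block log all

# The host may talk out; state on the outside interface lets the replies
# back in through the bridge (pf state is floating by default).
pass in  on $int_if from $host
pass out on $ext_if from $host keep state

# Inbound to the host: only SSH on the moved port. Port 22 stays blocked.
pass in on $ext_if proto tcp to $host port $ssh_port
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and inspect the active rules with `pfctl -s rules` rather than trusting a frontend.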
