Re: Firewall Startup Configuration files
Peter Robb wrote:
Yes, but the closer you keep your system to the standard, the
less will the pain be.
Well this is my opinion on how to run a linux firewall, as well
as most linux servers.
1. Make a plain simple, stupid, no frills installation.
2. Change a minimum of configuration files and document these
This puts a lot of restrictions on how much you can change the
startup script, thats the origin of my first question.
I beleive it is quite easy to configure your firewall in the
first place, but you run into quite a lot of trouble when you
need to upgrade it.
I want to install and configure once and somewhat forget.
It has been a royal pain to upgrade my current RedHat firewall
with iptables and kernel security patches.
I don't believe anyone will ever get away from that problem..
If you do a kernel you need to reboot..
And maybe recompile kernel modules to match...
I believe that all your applications that reside on the firewall
shall be secure, or at least updated within a day from a security
alert. This will protect us from everybody except a few that are
impossible to stop anyway.
With secure applications will your firewall be quite secure
anyway during the brief period from the start of the interfaces
to the loading of the firewall rules.
Yes, but once it may happen that there is a problem with one interface
> or service starting which can make this delay a very long
Yes, you are right!
By the way NAT and DNAT does not protect you from evil neighbours
at your ISP. One of my internal networks was earlier 192.168.1.0/24.
An evil neighbour can send a source routed package to my gateway
further on to one of my internal machines...
No the ISP does not filter out these addresses, because it is not
possible in their DSL equipment.
That is what the reverse path filter is for, rp_filter, in your /etc/sysctl.conf file
Is this good enough?
If the evil person has good adress A and sends a packet to your
internal host B via your firewall C.
The packet from A will appear at interface a of C, with a fully
valid sender address and fully valid recipient address B.
I don't understand why the rp filter should reject it.