Peter Robb wrote:
> Yes, but the closer you keep your system to the standard, the less the pain will be.
>
>> Well, this is my opinion on how to run a Linux firewall, as well as most Linux servers.
>>
>> 1. Make a plain, simple, stupid, no-frills installation.
>> 2. Change a minimum of configuration files and document these.
>>
>> This puts a lot of restrictions on how much you can change the startup script; that's the origin of my first question. I believe it is quite easy to configure your firewall in the first place, but you run into quite a lot of trouble when you need to upgrade it. I want to install and configure once and somewhat forget. It has been a royal pain to upgrade my current RedHat firewall with iptables and kernel security patches.
>
> I don't believe anyone will ever get away from that problem.. If you do a kernel you need to reboot.. And maybe recompile kernel modules to match...
>
>> I believe that all your applications that reside on the firewall shall be secure, or at least updated within a day from a security alert. This will protect us from everybody except a few that are impossible to stop anyway. With secure applications your firewall will be quite secure anyway during the brief period from the start of the interfaces to the loading of the firewall rules.
>
> Yes, but once it may happen that there is a problem with one interface
> or service starting which can make this delay a very long
> time...

Yes, you are right!

>> By the way, NAT and DNAT do not protect you from evil neighbours at your ISP. One of my internal networks was earlier 192.168.1.0/24. An evil neighbour can send a source routed package to my gateway further on to one of my internal machines... No, the ISP does not filter out these addresses, because it is not possible in their DSL equipment.
>
> That is what the reverse path filter is for, rp_filter, in your /etc/sysctl.conf file.
>
>> Is this good enough?

If the evil person has good address A and sends a packet to your internal host B via your firewall C, the packet from A will appear at interface a of C, with a fully valid sender address and fully valid recipient address B.

I don't understand why the rp filter should reject it.

/Magnus
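The exchange above turns on what the reverse path filter actually tests. The following Python is an added example, not part of the thread and not anyone's posted code: it models strict and loose `rp_filter` against a constructed routing table for a two-interface gateway like Magnus's C, alongside the separate `net.ipv4.conf.*.accept_source_route` setting that governs whether source-routed IPv4 packets are accepted at all. The addresses (203.0.113.5 from the documentation range, 192.168.1.0/24 from the thread), interface names and routes are all constructed for the illustration.

```python
import ipaddress

# Constructed routing table for gateway C: eth0 faces the ISP, eth1 the LAN.
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route toward the ISP
    ("192.168.1.0/24", "eth1"),  # the internal network from the thread
]


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface C would use to send *to* addr."""
    best_len, best_iface = -1, None
    ip = ipaddress.ip_address(addr)
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def rp_filter_verdict(src, in_iface, mode=1, routes=ROUTES):
    """Model of net.ipv4.conf.*.rp_filter: 0 = off, 1 = strict, 2 = loose.

    Strict mode accepts a packet only if the route back to its *source*
    address leaves through the interface the packet arrived on. Loose mode
    only asks whether the source is reachable through any interface, which
    with a default route present means practically everything passes.
    The destination address plays no part in this check.
    """
    if mode == 0:
        return "accept"
    back = route_lookup(src, routes)
    if mode == 1:
        return "accept" if back == in_iface else "drop"
    return "accept" if back is not None else "drop"


def ingress_verdict(pkt, rp_mode=1, accept_source_route=0, routes=ROUTES):
    """Apply both knobs to one inbound packet and return the drop reasons.

    pkt is a dict with keys src, dst, in_iface and source_routed (True when
    the IPv4 header carries a loose/strict source route option). An empty
    list means the packet is handed on to routing and the iptables rules;
    this model makes no claim about the order the kernel evaluates the two.
    """
    reasons = []
    if pkt.get("source_routed") and accept_source_route == 0:
        reasons.append("source-routed packet while accept_source_route=0")
    if rp_filter_verdict(pkt["src"], pkt["in_iface"], rp_mode, routes) == "drop":
        reasons.append("rp_filter: return route for %s is not via %s"
                       % (pkt["src"], pkt["in_iface"]))
    return reasons


def thread_scenario():
    """The A -> C -> B case from the thread, plus two contrasting packets."""
    a_to_b = {"src": "203.0.113.5", "dst": "192.168.1.10",
              "in_iface": "eth0", "source_routed": False}
    a_to_b_srr = dict(a_to_b, source_routed=True)
    spoofed = {"src": "192.168.1.77", "dst": "192.168.1.10",
               "in_iface": "eth0", "source_routed": False}
    return {
        "valid external source, plain": ingress_verdict(a_to_b),
        "valid external source, source-routed": ingress_verdict(a_to_b_srr),
        "internal source arriving from ISP, strict": ingress_verdict(spoofed, rp_mode=1),
        "internal source arriving from ISP, loose": ingress_verdict(spoofed, rp_mode=2),
    }


if __name__ == "__main__":
    for case, reasons in thread_scenario().items():
        print("%-45s %s" % (case, "ACCEPT" if not reasons else "DROP: " + "; ".join(reasons)))
```

Running it shows the distinction the two posters are circling: a packet from a correctly addressed external host A arriving on the ISP-facing interface passes the reverse-path test, because the route back to A is that same interface, so whether it may reach B is left to the forwarding rules; a packet arriving on the ISP side that claims an internal source fails strict mode but passes loose mode; and a packet carrying a source route option is refused by `accept_source_route = 0` independently of `rp_filter`.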