[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 'Generic' Firewall Rulesets?

Yes, ipchains rulesets are stateless. But there is a very nice user space
tool available, named spf (for "stateful packet filter") and available as
a package for debian unstable (woody), which can make your packet filter
stateful. The package can be easily recompiled for the stable
(potato) distribution, and works great. You have to put all your rules in
the spf configuration file, and it will take care of the rest. I
currently run it on the firewall of the institute I work in, and have
never had any problems with it, once I figured out how to properly
configure it. It will allow 2 important improvements over a stateless
firewall (well, actually one that has two consequences):

1) you don't have to leave static open ports for the answers to
allowed connections (big security improvement)

2) due to 1) you can prune a lot of unneeded rules, making the ruleset
very much easier to understand and maintain (simpler == more secure)

Now, having said that I use spf and can say only good things about it,
iptables is an even better approach: it introduces the notion of
"related" connections, which means that it will automatically let in
connections "related" to permitted ones, such as with active ftp, ssh
tunnelled displays etc.
This makes it a more powerful approach, even more unneeded rules can be
pruned, and the ruleset is again simpler and easier to understand and
maintain. But this implies running a 2.4.0-testX kernel, and I have had
mixed (very good and very bad) experiences with it. As a rule of the
thumb, I actually run 2.4.0-test10 on every computer on which it can
successfully boot and run without errors for more than an hour, and it is
apparently flawless, but on some PII boxen, for example, it kept giving
fp_exception errors and killing processes, eventually causing a lot of
damage. It did it immediately, though, so it was not a difficult problem
to spot.

To wrap it up, my "hands on" suggestion is:

1) if you want a rock stable firewall, go with kernel 2.2.x, spf and

2) if you can afford to test things a bit and to spend some time getting
things to run smoothly, go with kernel, with x>=10, and

Hope it helps, bye


Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>

OSSERVATORIO  ASTRONOMICO                                                
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)

Reply to: