
Re: IPChains vs Cisco IOS Packer Filters

On Thu, 12 Apr 2001, Eugene van Zyl wrote:

> Can anyone tell me whether the Packet Filter on the Cisco IOS does
> stateful packet inspection ? and whether I'll be losing by replacing
> it with IPChains on Kernel 2.2.17?

I don't know about Cisco IOS, but ipchains is *not* stateful. If you want
stateful packet filtering on a 2.2.x kernel (avoid versions earlier than
2.2.19, some security problems were fixed in that release) have a look at
spf, it is a debian package and is available both in testing and unstable
distributions. However, the package compiles happily on a stable
debian distribution, and I have had it running without a glitch for about
2 years on the firewall of the institute I work in.

> Biggest reason being I know nothing about the Cisco IOS and it's also
> a leased router to which I don't have telnet or console access (only
> the ISP's net is allowed access to) and I keep on needing to alter
> rules and it's a bugger having to wait for the ISP to respond to
> requests :-(
> PS. What resources are available on the net on configuring and running
> a Linux IPChains firewall ? (other than the HOWTO of course :-) )

If you will be creating from scratch a computer for that purpose, I
recommend the following:

- install a stable debian distribution on the computer that will be your
firewall, stripped to the bare necessary for it to run and for you to be
able to administer it; in particular, be sure to disable any service that
you will not need (I have none on my firewall, no user accounts, and only
root access from the console is allowed)

- install a 2.4.x kernel with native (netfilter) firewalling and bridging
enabled, along with the few packages from unstable/testing which are
needed for it to work in a stable distribution

- configure transparent bridging on your firewall, so that you can, to
begin with, insert it between your router and your network without causing
any harm to the network traffic; actually, nobody should even notice it is

- configure stateful packet filtering using the native 2.4.x firewalling
capabilities (i.e. using the iptables command); put all the necessary
commands in a shell script, put the script in /etc/init.d and put soft
links to it in /etc/rcS.d; give it a higher priority than networking, so
that your filtering rules will be in place in the boot process *before*
the network is up, so that your network is never open to attacks, not even
for a few seconds

- (unnecessary, but recommended) install some intrusion detection system
on your firewall, such as snort.

- (vital) always keep your firewall up to date with security alerts and
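
An init-style script along the lines of steps 4 and 5 above, written as an added example (not the poster's own script): stateful 2.4 netfilter rules, default deny, no services on the firewall itself, and an rcS.d link sequenced before networking. Interface names, the inbound SMTP rule and the S39 number (assuming Debian's networking script is S40networking) are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original post.  Meant to live at
# /etc/init.d/firewall; set IPTABLES=echo for a dry run of the ruleset.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumption: interface towards the router
LAN_IF="${LAN_IF:-eth1}"   # assumption: interface towards the LAN

apply_rules() {
    # Default deny on both chains; the firewall itself offers no services.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -F INPUT
    "$IPTABLES" -F FORWARD
    # Loopback, plus replies to connections the firewall itself opened.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Stateful core: only the first packet of a connection is judged by the
    # explicit rules below; packets of a known connection pass, invalid ones drop.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
    # New connections: anything from the LAN outwards, only SMTP inwards
    # (constructed example of a single published service).
    "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # Log whatever falls through to the DROP policy for later review.
    "$IPTABLES" -A FORWARD -j LOG --log-prefix "fw-drop: "
}

# Link the script into rcS.d with a sequence number lower than networking's,
# so the rules are loaded before any interface comes up.
install_links() {   # $1 = init.d dir, $2 = rcS.d dir, $3 = sequence number
    ln -sf "$1/firewall" "$2/S$3firewall"
}

case "${1:-}" in
    start|restart) apply_rules ;;
    install) install_links /etc/init.d /etc/rcS.d 39 ;;
esac
```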

This is a bit terse, not quite a HOWTO but should get you started...



Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
