Re: is iptables enough?
What I find astonishing: Let's say you are running a webserver, maybe a
mailserver and a DNS server on one machine. What rules do you want to
apply to the packets etc.?
I would suggest keeping the open ports restricted, checking for all
current updates regularly (subscribe to several mailing lists etc.),
and I guess that would be more than enough. What other things does a
firewall have to offer? It's good if you want to protect e.g. a
network, but for a single server I doubt it's that interesting or
useful.
What do others think?
On 19 Mar 2003 at 16:07, Ian Garrison wrote:
> IMO iptables is a reasonably good stateful firewall and is fine in
> most cases. However, a very wise person once said that the ideal
> setup is to layer more than one implementation of packet filter and
> firewall between the wild and a host/network you wish to protect.
> Ideally implementations on diverse platforms.
>
> One example for consideration is a Cisco packet filter (ACLs) that
> may allow fragmented packets to traverse its filters, but once passed
> on to an iptables ruleset they might get discarded because iptables
> was written separately from Cisco's implementation and happens to
> catch this case and a few other cases that were missed. Make your
> network an onion if you can engineer a method to easily manage your
> rules.
>
> That said, I use only iptables to filter my home network and either
> it is doing a great job or nobody is interested in attacking my host
> (likely both). For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical.
> If I had a client that wanted to sell stuff on the web and handle
> credit card ordering of a product, as well as all their corporate
> email,
> then I would be more thoughtful of additional measures to protect the
> network. In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command). In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
>
> iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'. My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you. Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules". If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make. No matter where you
> set the bar there will still be more secure solutions. "secure
> enough" is all a state of paranoia and budget. :)
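As an added example, not from either poster, here is what "keep the open
ports restricted" looks like as a concrete single-host iptables ruleset
for the web/mail/DNS box discussed above, in iptables-restore format so
it can be versioned and reloaded atomically, together with a small check
that notices when somebody has flushed the ruleset with "one little
command". The admin network, the choice of ports and the log prefix are
assumptions for the example; adjust them to the host in question.

```shell
#!/bin/sh
# Example ruleset for a single server running HTTP/HTTPS, SMTP and DNS.
# Not from the list post; the values below are assumptions.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumption: where SSH comes from

# Emit the ruleset in iptables-restore format. Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is trusted.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot place in any connection: drop before anything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Non-initial fragments are never a valid start of a TCP/UDP service request.
# Caveat: when conntrack is loaded, IPv4 is reassembled before the filter
# table sees it, so this rule only matters on hosts without conntrack.
-A INPUT -f -j DROP
# Replies to connections this host opened, and later packets of accepted ones.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public services: new connections only, TCP must start with a SYN.
-A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
# Admin access only from the admin network, rate-limited against brute force.
-A INPUT -p tcp --dport 22 --syn -s $ADMIN_NET -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# Answer pings, but not floods. ICMP errors for tracked flows arrive as RELATED.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log a sample of everything else; the INPUT policy then drops it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}

# Read an iptables-save dump on stdin and return 0 if it still has the
# shape we installed, 1 if it looks flushed (ACCEPT policy, no state rule).
# Intended for cron:  iptables-save | check_ruleset || gen_rules | iptables-restore
check_ruleset() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$dump" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Apply only when explicitly asked, so the script is safe to source or test.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    gen_rules | iptables-restore
fi
```

Two caveats a practitioner will want: this is IPv4 only, so a host with
IPv6 enabled needs an equivalent ip6tables ruleset or it is wide open on
that side; and `gen_rules | iptables-restore --test` parses the ruleset
without committing it, which is the cheap way to catch a typo before
locking yourself out of a remote box.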