
Re: is iptables enough?



   Imo iptables is a reasonably good stateful firewall and is fine in most
cases.  However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between
the wild and a host/network you wish to protect.  Ideally implementations
on diverse platforms.

   One example for consideration is a cisco packet filter (acls) that may
allow fragmented packets to traverse its filters, but once passed on to
an iptables ruleset might get discarded because iptables was written
separately from cisco's implementation and happens to catch this case and
a few other cases that were missed.  Make your network an onion if you can
engineer a method to easily manage your rules.

   That said, I use only iptables to filter my home network and either it
is doing a great job or nobody is interested in attacking my host (likely
both).  For me, it does the job as nothing is revenue generating for
myself or others -- it's important, but not critical.  If I had a client
that wanted to sell stuff on the web and handle ccard ordering of a
product, as well as all their corporate email, then I would be more
thoughtful of additional measures to protect the network.  In my work
environment every so often developers or others turn off our iptables
rulesets without telling us, as it is easy (one little command).  In such
cases the cisco packet filter will offer some protection and disabling
such filters is more work than our developers care to struggle against.

   Iptables/ipf and any other stateful firewall that attempts to be a
modern contender in the firewalling ring is likely 'good enough'.  My
point is that while I like iptables, it and every other filter out there
will fall subject to some method of circumvention/exploitation at some
point, and that how much effort you put into hardening your network is up
to you.  Your question almost seems to be "is iptables developed enough to
compete with commercial solutions", to which I would say "yes, if the
person deploying the rules is experienced enough to write a solid set of
rules".  If I was you, I would be satisfied with iptables and the hardware
you have selected -- but I am not you, and this decision is not mine to
make.  No matter where you set the bar there will still be more secure
solutions.  "secure enough" is all a state of paranoia and budget.  :)

-ian

On Wed, 19 Mar 2003, Jones wrote:

> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution.  This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd.  Everything else would be turned off.  It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software?  That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
>
> On a less related note, what hardware config would you recommend for
> such a system?  She has a number of machines that I could choose
> from.  Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.
>
> thanks
> jmb
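To make the advice above concrete, here is an added example (not from either poster) of a default-deny, stateful iptables INPUT ruleset for exactly the host Jones describes: only apache (80), exim (25), qpopper (110) and sshd (22) reachable, everything else dropped, with the fragment case from Ian's cisco example handled explicitly. The `apply_rules` function name and the `--apply` flag are this example's own conventions; with no argument it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example: minimal stateful iptables ruleset for a Debian box running
# only apache, exim/qpopper and sshd. Not part of the original thread.
# apply_rules takes the command used to issue each rule: "iptables" applies
# them, "echo" previews them (handy for review before a change window).

apply_rules() {
  ipt="${1:-iptables}"

  # Clean slate on INPUT, then deny by default. OUTPUT stays open: the box
  # is a server, not a bastion, and ESTABLISHED replies leave unhindered.
  $ipt -F INPUT
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT

  # Loopback is trusted (apache, exim and local mail delivery talk over it).
  $ipt -A INPUT -i lo -j ACCEPT

  # Fragment case from the thread: drop second-and-later fragments. The
  # conntrack module normally reassembles before filtering, so this is a
  # belt-and-braces rule that only matters if conntrack is not loaded.
  $ipt -A INPUT -f -j DROP

  # Stateful core: anything tied to a connection we already accepted passes;
  # packets that match no known connection state are dropped.
  $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $ipt -A INPUT -m state --state INVALID -j DROP

  # New connections only to the four services that are actually running:
  # 22 sshd, 25 exim (SMTP), 80 apache (HTTP), 110 qpopper (POP3).
  for port in 22 25 80 110; do
    $ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # Everything else falls through to the INPUT policy and is dropped.
}

case "${1:-preview}" in
  --apply) apply_rules iptables ;;
  *)       apply_rules echo ;;
esac
```

Run it with no arguments to review the rule list; `--apply` as root installs it (persist it with your usual mechanism, since the rules do not survive a reboot on their own).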
