
Re: is iptables enough?



What I find astonishing: Let's say you are running a webserver, maybe 
a mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest keeping the open ports restricted, checking for all 
current updates regularly (subscribe to several mailing lists etc.) 
and I guess that would be far enough. What other things does a 
firewall have to offer? It's good if you want to protect e.g. a 
network, but for a single server I doubt it's that interesting or 
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

>    Imo iptables is a reasonably good stateful firewall and is fine in most
> cases.  However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
>    One example for consideration is a cisco packet filter (acls) that may
> allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
>    That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical.
> If I had a client that wanted to sell stuff on the web and handle
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
>    Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)
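As an added example (not from either poster), this is the kind of minimal default-deny, stateful ruleset the question above is asking about for a single host offering web, mail and DNS, emitted in the text format that `iptables-restore` reads, plus a small check that the ruleset is still loaded, which is the "one little command" problem Ian describes. The management subnet `ADMIN_NET` from which SSH is accepted is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread.  gen_rules prints a default-deny
# stateful iptables ruleset for a host running web, mail and DNS, in the
# format consumed by `iptables-restore`.  ADMIN_NET is an assumed
# placeholder (TEST-NET-1) for the subnet allowed to reach SSH.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host already tracks
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only services this host offers: web, mail, DNS
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# administration only from the management network (assumed placeholder)
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
# keep the box pingable; everything else falls through to the DROP policy
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# Reads the output of `iptables -S INPUT` on stdin and returns 0 only if
# the default policy is still DROP and the LOG rule is present, so a cron
# job can alert when someone flushes or disables the ruleset.
check_loaded() {
    policy_ok=0; log_ok=0
    while read -r line; do
        case "$line" in
            "-P INPUT DROP") policy_ok=1 ;;
            *"-j LOG"*)      log_ok=1 ;;
        esac
    done
    [ "$policy_ok" -eq 1 ] && [ "$log_ok" -eq 1 ]
}

# Typical use (as root):
#   gen_rules | iptables-restore
#   iptables -S INPUT | check_loaded || echo "firewall ruleset is not loaded"
```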
