Re: firewall (fwd)
On Sun, Oct 01, 2000 at 03:50:04PM +0200, mario wrote:
> firstname.lastname@example.org wrote:
> > Has anyone found making a debian machine with firewall support useful?
> Yes, very much so
> > What are firewalls useful for? Do they simply prevent packets from passing
> > through the firewall into the rest of the network?
> It depends. "Firewall" can mean different things:
> It may be a packet filtering firewall which does what you think it does.
> This functionality is built into the kernel (needs a recompile,
> probably). The interface to change its behavior is ipchains (for the
> 2.2.x-kernel, 2.0.x and 2.4.x use other means), i.e. you write a shell
> script that gets executed in a runlevel, which sets your config.
> Another type of firewall is a proxying firewall. There is a package
> called SOCKS that does this (maybe others too). Proxies work on the
> application level, IIRC, and so can know things that apacket filtering
> firewall can't know. They need the ability to use the proxy compiled
> into client programs too, though.
> > Would a firewall
> > necessarly have to be also configured to be a router?
> Again, it depends. A proper firewall should be a standalone machine
> without user accounts, without network services running and with as
> little SW as possible installed (no compilers, ...). If behind the
> firewall you have a network then, yes, it can do routing, too. It can
> also do IP masquerading. Note that there are much more sophisticated
> setups with "demilitarized zones" around the firewall and all kinds of
> stuff. What to build depends on your security requirements.
> OTOH, you can have packet filtering enabled on a standalone workstation
> with dial-up or cable/dsl access. No routing in this case, of course.
> This way, you at least can stay out of random script-kiddie portscans
> (or your cable provider's scans). It's also great to be able to control
OH? Why would my cable modem provider scan my box? What would they be looking
Even though I didn't ask the question, thanks for the info Mario!
> what's allowed to go /out/, e.g., when you're configuring network stuff
> and don't want your MTA to send mail to email@example.com instead to
> root@localhost :o)
> Note that you should never rely on firewall security alone, but have
> your services configured properly, too (tcp wrappers, etc.). You don't
> want your machines completely open when the firewall is compromised.
> > Any info you guys
> > can provide would be useful. I was thinking about making one of my debian
> > machies a firewall, but don't really know what I would do with it:)
> I recommend the book Linux Firewalls by Robert L. Ziegler, New Riders,
> ISBN 0-7357-0900-9. He has also a webpage
> http://www.linux-firewall-tools.com/ with lots of info and a nifty tool
> where you answer questions and it will generate a firewall script for
> you. If you're security requirements are modest, this is maybe all you
> need. There are other books too, like Building OpenBSD and Linux
> Firewalls (IIRC), but I don't know them.
> There are also some GUI firewall tools for gnome, like firestarter and
> others (see www.gnome.org), probably for KDE, too. Note, however, that
> at least firestarter is AFAIK made to work with RedHat, so it needs a
> bit tweaking to work with the debian way of init.
> Very good reading is also Securing and Optimizing Linux,
> http://www.openna.com/books/book.htm Note that it's for RedHat, but it's
> easy to apply it to debian
> A nice exercise is to scan/attack your machine/network from the outside
> before and after the firewall is in place. If you're lazy ;o) a quick
> way to get a portscan on the well known ports done is to use Shields Up!
> at http://www.grc.com/ (disable your isp's proxy in your browser
> settings before, otherwise not you but your isp's proxy will be
> scanned!). You want it to report "stealth" for every port you don't need
> available from the outside
> Hope this helps (well, I'm sure)
> I did not vote for the Austrian government
> Linux: The choice of a GNU generation. Visit http://www.gnu.org/
> Unsubscribe? mail -s unsubscribe firstname.lastname@example.org < /dev/null