
Re: Firewall for use with cable modem?



Manegold <manegold@uni-trier.de> writes:
> ktb wrote:
> > 
> > On Wed, Dec 20, 2000 at 12:02:14AM +0000, Phillip Deackes wrote:
> > > I have spent much of the day getting more and more confused about
> > > firewalls and Linux. I am having a cable modem installed soon and want my
> > > system to be secure. I have only the one computer, and am running Woody.
> > >
> > > Is there a free (or low-cost) firewall which will work on Debian? I don't
> > > feel confident enough to be messing with ipchains and such. I had a look
> > > at Storm Firewall, but this is expensive at 99USD and seems way over the
> > > top for what I would need on a single workstation.
> > >
> > > I downloaded gfcc, but don't understand what to do with it. I have read
> > > the Firewall HOWTO but I really don't grasp much of it. I am embarrassed to
> > > admit that I really want an out-of-box solution - something I can install
> > > and perhaps tweak a little as I get more confident. I don't do anything
> > > out of the ordinary on the Internet, just the usual mail, news and web. I
> > > occasionally use RealAudio and ftp, but not a lot else.
> > >
> > >
> >         Install something like "pmfirewall" or "seawall."  I've used
> >         pmfirewall before and it is simple to set up.  Basically what
> >         these two scripts do is write ipchains rules for you based on
> >         some of the questions you answer.  I don't have any URLs handy
> >         but they should be easy to find.  After installing your chains
> >         take a look at them and learn from them.  One other thing you
> >         might think about is getting a cheap or free 486 and make it
> >         your firewall.
> >         hth,
> >         kent
> 
> I used pmfirewall too, but the problem with it is that it only blocks
> certain things it knows about. The default stand is allow (!). In my
> opinion that is not so good. It should be deny unless the port is
> explicitly opened up. I think that this would be possible via a script
> setup too and much better. I don't know "seawall". Maybe that does it
> better.
> However, if you don't want to learn at least something about ipchains
> and some basics about what a firewall can do, then maybe it is ok. But
> then you will not know how much security you got.

I think you may be mistaken on this point. The policy PMFirewall
defaults to is ACCEPT but, at least on my installation, the last rule,
in my input chain, is:

target     prot opt     source                destination        ports
 .
 .
 .
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a

I'm no ipchains expert, but I believe that this rule implies that if
none of the previous rules caused the packet to be accepted it'll be
denied here.

Now personally in addition to leaving the rule above as the last one
in my input chain I set the policy to DENY, just as a precaution,
but, I *think*, it's redundant given the rule above.

And of course the nice thing about a script approach like PMFirewall
is that it's easy to modify as you learn more about ipchains.

Gary
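Whether a chain is effectively default-deny depends on two things the message above touches on: the chain policy, and whether a catch-all DENY rule really is the last thing a packet can fall through to. The script below is an added example (not from anyone in this thread, and not part of PMFirewall) that parses the `ipchains -L -n` listing layout quoted above and reports the effective default per chain. The listings are constructed for the example, and the "Chain NAME (policy X):" header format is assumed from how ipchains prints its chains.

```python
import re

# Constructed `ipchains -L -n` style listing, in the column layout quoted in
# the message above. The rule set is made up for this example.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  127.0.0.0/8          0.0.0.0/0             n/a
ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   22
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
"""

# Constructed listing where a catch-all ACCEPT sits *before* the catch-all
# DENY: the DENY rule is then never reached, so the chain is default-allow.
MISORDERED_LISTING = """\
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):")


def parse_chains(listing):
    """Return {chain_name: {"policy": str, "rules": [rule dicts]}}."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("target") or not line.strip():
            continue
        fields = line.split()  # target prot opt source destination [ports...]
        current["rules"].append({
            "target": fields[0],
            "prot": fields[1],
            "opt": fields[2],
            "source": fields[3],
            "destination": fields[4],
        })
    return chains


def is_catch_all(rule):
    """True when the rule matches every packet: any protocol, any src/dst,
    and no option that narrows the match. The 'l' flag only logs, so it is
    ignored; any other option letter (e.g. SYN-only) is treated as narrowing.
    A leading '!' on an address is a negation, so it is not a catch-all."""
    opts = set(rule["opt"].replace("-", ""))
    return (rule["prot"] == "all"
            and rule["source"] == "0.0.0.0/0"
            and rule["destination"] == "0.0.0.0/0"
            and opts <= {"l"})


def effective_default(chain):
    """Fate of a packet that no specific rule accepts. ipchains walks rules in
    order and falls through to the policy only if nothing matches, so the
    effective default is the first catch-all rule's target, else the policy."""
    for rule in chain["rules"]:
        if is_catch_all(rule):
            return rule["target"]
    return chain["policy"]


def audit(listing):
    """Map chain name -> (effective default target, is_default_deny)."""
    result = {}
    for name, chain in parse_chains(listing).items():
        eff = effective_default(chain)
        result[name] = (eff, eff in ("DENY", "REJECT"))
    return result


if __name__ == "__main__":
    for title, listing in (("sample", SAMPLE_LISTING), ("misordered", MISORDERED_LISTING)):
        print(title)
        for name, (eff, deny) in audit(listing).items():
            print("  %-8s effective default %-7s default-deny=%s" % (name, eff, deny))
```

Run against real output with `ipchains -L -n | python3 thisfile.py`-style piping after swapping the constructed strings for `sys.stdin.read()`. The point the audit makes concrete: a policy of ACCEPT with a trailing catch-all DENY and a policy of DENY give the same answer for the input chain, but only the policy protects chains (forward, output here) that have no such rule, and only the policy survives a catch-all ACCEPT being inserted ahead of the DENY.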


