[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: simple stand-alone firewall

Russell L. Harris <rlharris@broadcaster.org> wrote:
> From the standpoint of protection of a LAN (two or three machines)
> for a home or home office, how effective is a firmware-based
> firewall/router in comparison with a software-based stand-alone
> firewall/router?  Is either significantly better than the other?

Firmware based will probably be on a lower-powered device - and therefore
more energy friendly. You should be able to get one that is sufficiently
sophisticated to handle pretty much all your SoHo needs.

> I am thinking in terms of devoting an old computer (200 MHz Pentium)
> to the task of firewall/router.

Plenty sufficient.

> Is there a good firewall application in Debian which provides a secure
> default configuration?  Or must I learn how to configure a firewall?

I'm not aware of a firewall application that provides a default secure
configuration. (That could be as harsh as "nothing in, nothing out",
or a little more relaxed such as "nothing in, anything out". It depends
on your requirements.)

My preference is shorewall, but that's not GUI based and you do need
to understand firewalls "enough" to make some sensible decisions. I've
tried to use fwbuilder in the past but I couldn't get my head around
how to make the GUI do what I wanted. The shorewall website has some
pretty good worked examples for different scenarios.

A really simple "nothing in, anything out" for a end-point workstation
can be defined like this -

  # Erase the rules associated with the INPUT chain
  iptables -F INPUT

  # Allow in anything that is part of a known connection
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Put other ALLOW rules here
  # e.g. inbound to tcp port 80: iptables -A INPUT -p TCP --dport 80

  # Reject anything else coming in via eth0
  iptables -A INPUT -i eth0 -j REJECT

But it gets more complicated if you're going to route from one interface
to another - which is why a "default" ruleset isn't always one that's
going to work. For starters, you need to define which interface is
"external" and which one(s) are "internal".


Reply to: