Re: simple stand-alone firewall

To: debian-user@lists.debian.org
Subject: Re: simple stand-alone firewall
From: Chris Davies <chris-usenet@roaima.co.uk>
Date: Sat, 24 Mar 2012 12:17:50 +0000
Message-id: <[🔎] ekq049x72q.ln2@news.roaima.co.uk>
Reply-to: chris@roaima.co.uk
References: <[🔎] 20120324070242.GB2483@cromwell.tmiaf>

Russell L. Harris <rlharris@broadcaster.org> wrote:
> From the standpoint of protection of a LAN (two or three machines)
> for a home or home office, how effective is a firmware-based
> firewall/router in comparison with a software-based stand-alone
> firewall/router?  Is either significantly better than the other?

Firmware based will probably be on a lower-powered device - and therefore
more energy friendly. You should be able to get one that is sufficiently
sophisticated to handle pretty much all your SoHo needs.

> I am thinking in terms of devoting an old computer (200 MHz Pentium)
> to the task of firewall/router.

Plenty sufficient.

> Is there a good firewall application in Debian which provides a secure
> default configuration?  Or must I learn how to configure a firewall?

I'm not aware of a firewall application that provides a default secure
configuration. (That could be as harsh as "nothing in, nothing out",
or a little more relaxed such as "nothing in, anything out". It depends
on your requirements.)

My preference is shorewall, but that's not GUI based and you do need
to understand firewalls "enough" to make some sensible decisions. I've
tried to use fwbuilder in the past but I couldn't get my head around
how to make the GUI do what I wanted. The shorewall website has some
pretty good worked examples for different scenarios.

A really simple "nothing in, anything out" for a end-point workstation
can be defined like this -

  # Erase the rules associated with the INPUT chain
  iptables -F INPUT

  # Allow in anything that is part of a known connection
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Put other ALLOW rules here
  # e.g. inbound to tcp port 80: iptables -A INPUT -p TCP --dport 80

  # Reject anything else coming in via eth0
  iptables -A INPUT -i eth0 -j REJECT

But it gets more complicated if you're going to route from one interface
to another - which is why a "default" ruleset isn't always one that's
going to work. For starters, you need to define which interface is
"external" and which one(s) are "internal".

Chris

Reply to:

Follow-Ups:
- Re: simple stand-alone firewall
  - From: Charles Kroeger <ckrogrr@frankensteinface.com>
- Re: simple stand-alone firewall
  - From: Celejar <celejar@gmail.com>

References:
- simple stand-alone firewall
  - From: "Russell L. Harris" <rlharris@broadcaster.org>

Prev by Date: Re: Apt-pinning confusion
Next by Date: Re: USB drive spins up every hour
Previous by thread: Re: simple stand-alone firewall
Next by thread: Re: simple stand-alone firewall
Index(es):
- Date
- Thread