Re: firewall
OK, I see that this might be flamebait ...
On Tuesday 03 July 2012 23:19:06 lina wrote:
> Hi,
>
> I don't know which firewall (http://wiki.debian.org/Firewalls) I should
> choose.
>
> Thanks ahead for recommendation, and it will be very nice if you tell
> me why you recommend this one.
>
> Best regards,
It seems that you want a firewall on the computer which you are working with.
As regards closing unnecessary ports or limiting them to localhost, Joe
gave good advice already.
Some may call me a security paranoid and a control freak but ...
I'm afraid that learning about IPtables is necessary before one is able to
appreciate what the higher layer of administration s/w does to it.
A firewall frontend may deceive you into thinking that you have full control
over the firewall while it does things that the frontend developer THINKS you
want - but do you?
e.g. For some years I was using Webmin to maintain my servers until it did
atrocious things to my Samba configuration. Now I'm a lot more wary and double
check against the config files. Backups and etckeeper (using git) help to
avoid catastrophes.
I personally do not think much of firewalls which reside on the same machine
which I want to protect. I'd choose an older PC to play with and install
OpenBSD on it. Then set up a firewall - you might even have a look at a
bridging firewall if you want to make it invisible to the network. As long as
you have keyboard and screen access to the machine you won't need a third
network port for maintenance. Although it comes in handy for upgrades.
http://www.openbsd.org/faq/faq6.html#Bridge
http://bio3d.colorado.edu/tor/sadocs/tcpip/bridge.html#what%20is%20a%20bridging%20firewall
See also: "Firewalling with OpenBSD’s PF packet filter" by Peter N. M. Hansteen
To get started with OpenBSD: "Secure Architectures With OpenBSD" by Palmer and Nazario
The OpenBSD documentation is excellent and very helpful. Later when everything
is working as planned and if I'm tight on office space I'd get one of those
Soekris boxes or similar and install my firewall there. Then you can tuck it
safely under your desk.
I once tried out a GUI to handle my OpenBSD firewall but gave it up and I do
prefer editing the pf.conf file with vim.
I installed Denyhosts on the firewall as well. There is no OpenBSD port for it
but setup is easy with the Denyhosts documentation.
It is quite funny to see all the attempts to break into your box on port 22.
Changing SSH to another port quiets this immediately.
Kind regards
Eike
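
The kind of log check a tool such as Denyhosts automates for the port 22 attempts mentioned above, as an added example that is not part of the original message and not Denyhosts' own code. The log lines, host names, threshold and allowlist are constructed assumptions; the output uses TCP wrappers (hosts.deny) syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog format (documentation address ranges).
SAMPLE_LOG = """\
Jul  3 23:01:10 fw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul  3 23:01:12 fw sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jul  3 23:01:15 fw sshd[2104]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jul  3 23:02:40 fw sshd[2110]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jul  3 23:03:02 fw sshd[2113]: Accepted publickey for eike from 192.0.2.10 port 50100 ssh2
Jul  3 23:05:00 fw sshd[2125]: Failed password for eike from 192.0.2.10 port 50111 ssh2
Jul  3 23:06:00 fw sshd[2130]: Failed password for invalid user x from 192.0.2.10 port 1 from 198.51.100.7 port 40030 ssh2
"""

# The user name is text chosen by the remote side, so the greedy ".*" plus the
# "$" anchor take the address from the end of the line, never from the name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)


def count_failures(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # drop anything that is not an address
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def deny_entries(log_text, threshold=3, allowlist=()):
    """Return hosts.deny lines for sources at or above the threshold."""
    counts = count_failures(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG, allowlist={"192.0.2.10"})))
```

The allowlist keeps your own administration address from being blocked after a few mistyped passwords.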