
Re: Debian as My home firewall/router



	Hi.

On Sat, 27 Feb 2016 09:41:47 -0800
David Christensen <dpchrist@holgerdanske.com> wrote:

> On 02/27/2016 06:22 AM, heqamilus wrote:
> > I know that it is possible to build a firewall using Debian. I'm
> > searching for some tutorials, I need to know the system's utility to
> > configure Debian installation in this way. For example, manage
> > network interfaces, NAT, vlan and optionally DNS
> >
> > I'm able to do basic firewalling and install and use server
> > applications.
> 
> 
> On 02/27/2016 08:49 AM, Reco wrote:
> > Please. "Out-of-the-box" IPCop (version 2.1.8 I just grabbed from
> > the Sourceforge) does have:
> >
> > 1) No meaningful DNSSEC capability.
> >
> > 2) Presence of libfontconfig.so *and* fonts for no good reason.
> >
> > 3) Bunch of questionable quality root-owner SUID binaries in
> > /usr/local/bin, intended to be called from Web-interface.
> >
> > 4) Lack of any pre-installed IDS.
> >
> > 5) Outdated kernel 3.4, configured *without* SELinux, Apparmor or
> > tomoyo support.
> >
> >
> > Oh, did I mention that *primary* download mirror for this
> > distribution is the Sourceforge?
> >
> > IPCop can be an interesting solution for a host on an internal
> > network, which nobody intends to poke, but suggesting putting *this*
> > to serve as a firewall from an Internet is a joke.
> 
> You seem to know a fair amount about firewalls.  Would you care to 
> address the following questions?
> 
> 1.  Where can we learn about the features the OP wants, and how to 
> implement them in Debian?

The only way to learn all features the OP wants is to ask OP
himself (or herself, I cannot tell from the alias used).
The details of implementation of such features should be found
elsewhere for obvious reasons. I suggest Debian's wiki as a good
starting point.


> 2.  Where can we learn about the features that you say IPCop is missing 
> and/or the problems that you say IPCop has?

First, a good firewall host should not have anything that's unrelated
to its primary function (i.e. filtering, routing, *maybe* tunnels). How
exactly a GUI font library and a bunch of assorted fonts are related to
this primary function is anyone's guess.

Second, one should not re-invent the wheel on privilege escalation.
Ditching a good instrument for this (sudo) in favor of own homegrown
suid binaries is a fine example of bikeshedding, if you ask me.

Third, a lack of DNSSEC support opens all kind of abuses for DNS
entries. Hence, if such host is to be used as FTP/HTTP/HTTPS gateway
(the presence of Squid in the distribution suggests such possibility),
the clients of such gateway can be led anywhere given at most one
malicious DNS server on the outside.

Fourth, any host that communicates to the outside world will be
compromised. It's only a matter of time. Such time can be extended by
applying security updates *and* configuring some sort of mandatory
access control (SELinux for example).

Fifth, any host that communicates to the outside world will be
compromised. It's important to know how and when it'll happen. Hence
the need for an IDS.


As for the Sourceforge itself - its reputation is forever tainted after
this:

http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated

No amount of "we screwed up, sorry", "we're selling the site" will
fix it.


> 3. What is your opinion of pfSense?
> 
> 	https://pfsense.org/

I'm by no means an expert on FreeBSD (from which pfSense is derived) so
I suggest searching for a more educated evaluation elsewhere.

I suspect that pfSense lacks any meaningful mandatory access control
pre-installed (no *BSD family has it), but that's it.


> 4.  What is your opinion of Firewall Builder?
> 
> 	https://sourceforge.net/projects/fwbuilder/

Don't need it personally for two reasons.

First, distributed firewall management based on iptables is not that
different from distributed management of any GNU/Linux OS. Hence
there are puppet or chef to fulfill this role.

Second, I don't trust any Cisco solution with the notable exception of
non-managed switches, and we don't do BSD here :)


> 5.  What tools/ distributions do you use and recommend for 
> Internet-ready firewalls?

For the distribution I suggest choosing any with:

1) Meaningful security policy, and it's important that all distribution
vulnerabilities be made public.
This rules out all RHEL derivatives and all Ubuntu derivatives, for
example.

2) Meaningful distribution policy, which must include the way to verify
that you get exactly what is advertised on distribution website.
This rules out IPCop, for example.

Last, but not least - the primary *and* secondary (if any) firewall
administrator should be familiar with the distribution in question.
This rules out anything that isn't Debian or RHEL for me, for
example.


For the tools my only suggestion is to stick as close to the roots as
possible.

I.e. if they give you iptables(8) - there's absolutely no need to seek
firewalld or ufw.
If they give you tc(8) - there's no need to install wondershaper.
Last, but not least - if they give you sshd(8) - all kinds of
webinterfaces and GUI tools are redundant.

Reco
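The minimal iptables(8) setup the thread keeps coming back to (NAT on the WAN side, stateful filtering, sshd and DNS reachable only from the LAN), as an added example that is not Reco's or the list's own code. The interface names eth0 (WAN) and eth1 (LAN) are assumed placeholders, and the function only generates an iptables-restore ruleset so it can be reviewed before loading.

```shell
# Added example (not from the thread): generate an iptables-restore ruleset for a
# two-interface Debian router: WAN side does NAT, LAN is trusted, default DROP.
# Interface names passed in (eth0 = WAN, eth1 = LAN) are assumed placeholders.
# Load with: gen_rules eth0 eth1 > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
# (the iptables-persistent package reloads /etc/iptables/rules.v4 at boot).
# Forwarding also needs: sysctl -w net.ipv4.ip_forward=1

gen_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic leaving via the WAN interface
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and established/related flows first; drop invalid state early
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: RFC1918 source addresses must not arrive on the WAN side
-A INPUT -i $wan -s 10.0.0.0/8 -j DROP
-A INPUT -i $wan -s 172.16.0.0/12 -j DROP
-A INPUT -i $wan -s 192.168.0.0/16 -j DROP
# Management (sshd) and DNS only from the LAN; log whatever else reaches INPUT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# Forwarding: LAN -> WAN allowed, WAN -> LAN only for replies to existing flows
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}
```

The LOG rules give the "know how and when" visibility the post asks for without a separate IDS; review the generated file before loading it, since a typo in a default-DROP ruleset can lock you out of sshd.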

