
Re: Debian as My home firewall/router



On 02/27/2016 10:40 AM, Reco wrote:

On Sat, 27 Feb 2016 09:41:47 -0800
David Christensen <dpchrist@holgerdanske.com> wrote:

1.  Where can we learn about the features the OP wants, and how to
implement them in Debian?

The only way to learn all features the OP wants is to ask OP
himself (or herself, I cannot make it from the alias used).

The OP stated he is looking for firewall, network interface management, NAT, VLAN, and DNS. I believe Debian can do all of that, and more.


The details of implementation of such features should be found
elsewhere for obvious reasons. I suggest Debian's wiki as a good
starting point.

Yes, the Debian Wiki is helpful:

    https://wiki.debian.org/


2.  Where can we learn about the features that you say IPCop is missing
and/or the problems that you say IPCop has?

First, a good firewall host should not have anything that's unrelated
to its primary function (i.e. filtering, routing, *maybe* tunnels). How
exactly a GUI font library and a bunch of assorted fonts are related to
this primary function is anyone's guess.

Second, one should not re-invent the wheel on privilege escalation.
Ditching a good instrument for this (sudo) in favor of own homegrown
suid binaries is a fine example of bikeshedding, if you ask me.

Third, a lack of DNSSEC support opens all kinds of abuses for DNS
entries. Hence, if such a host is to be used as an FTP/HTTP/HTTPS gateway
(the presence of Squid in the distribution suggests such a possibility),
the clients of such a gateway can be led anywhere given at most one
malicious DNS server on the outside.

Fourth, any host that communicates to the outside world will be
compromised. It's only a matter of time. Such time can be extended by
applying security updates *and* configuring some sort of mandatory
access control (SELinux for example).

Fifth, any host that communicates to the outside world will be
compromised. It's important to know how and when it'll happen. Hence
the need of IDS.

I've posted a link to this thread on the ipcop-user mailing list. Hopefully, someone knowledgeable in IPCop will respond here.


As for the Sourceforge itself - its reputation is forever tainted after
this:

http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated

No amounts of "we're screwed up, sorry", "we're selling the site" will
fix it.

I vaguely remember that event. The crux would seem to be whether or not the software license allowed modification (including the distribution file). And, if so, whether or not the distributor (SourceForge) identified the files as modified. If the author answered "no" to the first question, then the software is not "free" (as in freedom). If the author answered "yes" and SourceForge answered "no" to the second question, then shame on SourceForge. If both the author and SourceForge answered "yes", then you accept the modification by downloading the modified file. If you want an unmodified file, then you need to get it somewhere else.


As the saying goes, Caveat Emptor.


3. What is your opinion of pfSense?

	https://pfsense.org/

I'm by no means an expert on FreeBSD (from which pfSense is derived) so
I suggest searching for a more educated evaluation elsewhere.

I ran pfSense briefly on the Internet connection for my SOHO LAN. There are differences between BSD vocabulary and Linux vocabulary, but functionality is pretty much the same. pfSense seemed more sophisticated and featureful than IPCop, but more brittle.


I suspect that pfSense lacks any meaningful mandatory access control
pre-installed (no *BSD family has it), but that's it.

According to McKusick [1], p. 34, "FreeBSD implements a framework for kernel access-control extensibility, the MAC framework".


4.  What is your opinion of Firewall Builder?

	https://sourceforge.net/projects/fwbuilder/

Don't need it personally for two reasons.

First, distributed firewall management based on iptables is not that
different from distributed management of any GNU/Linux OS. Hence
there are puppet or chef to fulfill this role.

I don't have enough machines to justify Puppet, etc. I've done iptables, etc., by hand in the past, and it was tedious. Firewall Builder meets my needs very nicely.


Second, I don't trust any Cisco solution with the notable exception of
non-managed switches, and we don't do BSD here :)

Okay.


5.  What tools/ distributions do you use and recommend for
Internet-ready firewalls?

For the distribution I suggest choosing any with:

1) Meaningful security policy, and it's important that all distribution
vulnerabilities must be made public.
This rules out all RHEL derivatives and all Ubuntu derivatives, for
example.

2) Meaningful distribution policy, which must include the way to verify
that you get exactly what is advertised on distribution website.
This rules out IPCop, for example.

Last, but not least - the primary *and* secondary (if any) firewall
administrator should be familiar with the distribution in question.
This rules out anything unless it's not Debian or RHEL for me, for
example.


For the tools my only suggestion is to stick as close to the roots as
possible.

I.e. if they give you iptables(8) - there's absolutely no need to seek
firewalld or ufw.
If they give you tc(8) - there's no need to install wondershaper.
Last, but not least - if they give you sshd(8) - all kinds of
webinterfaces and GUI tools are redundant.

Okay.


Thank you for the information.  :-)


David



References:

[1] Marshall Kirk McKusick et al., "The Design and Implementation of the FreeBSD Operating System", 2nd ed., ISBN 0321968972.
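As an added illustration of the "stick close to the roots" advice above (this is not code from the thread or from any of the projects mentioned), here is a small POSIX shell generator for an iptables-restore ruleset covering the OP's firewall, NAT and VLAN needs on a Debian router. Interface names (eth0 as WAN, eth1.10 as a VLAN 10 sub-interface on the LAN side) and the LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit a plain iptables(8) ruleset in
# iptables-restore format for a Debian home router, instead of going through
# ufw or firewalld. WAN/LAN interface names and the LAN subnet are assumed.

# gen_ruleset WAN_IF LAN_IF LAN_NET  -> prints an iptables-restore file to stdout
gen_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT: masquerade LAN clients behind the (possibly dynamic) WAN address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: loopback, reply traffic, and SSH/DNS only from the LAN side
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# Forwarding: LAN -> WAN allowed; WAN -> LAN only for replies to LAN flows
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# Offline sanity check of a generated ruleset (no kernel access needed):
# both tables must COMMIT and INPUT/FORWARD must default to DROP.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^\*nat' || return 1
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# On a real router (as root): gen_ruleset eth0 eth1.10 192.168.10.0/24 | iptables-restore
```

The VLAN sub-interface itself is created outside the firewall, e.g. with ip(8) (`ip link add link eth1 name eth1.10 type vlan id 10`), and net.ipv4.ip_forward must be enabled for the FORWARD rules to matter.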

