On Sun, Oct 01, 2000 at 03:50:04PM +0200, mario wrote:
> [EMAIL PROTECTED] wrote:
> >
> > Has anyone found making a debian machine with firewall support useful?
>
> Yes, very much so
>
> > What are firewalls useful for? Do they simply prevent packets from passing
> > through the firewall into the rest of the network?
>
> It depends. "Firewall" can mean different things:
> It may be a packet filtering firewall which does what you think it does.
> This functionality is built into the kernel (needs a recompile,
> probably). The interface to change its behavior is ipchains (for the
> 2.2.x-kernel, 2.0.x and 2.4.x use other means), i.e. you write a shell
> script that gets executed in a runlevel, which sets your config.
> Another type of firewall is a proxying firewall. There is a package
> called SOCKS that does this (maybe others too). Proxies work on the
> application level, IIRC, and so can know things that a packet filtering
> firewall can't know. They need the ability to use the proxy compiled
> into client programs too, though.
>
> > Would a firewall
> > necessarily have to be also configured to be a router?
>
> Again, it depends. A proper firewall should be a standalone machine
> without user accounts, without network services running and with as
> little SW as possible installed (no compilers, ...). If behind the
> firewall you have a network then, yes, it can do routing, too. It can
> also do IP masquerading. Note that there are much more sophisticated
> setups with "demilitarized zones" around the firewall and all kinds of
> stuff. What to build depends on your security requirements.
>
> OTOH, you can have packet filtering enabled on a standalone workstation
> with dial-up or cable/dsl access. No routing in this case, of course.
> This way, you at least can stay out of random script-kiddie portscans
> (or your cable provider's scans).

OH? Why would my cable modem provider scan my box? What would they be
looking for? Even though I didn't ask the question, thanks for the info
Mario!

Wm

> It's also great to be able to control
> what's allowed to go /out/, e.g., when you're configuring network stuff
> and don't want your MTA to send mail to [EMAIL PROTECTED] instead of to
> [EMAIL PROTECTED] :o)
>
> Note that you should never rely on firewall security alone, but have
> your services configured properly, too (tcp wrappers, etc.). You don't
> want your machines completely open when the firewall is compromised.
>
> > Any info you guys
> > can provide would be useful. I was thinking about making one of my debian
> > machines a firewall, but don't really know what I would do with it:)
>
> I recommend the book Linux Firewalls by Robert L. Ziegler, New Riders,
> ISBN 0-7357-0900-9. He has also a webpage
> http://www.linux-firewall-tools.com/ with lots of info and a nifty tool
> where you answer questions and it will generate a firewall script for
> you. If your security requirements are modest, this is maybe all you
> need. There are other books too, like Building OpenBSD and Linux
> Firewalls (IIRC), but I don't know them.
>
> There are also some GUI firewall tools for gnome, like firestarter and
> others (see www.gnome.org), probably for KDE, too. Note, however, that
> at least firestarter is AFAIK made to work with RedHat, so it needs a
> bit of tweaking to work with the debian way of init.
>
> Very good reading is also Securing and Optimizing Linux,
> http://www.openna.com/books/book.htm Note that it's for RedHat, but it's
> easy to apply it to debian
>
> A nice exercise is to scan/attack your machine/network from the outside
> before and after the firewall is in place. If you're lazy ;o) a quick
> way to get a portscan on the well known ports done is to use Shields Up!
> at http://www.grc.com/ (disable your isp's proxy in your browser
> settings before, otherwise not you but your isp's proxy will be
> scanned!). You want it to report "stealth" for every port you don't need
> available from the outside
>
> Hope this helps (well, I'm sure)
> Greetings
> --
>
> I did not vote for the Austrian government
>
> Linux: The choice of a GNU generation. Visit http://www.gnu.org/
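As an added example, not a script from the thread or from mario, here is the kind of ipchains run-level script mario describes for a standalone dial-up/cable workstation on a 2.2.x kernel: default-deny inbound, replies to your own connections let back in, dropped packets logged, and outbound SMTP held to the ISP's relay so a misconfigured MTA cannot mail the world. The interface name and the nameserver and relay addresses are assumed placeholders (TEST-NET values), to be replaced with your own.

```shell
#!/bin/sh
# Added example: ipchains ruleset for a single workstation, no routing.
# IFACE, DNS and RELAY are assumed placeholders, not values from the thread.
IFACE="${IFACE:-ppp0}"          # your dial-up / cable interface
DNS="${DNS:-192.0.2.53}"        # your ISP's nameserver (placeholder)
RELAY="${RELAY:-192.0.2.25}"    # your ISP's SMTP relay (placeholder)

# Emit the rules as text so they can be reviewed before they are loaded.
# Lines starting with '#' are comments for the reader; sh ignores them.
build_rules() {
cat <<EOF
# start clean: flush chains, deny inbound and forwarded traffic by default
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
# local traffic is always fine; a loopback address arriving on the
# external interface is spoofed, so drop and log it
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $IFACE -s 127.0.0.0/8 -j DENY -l
# ipchains keeps no connection state: '! -y' admits TCP segments that are
# not a bare SYN, i.e. replies to connections this box opened, while new
# inbound connection attempts still fall through to the final DENY
ipchains -A input -i $IFACE -p tcp ! -y -j ACCEPT
# UDP has no SYN flag, so answers must be listed explicitly (DNS here)
ipchains -A input -i $IFACE -p udp -s $DNS 53 -j ACCEPT
# control what goes /out/: mail may only leave towards the ISP's relay,
# every other SMTP attempt is rejected and logged
ipchains -A output -i $IFACE -p tcp -d $RELAY 25 -j ACCEPT
ipchains -A output -i $IFACE -p tcp -d 0.0.0.0/0 25 -j REJECT -l
# everything else inbound: deny and log, so portscans show up in syslog
# and Shields Up! reports the ports as stealth
ipchains -A input -i $IFACE -j DENY -l
EOF
}

# 'sh fw.sh apply' (as root, from your init script) loads the rules;
# without an argument the script only prints them for inspection.
if [ "${1:-}" = apply ]; then
    build_rules | sh
else
    build_rules
fi
```

Rule order matters in ipchains: the relay ACCEPT must precede the catch-all port 25 REJECT, and the logging DENY must be last in the input chain. Compare the loaded result with `ipchains -L -n` afterwards.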