Hi.

On Sat, 27 Feb 2016 09:41:47 -0800 David Christensen <dpchr...@holgerdanske.com> wrote:
> On 02/27/2016 06:22 AM, heqamilus wrote:
> > I know that is possible to build a firewall using Debian. I'm
> > searching for some tutorials, I need to know the system's utility to
> > configure Debian installation in this way. For example, manage
> > network interfaces, NAT, vlan and optionally DNS
> >
> > I'm able to do basic firewalling and install and use server
> > application.
>
> On 02/27/2016 08:49 AM, Reco wrote:
> > Please. "Out-of-the-box" IPCop (version 2.1.8 I just grabbed from
> > the Sourceforge) does have:
> >
> > 1) No meaningful DNSSEC capability.
> >
> > 2) Presence of libfontconfig.so *and* fonts for no good reason.
> >
> > 3) Bunch of questionable quality root-owner SUID binaries in
> > /usr/local/bin, intended to be called from Web-interface.
> >
> > 4) Lack of any pre-installed IDS.
> >
> > 5) Outdated kernel 3.4, configured *without* SELinux, Apparmor or
> > tomoyo support.
> >
> >
> > Oh, did I mention that *primary* download mirror for this
> > distribution is the Sourceforge?
> >
> > IPCop can be an interesting solution for a host on an internal
> > network, which nobody intends to poke, but suggesting putting *this*
> > to serve as a firewall from an Internet is a joke.
>
> You seem to know a fair amount about firewalls. Would you care to
> address the following questions?
>
> 1. Where can we learn about the features the OP wants, and how to
> implement them in Debian?

The only way to learn all features the OP wants is to ask OP himself (or herself, I cannot make it from the alias used). The details of implementation of such features should be found elsewhere for obvious reasons. I suggest Debian's wiki as a good starting point.

> 2. Where can we learn about the features that you say IPCop is missing
> and/or the problems that you say IPCop has?

First, a good firewall host should not have anything that's unrelated to its primary function (i.e. filtering, routing, *maybe* tunnels). How exactly a GUI font library and a bunch of assorted fonts are related to this primary function is anyone's guess.

Second, one should not re-invent the wheel on privilege escalation. Ditching a good instrument for this (sudo) in favor of own homegrown suid binaries is a fine example of bikeshedding, if you ask me.

Third, a lack of DNSSEC support opens all kind of abuses for DNS entries. Hence, if such host is to be used as FTP/HTTP/HTTPS gateway (the presence of Squid in the distribution suggests such possibility), the clients of such gateway can be led anywhere given at most one malicious DNS server on the outside.

Fourth, any host that communicates to the outside world will be compromised. It's only a matter of time. Such time can be extended by applying security updates *and* configuring some sort of mandatory access control (SELinux for example).

Fifth, any host that communicates to the outside world will be compromised. It's important to know how and when it'll happen. Hence the need of IDS.

As for the Sourceforge itself - its reputation is forever tainted after this:
http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated

No amounts of "we're screwed up, sorry", "we're selling the site" will fix it.

> 3. What is your opinion of pfSense?
>
> https://pfsense.org/

I'm by no means an expert on FreeBSD (from which pfSense is derived) so I suggest to search more educated evaluation elsewhere. I suspect that pfSense lacks any meaningful mandatory access control pre-installed (no *BSD family has it), but that's it.

> 4. What is your opinion of Firewall Builder?
>
> https://sourceforge.net/projects/fwbuilder/

Don't need it personally for two reasons. First, distributed firewall management based on iptables is not that different from distributed management of any GNU/Linux OS. Hence there are puppet or chef to fulfill this role. Second, I don't trust any Cisco solution with the notable exception of non-managed switches, and we don't do BSD here :)

> 5. What tools/ distributions do you use and recommend for
> Internet-ready firewalls?

For the distribution I suggest to choose any with:

1) Meaningful security policy, and it's important that all distribution vulnerabilities must be made public. This rules out all RHEL derivatives and all Ubuntu derivatives, for example.

2) Meaningful distribution policy, which must include the way to verify that you get exactly what is advertised on distribution website. This rules out IPCop, for example.

Last, but not least - the primary *and* secondary (if any) firewall administrator should be familiar with the distribution in question. This rules out anything unless it's not Debian or RHEL for me, for example.

For the tools my only suggestion is to stick close to the roots as possible. I.e. if they give you iptables(8) - there's absolutely no need to seek firewalld or ufw. If they give you tc(8) - there's no need to install wondershaper. Last, but not least - if they give you sshd(8) - all kinds of webinterfaces and GUI tools are redundant.

Reco
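The "stick to iptables(8)" route from the reply above, as an added example that is not from this thread: a script that emits an iptables-restore ruleset for a two-interface Debian NAT firewall (default-drop INPUT and FORWARD, masquerading for the LAN, sshd(8) reachable only from the LAN side, logged drops for an IDS to pick up). The interface names eth0/eth1 and the LAN prefix 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore
# ruleset for a two-interface Debian NAT firewall using iptables(8) directly.
# WAN/LAN interface names and the LAN prefix are assumptions; override via env.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print the ruleset so it can be reviewed before it is loaded. Forwarding also
# needs net.ipv4.ip_forward=1 in /etc/sysctl.conf.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic leaving through the WAN interface
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management over sshd(8) from the LAN side only; no web GUI on the box
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
# Forward LAN -> WAN; WAN -> LAN only for replies to existing connections
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# "--apply" loads the ruleset atomically (needs root); anything else just prints
# it, e.g. to save as /etc/iptables/rules.v4 for the iptables-persistent package.
if [ "$1" = "--apply" ]; then
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Review the printed output before running with `--apply`; the LOG rules feed the kernel log, which is where an IDS or log watcher can see what the box is dropping.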