On Tue, 2003-08-12 at 08:43, Ward William E DLDN wrote:
> > -----Original Message-----
> > From: Di Fresco Marco [mailto:[EMAIL PROTECTED]
> > Now my question is: if I do not correctly and strongly configure the
> > firewall (as I said I am a newbie, even if I am reading HOWTOs), is
> > there a chance that some attacker could crack into the firewall
> > (Linux) box (because the firewall is not well configured), take
> > advantage of the local connection and crack also into the other
> > computer (the new one that I will use for daily use and it is going
> > to have WinXP)?
> <snip>
>
> If you really want to turn it into a Firewall, try using a pre-rolled
> Linux firewall distribution, such as IPCop, SmoothWall, etc. Or, if
> you can stand to make mistakes, you could try using ShoreWall on a
> Redhat distribution, or try one of the BSDs. You'll learn more from
> Shorewall or a BSD, but you're also much more likely to make a major
> mistake, if you don't really know what you're doing.
I agree almost wholeheartedly with everything you've said here. The only point I'd like to argue is that a BSD firewall is more difficult to configure than a Linux (iptables) firewall. From my experience, nothing could be further from the truth. In particular, an OpenBSD/PF firewall is light years ahead of CLI iptables in terms of syntax read- and usability.

I usually put it this way... Linux is a little ahead of the curve in terms of bleeding-edge features. You want NAT-T, VRRP, source-routing to multiple pipes or layer-7 filtering? Choose Linux. You want ease of administration, stable (relatively speaking) code and a design that more strictly adheres to the RFCs? Choose OpenBSD.

OpenBSD's PF is designed along the linguistic school... that the rules should be easily understandable to the average administrator. This is the same school that IPFilter and IPFW adhere to, not to mention IPchains. IPTables, on the other hand, is a syntactical mess. That's not to say it's not a POWERFUL syntactical mess. ;-)

* Disclaimer: Feel free to take what I've said with a grain of salt, but I'm an RHCE. If you're not going to agree with me, fine. But don't think I have any ulterior motives. It's actually in my best interests to promote Linux solutions where it suits my clients best. Firewalls just don't happen to be one of them (in most cases). Just my $0.02.

** P.S. For what it's worth, I do like the Shorewall project. The way they've broken up rules into "zones" is a nice idea. As long as you don't mind administrating at that "level", while still having to use the CLI (versus web-based), it's a great alternative. And yes, some of the web-based options are nice, too... Astaro is another good one.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
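As an added illustration of the PF readability point (this is not from the thread, and not Jason's or the Shorewall project's configuration), here is a complete default-deny pf.conf for the two-interface setup the original poster describes: one interface to the ISP, one to the single WinXP workstation. It addresses his worry directly: the firewall box itself accepts only ssh, and only from one LAN host, while the workstation is NATed behind it and can only initiate connections outward. Interface names, the LAN subnet and the admin address are assumptions, and the nat-to/match syntax is that of OpenBSD 4.7 and later, which is newer than the 2003 thread.

```pf
# Constructed example: minimal default-deny pf.conf for a two-interface
# OpenBSD firewall in front of one workstation. Interface names, the LAN
# subnet and the admin host are assumptions; adjust them to your hardware.
ext_if = "fxp0"                 # toward the ISP
int_if = "fxp1"                 # toward the WinXP box
lan_net = "192.168.1.0/24"
admin_host = "192.168.1.10"     # the only machine allowed to ssh to the firewall

set skip on lo0                 # never filter loopback
set block-policy drop           # silently discard whatever is blocked

# Drop packets arriving from the Internet with forged private source addresses,
# and anything arriving on the wrong interface for its source network.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick on $ext_if from <private> to any
antispoof quick for { $int_if, $ext_if }

# Default deny in both directions. PF is last-match-wins (unless "quick"),
# so every "pass" below is an explicit exception to this rule.
block all

# Hide the LAN behind the firewall's public address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# The workstation may initiate any outbound connection; replies return
# through the state table, so no inbound "pass" on $ext_if is needed.
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet from any to any

# Traffic aimed at the firewall itself: blocked from the LAN in general,
# then re-allowed only for ssh from the admin host (last match wins).
# Nothing is passed in on $ext_if, so the box exposes no service outward.
block in on $int_if inet from $lan_net to self
pass in on $int_if inet proto tcp from $admin_host to self port ssh
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Because the only rule reaching the firewall's own services is the single ssh line near the end, a misconfiguration elsewhere in the file tends to cut the workstation off from the Internet rather than silently expose the firewall box, which is the failure mode you want when learning.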