tiredoldcoder n00b
Joined: 29 Nov 2003 Posts: 44
Posted: Thu Jul 08, 2004 4:51 am Post subject: Opinion: which firewall do you recommend?
Working on building a new firewall/gateway machine to place between the cable modem and my home network. Which firewall do you use/recommend?
Also does anyone have an opinion about using webmin to administer the firewall?
TOC

revertex l33t
Joined: 23 Apr 2003 Posts: 806
Posted: Thu Jul 08, 2004 5:45 am
iptables has a lot of examples in these forums, shorewall is really easy to set up, and I hear there is a shorewall webmin module.
Unless people that don't know linux will admin your box, I advise you to stay away from webmin, it's just a mess.
cheers.

beandog Bodhisattva
Joined: 04 May 2003 Posts: 2072 Location: /usa/utah
Posted: Thu Jul 08, 2004 6:08 am
Webmin is nice, but it's a crutch. Someone recommended to me once to skip everything and just learn iptables instead -- it's what all the firewall programs configure anyway, so you're better off going straight to the source.
For a quick easy setup/install, this is what I recommend:
- Download this firewall and install it -- http://projectfiles.com/firewall/
Get the installer file. It's a console frontend that makes it easy to set up which ports to open, and routing too. After you install it and run it the first time, it will probably not start it, but it will have rc.firewall in /etc/rc.d/. Go there and start it (rc.firewall start), then save the iptables settings (/etc/init.d/iptables save), and you're done. If it's for your home network, be sure to enable ip forwarding as the iptables ebuild instructs. Good luck -- it's really not that hard, trust me.
_________________ If it ain't broke, tweak it.

zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Thu Jul 08, 2004 6:53 am Post subject: Re: Opinion: which firewall do you recommend?
tiredoldcoder wrote:
> Which firewall do you use/recommend?

We use/recommend Linux here, but your question implies that you don't realize that Linux 2.4+ comes with a built-in firewall called Netfilter. There aren't any other viable firewall options for Linux 2.4+.
IPTables is a userland program that controls Netfilter. This is a very raw, low-level interface to Netfilter.
Netfilter helper apps like Shorewall, firestarter, or webadmin use iptables behind the scenes, and their primary purpose is to shield you from the fugly iptables interface. These helper apps are highly recommended because they properly set up things that most home-grown iptables scripts do not. Examples would be proper handling of port 113, dealing with late DNS queries, blocking netbios, etc ...
http://www.netfilter.org/

drkstorm Tux's lil' helper
Joined: 22 Apr 2004 Posts: 118
Posted: Thu Jul 08, 2004 7:35 am
For an easy to configure canned firewall script that uses iptables, I use gShield. It can be emerged, or see http://muse.linuxmafia.org/gshield/ . It works well and it is easy to configure; it's also very robust, supporting router, DMZ, and forwarding filters.
In my opinion, using straight-up iptables commands is a security risk unless you are an expert; I'm not, I don't have time.

tiredoldcoder n00b
Joined: 29 Nov 2003 Posts: 44
Posted: Fri Jul 09, 2004 3:56 am
My current firewall/NAT/MASQ is a RH 6.2 using IPCHAINS ... is iptables worse?
Also, do I need to configure my kernel specially for iptables?
I am planning on using gs-sources for my kernel ... any comments?
v/r
TOC

madchaz l33t
Joined: 01 Jul 2003 Posts: 993 Location: Quebec, Canada
Posted: Fri Jul 09, 2004 5:47 am
iptables is more powerful and stable than ipchains. It's the new standard from 2.4.
shorewall on a gentoo box had good results for me when I was still on cable. I've also used the smoothwall distribution. I know some people here don't like it, but I found it's easy to use and pretty secure.
While learning iptables "would" be the most powerful solution, doing things by hand isn't always the best. If you want to use gentoo, I'd recommend shorewall. The manual on their website is pretty straightforward and it's in portage.
_________________ Someone asked me once if I suffered from mental illness. I told him I enjoyed every second of it.
www.madchaz.com A small candle of a website. Has my lab specs on it.

stahlsau Guru
Joined: 09 Jan 2004 Posts: 584 Location: WildWestwoods
Posted: Fri Jul 09, 2004 5:52 am
hi,
I'd recommend iptables, simply because it can do everything you want it to do.
If you don't understand all those configuration files of iptables, try out "ipkungfu". It's a package of scripts/configs (~30kb) for iptables and works out of the box and can (better: should) be modified very simply. I like it because you get a nice iptables configuration which works and only have to modify it to your needs; that's much simpler than writing your own firewall.

adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Fri Jul 09, 2004 10:11 am Post subject: Re: Opinion: which firewall do you recommend?
tiredoldcoder wrote:
> Working on building a new firewall/gateway machine to place between the cable modem and my home network. Which firewall do you use/recommend?

I use ipcop, but smoothwall is good too.
Set up once, forget about it.
_________________ >>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

Anime_Fan Guru
Joined: 01 Jul 2003 Posts: 366 Location: Linköping, Sweden
Posted: Fri Jul 09, 2004 11:30 am
OpenBSD has PF...
It's quite nifty, but may be overkill for what your purposes seem to be.

474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Tue Jul 13, 2004 12:16 am
I'm going to have to second the vote of confidence there, much as I love Linux. PF is orders of magnitude greater, IMHO.

tiredoldcoder n00b
Joined: 29 Nov 2003 Posts: 44
Posted: Sat Jul 17, 2004 2:30 pm
Thanks to all! I used the install script from http://projectfiles.com/firewall/ and everything seems to be working well.
Follow-on questions:
1. I hear words like "crutch" and "mess" about webmin. I am using webmin so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 gentoo systems now, more to come). Not to mention, I don't have to memorize every Linux admin command syntax to do admin chores once in a blue moon. That is the value of a GUI to me--to abstract the gory details for people whose vigor and brain cell count are in decline!
Having set my heels firmly, I'm not so naive as to believe ANY software is perfect. So, is there something about webmin I don't know? Webmin has a nice, friendly Linux Firewall interface. Why not use it?
2. Even though I have a rule to block TCP port 10000 (webmin), it still shows up (closed) when I run nmap against my external IP. Should I be concerned?
3. Once I save the IPTABLES, do I need to run the rc.firewall script at bootup?
4. How does the firewall know when my DHCP lease expires and my external IP has changed? Do the IPTABLES saved files get automatically updated?
v/r
TOC

474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Sat Jul 17, 2004 4:56 pm
tiredoldcoder wrote:
> Webmin has a nice, friendly Linux Firewall interface. Why not use it?

The only thing that springs to mind is that it is basically one big Perl script running as root, i.e. there is no privilege separation. So any potential flaw or exploit could have greater ramifications than it really should have. One plus point is that on account of being written in Perl it should (in theory) be free of buffer overflow exploits.

Quote:
> Even though I have a rule to block TCP port 10000 (webmin), it still shows up (closed) when I run nmap against my external IP. Should I be concerned?

By "block", do you mean DROP or REJECT? In the latter case, a TCP packet with the SYN flag set (the connection attempt) would be greeted with one in response with the RST flag set (connection reset), thus alerting the would-be client that the port is providing a service. You should be concerned in so far as it makes it incredibly obvious that the host is a Unix-like system running webmin to anybody who scans the host.
I suggest you try and rectify the problem - or at least change the port number that webmin is using.
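An added example (not from the thread or from any project it names) that audits an `iptables-save` dump for the REJECT-versus-DROP issue 474 describes: it lists inbound REJECT rules on the external interface and shows the DROP form that leaves the port silent to a scan. The dump, the interface name eth0 and the port numbers are constructed.

```python
import re

WAN_IF = "eth0"  # assumed name of the cable-modem-facing interface

# Constructed sample of `iptables-save` output; nothing here was captured.
# The port 10000 REJECT is the case the thread describes.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 10000 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp --dport 113 -j REJECT
-A INPUT -i eth0 -p udp --dport 137:139 -j DROP
COMMIT
"""

# Fields of an "-A" rule line that the audit needs.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+)(?: -i (?P<iface>\S+))?(?: -p (?P<proto>\S+))?"
    r"(?:.*?--dport (?P<dport>\S+))?.* -j (?P<target>\S+)"
)

def parse_rules(dump):
    """Return one dict per -A rule: chain, iface, proto, dport, target, raw."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({**m.groupdict(), "raw": line})
    return rules

def find_reject_rules(dump, wan_if=WAN_IF):
    """Inbound REJECT rules on the WAN interface.

    REJECT answers a SYN with a TCP RST (or an ICMP error), so nmap reports
    the port as "closed"; DROP answers nothing and nmap reports "filtered".
    Some REJECTs are deliberate (ident/113 is the classic case), so a human
    still decides which of the listed rules to convert.
    """
    return [r for r in parse_rules(dump)
            if r["chain"] == "INPUT" and r["iface"] == wan_if
            and r["target"] == "REJECT"]

def silent_equivalent(rule):
    """Rewrite a REJECT rule as the DROP rule that sends no response."""
    return re.sub(r"-j REJECT(?: --reject-with \S+)?$", "-j DROP", rule["raw"])
```

Feed it the output of `iptables-save` on the gateway and convert only the REJECTs you did not choose on purpose.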

474 l33t
Joined: 19 Apr 2002 Posts: 714
Posted: Sat Jul 17, 2004 5:05 pm
Quote:
> I am planning on using gs-sources for my kernel ... any comments?

Personally, I wouldn't. Although the author of the patchset is very skilled, I would recommend against it simply on the basis that all of the gs-sources patchsets are built upon prepatch kernels. So, unless gs-sources provides you with something you simply must have then I would recommend sticking to vanilla-sources (that's 2.4.26 at present).

tom56 Guru
Joined: 27 Apr 2004 Posts: 325 Location: united kingdom
Posted: Sat Jul 17, 2004 5:30 pm
Most firewalls on linux are just frontends to iptables. I used to use shorewall but now I use firestarter. They both work just as well, but I prefer firestarter as it has a purty gui interface.

Woody Guru
Joined: 30 Nov 2002 Posts: 592 Location: Milwaukee
Posted: Sat Jul 17, 2004 5:45 pm
You could also use one of the old floppy based linux-router-project style distros. I use coyote linux on a p75 with 24 megs of ram and the only moving parts are a floppy (at boot only) and the PS fan. I currently have an uptime over 300 days.

meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Sat Jul 17, 2004 8:58 pm
Hmm, all mentioned "firewalls" here are just packet filters. Is there any open source application level firewall available? Linux or BSD - doesn't matter.
BTW: I don't mean a layer-7-module for iptables. But a real firewall parsing the protocol and dropping dangerous packets.

n7down Tux's lil' helper
Joined: 24 May 2004 Posts: 122 Location: /home/n7down
Posted: Sat Jul 17, 2004 9:56 pm
If you have an old box sitting around I would suggest smoothwall which is a firewall/router.
www.smoothwall.org

GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
Posted: Sat Jul 17, 2004 10:19 pm
smoothwall or shorewall for ease of use, BUT if you want the best there is and are willing to learn, go for iptables or pf (all previously suggested).

adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Jul 19, 2004 8:33 am
meyerm wrote:
> Hmm, all mentioned "firewalls" here are just packet filters. Is there any open source application level firewall available? Linux or BSD - doesn't matter.

Iptables is a firewall - a packet filtering firewall.

meyerm wrote:
> BTW: I don't mean a layer-7-module for iptables. But a real firewall parsing the protocol and dropping dangerous packets.

There are several higher-level protocol modules for iptables.
www.netfilter.org for all the relevant details.
_________________ >>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Mon Jul 19, 2004 2:41 pm
adaptr wrote:
> Iptables is a firewall - a packet filtering firewall

Oooook. But it's only level 5. Not level 7.

adaptr wrote:
> There are several higher-level protocol modules for iptables.

Do you have an example? (I do believe you - just can't find anything useful!) Some time ago I found some module which was able to match specific data streams using regexps. That's almost good.
There are two application areas:
First: understand the higher protocol and do sth. with it.
Second: Just recognize the protocol and do sth. with it.
The second one would be what I need at the moment. I want to recognize if a connection is an FTP connection (no matter the ports used) and then reduce the bandwidth for this. How can I do that? I played around with the module mentioned above and traffic shaper. But the latter is a real cruel piece of software... And since I know that commercial level 7 firewalls can do that, I hoped there would be some open source alternative. But when you have a) a very good howto or b) a "traffic shaping iptables module" I would be grateful if you post it.
Uff, sorry for writing such long texts without any content.

NemoTheLobster n00b
Joined: 24 Jul 2003 Posts: 11 Location: RTP, NC
Posted: Mon Jul 19, 2004 3:45 pm
For an application layer firewall, check out Zorp:
http://www.balabit.com/products/zorp/
There's a GPL version available. I just stumbled on that today.

meyerm Veteran
Joined: 27 Jun 2002 Posts: 1311 Location: Munich / Germany
Posted: Mon Jul 19, 2004 4:55 pm
Cool - looks promising. My first readthrough didn't show me if it is capable of shaping the traffic. It looks like on/off/redirect. But I will read further. Thank you!

adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Jul 20, 2004 7:56 am
meyerm wrote:
> adaptr wrote:
> > Iptables is a firewall - a packet filtering firewall
> Oooook. But it's only level5. Not level7.

I assume you mean layers.

meyerm wrote:
> adaptr wrote:
> > There are several higher-level protocol modules for iptables.
> Do you have an example? (I do believe you - just can't find anything useful!) Some time ago I found some module which was able to match specific data streams using regexps. That's almost good

Iptables has an arbitrary string matching module - which can obviously inspect the complete packet, up to and including layer 7.
Do not, however, expect to run this on 100mbits on a Pentium-100...

meyerm wrote:
> I want to recognize if a connection is a FTP-connection (no matter of the ports used) and then reduce the bandwidth for this. How can I do that? I played around with the module mentioned above and traffic shaper. But the latter is a real cruel piece of software...

Yes, while at the same time very, very capable.

meyerm wrote:
> And since I know that commercial level7 firewalls can do that, I hoped there would be some open source alternative. But when you have a) a very good howto

I do, in fact: http://lartc.org/

meyerm wrote:
> or b) a "traffic shaping iptables module" I would be grateful if you post it.

Hmm dunno - maybe you should check out the BSD solution mentioned...
_________________ >>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
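An added example, not from the thread or from the netfilter project, of the payload-based recognition that adaptr's string match makes possible, applied to meyerm's case: tag a connection as FTP from its control-channel dialogue whatever port it runs on, so that a shaper can act on it. The flows, addresses and ports below are constructed.

```python
import re

# FTP control-channel signatures (RFC 959): the server greets with a 220
# reply and the client then sends USER. Requiring both keeps a lone "220 "
# greeting (also how SMTP servers say hello) from being mistaken for FTP.
SERVER_GREETING = re.compile(rb"^220[ -]")
CLIENT_LOGIN = re.compile(rb"^USER \S+\r\n")

def classify_flow(packets):
    """packets: list of (direction, payload), direction 'c2s' or 's2c'.

    Returns 'ftp' when the first server payload is a 220 greeting and the
    first client payload is a USER command, otherwise 'unknown'. Ports are
    never consulted, which is the point of layer-7 recognition.
    """
    first = {}
    for direction, payload in packets:
        if payload and direction not in first:
            first[direction] = payload
    if (SERVER_GREETING.match(first.get("s2c", b""))
            and CLIENT_LOGIN.match(first.get("c2s", b""))):
        return "ftp"
    return "unknown"

# Constructed flows keyed by (client, server:port); nothing here was captured.
SAMPLE_FLOWS = {
    ("10.0.0.5", "203.0.113.7:2121"): [          # FTP on a non-standard port
        ("s2c", b"220 ProFTPD Server ready.\r\n"),
        ("c2s", b"USER anonymous\r\n"),
        ("s2c", b"331 Anonymous login ok\r\n"),
    ],
    ("10.0.0.5", "203.0.113.9:25"): [            # SMTP also greets with 220
        ("s2c", b"220 mail.example.org ESMTP\r\n"),
        ("c2s", b"EHLO client.example\r\n"),
    ],
    ("10.0.0.6", "203.0.113.10:21"): [           # port 21, but it is HTTP
        ("c2s", b"GET / HTTP/1.0\r\n\r\n"),
        ("s2c", b"HTTP/1.0 200 OK\r\n"),
    ],
}

def flows_to_shape(flows):
    """Return the keys of flows a shaper should treat as FTP, whatever the port."""
    return [key for key, pkts in flows.items() if classify_flow(pkts) == "ftp"]
```

The iptables string match sees one packet at a time, so a real rule set would mark the connection once the greeting matches and let the shaper act on that mark; the classifier above shows only the recognition step.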

Riftwing Apprentice
Joined: 06 Oct 2002 Posts: 293
Posted: Tue Jul 20, 2004 6:39 pm
tiredoldcoder wrote:
> 1. I hear words like "crutch" and "mess" about webmin. I am using webmin, so I don't have to leave my comfy chair and run downstairs/upstairs to admin a server/workstation (I have 3 gentoo systems now, more to come).

You know, there is a little something called ssh.
_________________ Good, bad, I'm the guy with the gun. - Ash, Army of Darkness