Firewall Wizards mailing list archives
Re: Linux IPFilter
From: Les Barstow <lbarstow () vr1 com>
Date: Thu, 28 Feb 2002 07:53:09 -0700
If you mean the old IPF, then I can't help you. If you mean IPTables, then read on...

We're using a Linux 2.4 kernel with IPTables for some of our work, and have stuffed up to 20Mbps through it.

* Stateful inspection
* HTTP, HTTPS, FTP, DNS, NTP, SMTP, SSH, IRC
* Up to 20Mbps for a couple of days (major FTP downloads...), daily to 8Mbps
* About a dozen servers (no client access on the net, only server)
* About 800 concurrent (pending) connections

There are several good ruleset bases available on the net for IPTables which should help you minimize your security leaks.

The main benefit I've seen to using Checkpoint over the Linux FW lies in Checkpoint's ability to handle more complex protocols, and the maturity of its scripting. For every protocol which doesn't follow simple client->server connection conventions (e.g. FTP) IPTables needs a kernel or userspace module written to allow the FW to properly adapt to the protocol. The list is currently small, but is growing (currently at least FTP, IRC, and I believe RPC portmapper).

The kernel itself handles some security measures (spoofed addresses, SYN cookies, etc.), and the ruleset bases have rules for weeding out many malformed packets before any regular processing is performed (i.e. scanner packets such as XMAS).

I began by using a couple of the IPTables tools and rulesets, but wound up rolling my own scripts, as they were easier to control and optimize that way.

Of course, cost savings is a definite benefit of the Linux IPTables solution vs. Checkpoint. I can do some level of bandwidth accounting using IPTables, but I'd have to spend extra money to get accounting features for Checkpoint.

Lastly, I'll throw in these remarks: There is still a lot which could be done with IPTables. There is no way to force-disconnect a session without using a third-party module (patch-o-matic is your friend, I suppose). There doesn't appear to be a way to fine-tune session-tracking timeouts like there is in Checkpoint. And no-one's been able to answer me in the mailing-list whether the connection tracking is able to track UDP "sessions".

I also highly recommend getting the latest distribution of the kernel and IPTables available for your Linux distribution. Some of the older 2.4 kernels were less than stable, including some of the ones shipped with distributions.

"rod.marten () domail maricopa edu" wrote:
Has anyone seen a comparison between various commercial Firewalls (Cisco, Checkpoint) and a Linux IPfilter based firewall? With the exception of possible configuration errors, is the IPfilter as secure as a commercial firewall? Lastly, has anyone had experiences using such firewalls in large environments? I am looking at deploying a firewall based on RedHat Linux hardened with Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration interface.
--
Les Barstow | e-mail: lbarstow () vr1 com
System Administrator | VR1, Inc. | http://www.vr1.com
Disclaimer: All your server are belong to us!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
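The post above describes the ingredients of its ruleset in prose only: stateful inspection with a default-deny policy, a protocol helper module for FTP, kernel-side SYN cookies and anti-spoofing, and sanity rules that drop malformed (XMAS-style) packets before regular processing. The script below is an added example written for this archive page, not Les Barstow's own script and not taken from any of the ruleset bases he mentions. It targets the 2.4-era `-m state` match and the `ip_conntrack_ftp` helper the post's kernel generation used; the external interface name, the published port list, the chain name `SANITY` and the `DRY_RUN` switch are assumptions. By default it only prints the commands it would run, so it can be inspected without root; set `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not from the list post: a minimal server-only iptables
# ruleset in the spirit of the setup described above (2.4-era syntax).
# Assumptions: external interface eth0, the port list below, chain name
# SANITY, and the 2.4 helper module name ip_conntrack_ftp.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth0}            # assumed external interface

# run_rule: print the command in dry-run mode, otherwise execute it
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel-side measures the post mentions: SYN cookies against SYN floods and
# reverse-path filtering against spoofed source addresses; plus the FTP
# connection-tracking helper so data channels are accepted as RELATED.
kernel_hardening() {
    run_rule sysctl -w net.ipv4.tcp_syncookies=1
    run_rule sysctl -w net.ipv4.conf.all.rp_filter=1
    run_rule modprobe ip_conntrack_ftp   # assumed 2.4 module name
}

# Sanity chain: drop malformed TCP flag combinations (XMAS, NULL, SYN+FIN,
# SYN+RST) and NEW connections that do not start with a SYN, before any
# regular processing happens.
drop_malformed() {
    run_rule iptables -N SANITY
    run_rule iptables -A SANITY -p tcp --tcp-flags ALL ALL -j DROP
    run_rule iptables -A SANITY -p tcp --tcp-flags ALL NONE -j DROP
    run_rule iptables -A SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    run_rule iptables -A SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    run_rule iptables -A SANITY -p tcp ! --syn -m state --state NEW -j DROP
    run_rule iptables -A INPUT -i "$WAN_IF" -j SANITY
}

# Stateful policy: default DROP, accept replies to tracked flows, drop
# packets conntrack cannot classify, then open only the published services.
stateful_policy() {
    run_rule iptables -P INPUT DROP
    run_rule iptables -P FORWARD DROP
    run_rule iptables -A INPUT -i lo -j ACCEPT
    run_rule iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_rule iptables -A INPUT -m state --state INVALID -j DROP
    # TCP services from the post's list: HTTP, HTTPS, FTP control, SMTP, SSH
    for port in 80 443 21 25 22; do
        run_rule iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # UDP services (DNS, NTP); conntrack keeps a timed pseudo-session for UDP
    # so the ESTABLISHED rule above lets the replies out
    for port in 53 123; do
        run_rule iptables -A INPUT -i "$WAN_IF" -p udp --dport "$port" -j ACCEPT
    done
}

build_ruleset() {
    kernel_hardening
    drop_malformed
    stateful_policy
}

# count_rules PATTERN: number of generated command lines matching PATTERN,
# always computed from a dry run (handy for checking the ruleset offline)
count_rules() {
    ( DRY_RUN=1; build_ruleset ) | grep -c -- "$1"
}

build_ruleset
```

Running it as-is lists every `sysctl`, `modprobe` and `iptables` call in order, which is the review artifact you want before touching a production box; `count_rules 'state NEW'` and similar checks let a wrapper script confirm the generated policy has the expected shape. Note that the ordering matters: the `SANITY` jump and the `ESTABLISHED,RELATED` accept sit before the per-port rules, so malformed packets are discarded and tracked flows are matched without re-evaluating the service list.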