Firewall Wizards mailing list archives

Re:Re: Linux IPFilter


From: mb_lima () uol com br
Date: Fri, 1 Mar 2002 14:30:26 -0300 (BRT)


 RPC Portmapper is already supported. I, with Rusty's help, implemented it :-). Regards,

         Marcelo Barbosa Lima.


If you mean the old IPF, then I can't help you.

If you mean IPTables, then read on...

We're using a Linux 2.4 kernel with IPTables for some of our work, and
have stuffed up to 20Mbps through it.

* Stateful inspection
* HTTP, HTTPS, FTP, DNS, NTP, SMTP, SSH, IRC
* Up to 20Mbps for a couple of days (major FTP downloads...), daily to 8Mbps
* About a dozen servers (no client access on the net, only server)
* About 800 concurrent (pending) connections


There are several good ruleset bases available on the net for IPTables
which should help you minimize your security leaks.

The main benefit I've seen to using Checkpoint over the Linux FW lies in
Checkpoint's ability to handle more complex protocols, and the maturity
of its scripting.  For every protocol which doesn't follow simple
client->server connection conventions (e.g. FTP) IPTables needs a kernel
or userspace module written to allow the FW to properly adapt to the
protocol.  The list is currently small, but is growing (currently at
least FTP, IRC, and I believe RPC portmapper).

The kernel itself handles some security measures (spoofed addresses, SYN
cookies, etc.), and the ruleset bases have rules for weeding out many
malformed packets before any regular processing is performed (i.e.
scanner packets such as XMAS).

I began by using a couple of the IPTables tools and rulesets, but wound
up rolling my own scripts, as they were easier to control and optimize
that way.

Of course, cost savings is a definite benefit of the Linux IPTables
solution vs. Checkpoint.  I can do some level of bandwidth accounting
using IPTables, but I'd have to spend extra money to get accounting
features for Checkpoint.


Lastly, I'll throw in these remarks:

There is still a lot which could be done with IPTables.  There is no way
to force-disconnect a session without using a third-party module
(patch-o-matic is your friend, I suppose).  There doesn't appear to be a
way to fine-tune session-tracking timeouts like there is in Checkpoint. 
And no-one's been able to answer me in the mailing-list whether the
connection tracking is able to track UDP "sessions".

I also highly recommend getting the latest distribution of the kernel
and IPTables available for your Linux distribution.  Some of the older
2.4 kernels were less than stable, including some of the ones shipped
with distributions.

"rod.marten () domail maricopa edu" wrote:

Has anyone seen a comparison between various commercial Firewalls
(Cisco, Checkpoint) and a linux IPfilter based firewall?  With the
exception of possible configuration errors, is the IPfilter as secure as
a commercial firewall?  Lastly, has anyone had experiences using such
firewalls in large environments?

I am looking at deploying a firewall based on RedHat Linux hardened with
Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration
interface.

-- 
Les Barstow           | e-mail: lbarstow () vr1 com
System Administrator  |
VR1, Inc.             | 
http://www.vr1.com    | Disclaimer: All your server are belong to us!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

 "Luck favors the well-prepared mind"
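The points Les raises above (stateful inspection with conntrack, a helper module for FTP, kernel-side SYN cookies and anti-spoofing, weeding out XMAS-style scanner packets before regular processing, and cheap byte accounting) fit in one small IPTables script. The following is an added example written for this archive page; it is not Les Barstow's ruleset, nor any of the rulesets he mentions. The outside interface (eth0), the server segment (192.0.2.0/24), the published port list, and the 2.4-era helper module names (ip_conntrack_ftp, ip_conntrack_irc; nf_conntrack_* on later kernels) are all assumptions. The IPT, SYSCTL and MODPROBE variables exist so the script can be dry-run against a recording stub without root.

```shell
#!/bin/sh
# Added example (not from the original posts): a minimal stateful IPTables
# ruleset for a server-only segment behind a Linux 2.4 firewall.
# ASSUMPTIONS: eth0 is the outside interface, 192.0.2.0/24 is the server
# network, helper modules use their 2.4 names. Override IPT/SYSCTL/MODPROBE
# with a stub to dry-run without touching the kernel.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
MODPROBE="${MODPROBE:-modprobe}"
WAN_IF="${WAN_IF:-eth0}"
SERVER_NET="${SERVER_NET:-192.0.2.0/24}"

ipt() { "$IPT" "$@"; }

# Kernel-side measures from the thread: SYN cookies, and reverse-path
# filtering so packets with spoofed source addresses are dropped early.
harden_kernel() {
    "$SYSCTL" -w net.ipv4.tcp_syncookies=1
    "$SYSCTL" -w net.ipv4.conf.all.rp_filter=1
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Protocols that open secondary connections (FTP data, IRC DCC) need a
# connection-tracking helper so RELATED flows can be matched below.
load_helpers() {
    "$MODPROBE" ip_conntrack_ftp
    "$MODPROBE" ip_conntrack_irc
}

build_ruleset() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # SCRUB: malformed and scanner packets die before regular processing.
    ipt -N SCRUB
    ipt -A SCRUB -p tcp --tcp-flags ALL ALL -j DROP           # XMAS scan
    ipt -A SCRUB -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    ipt -A SCRUB -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # impossible combo
    ipt -A SCRUB -p tcp ! --syn -m state --state NEW -j DROP  # NEW without SYN
    ipt -A SCRUB -i "$WAN_IF" -s "$SERVER_NET" -j DROP        # inside addrs from outside
    ipt -A INPUT -j SCRUB
    ipt -A FORWARD -j SCRUB

    # ACCT: rules that only RETURN, so their packet/byte counters give
    # per-direction totals for the server segment (iptables -vnx -L ACCT).
    ipt -N ACCT
    ipt -A ACCT -d "$SERVER_NET" -j RETURN
    ipt -A ACCT -s "$SERVER_NET" -j RETURN
    ipt -A FORWARD -j ACCT

    # Stateful core: replies and helper-tracked related connections pass.
    # UDP replies (DNS, NTP) match ESTABLISHED via conntrack's UDP entries.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only NEW inbound connections to published server ports are allowed.
    for port in 21 22 25 53 80 123 443; do
        ipt -A FORWARD -i "$WAN_IF" -d "$SERVER_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    for port in 53 123; do
        ipt -A FORWARD -i "$WAN_IF" -d "$SERVER_NET" -p udp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Servers may originate outbound connections (updates, DNS, NTP).
    ipt -A FORWARD -s "$SERVER_NET" ! -i "$WAN_IF" -m state --state NEW -j ACCEPT

    # Anything left is logged (rate-limited) and dropped by chain policy.
    ipt -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
}

main() { harden_kernel; load_helpers; build_ruleset; }

# Only apply when explicitly asked, so the functions can be sourced and dry-run.
if [ "${1:-}" = apply ]; then main; fi
```

Run it as `sh fw.sh apply` on the firewall itself. For a dry run, point IPT, SYSCTL and MODPROBE at a shell function or script that records its arguments and inspect the recorded rule order: the SCRUB jump must precede the state-match ACCEPT, otherwise scanner packets that happen to match an existing conntrack entry slip past the scrub.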
