Firewall Wizards mailing list archives

Re: Here is my plan for firewall implementation


From: Jyri Kaljundi <jk () stallion ee>
Date: Sun, 21 Sep 1997 19:16:26 +0300 (EET DST)

On Sun, 21 Sep 1997, Marcus J. Ranum wrote:

> This is a great trick for securing web sites, too. You can
> screen so that only port tcp/80 can come in, and then allow
> udp/53 only to a firewall or some other machine with a
> nameserver.

This is a good and easy thing to do, so I also suggest that everyone do
this. There is ipfw for Linux, and there is IPfilter for
Solaris/*BSD*/SunOS, both pretty easy to set up, and besides they give you
nice logging of what is going on on the network. Sometimes this is much
easier and faster to do than going through inetd.conf and /etc/rc startup
scripts; you can decide later which things to keep and which to shut down.

> Exchanging data safely is a TOUGH problem. These days I am
> leaning heavily towards telling people NOT to use FTP, but to
> use web instead. That way you can layer it under SSL if there's
> sensitive information going around. The only big drawback is
> that, at present, nobody has a decent utility for uploading
> files using POST.

Using web for one-direction data transfer is a nice thing when you use SSL,
and maybe even SSL client certificates and one-time passwords are an
option. Still, data upload is a little bit uncomfortable to do through
HTTP file uploads (Netscape supports this, don't know about MSIE, but for
quite a long time it did not). For all the projects we have done lately we have
used SSH and its scp program; it is not very intuitive to use and the
command line version does not look very easy to use, but for batch uploads
you can make some scripts that wrap over scp to make it easier.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
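As an added illustration (not part of this thread or of any poster's configuration), here is how the screen Marcus describes could be written as an IPFilter rule file on the web server host itself: inbound only tcp/80, outbound only udp/53 to a single nameserver, everything else dropped and logged. The nameserver address 192.0.2.53 is an assumed placeholder, and management access (such as the SSH the post mentions) would need its own rule.

```conf
# Added example, not from the original post. IPFilter (ipf) rules for a
# screened web server. Address 192.0.2.53 is an assumed nameserver.

# Inbound: drop and log everything by default.
block in log all
# ... except new tcp/80 connections; "keep state" lets the replies out.
pass in quick proto tcp from any to any port = 80 flags S keep state

# Outbound: drop and log everything by default, so a compromised server
# cannot talk to arbitrary hosts.
block out log all
# ... except DNS queries to the one designated nameserver; the state
# entry lets the matching answer back in.
pass out quick proto udp from any to 192.0.2.53 port = 53 keep state
```

The "log" keyword on the two block rules is what gives the logging the post praises: every packet outside the policy shows up via ipmon, which is a cheap way to see what the host was still trying to do before deciding what to shut down in inetd.conf.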