Firewall Wizards mailing list archives
Re: Here is my plan for firewall implementation
From: Jyri Kaljundi <jk () stallion ee>
Date: Sun, 21 Sep 1997 19:16:26 +0300 (EET DST)
On Sun, 21 Sep 1997, Marcus J. Ranum wrote:
> This is a great trick for securing web sites, too. You can screen so that only port tcp/80 can come in, and then allow udp/53 only to a firewall or some other machine with a nameserver.
This is a good and easy thing to do, so I also suggest everyone do this. There is ipfw for Linux, and there is IPfilter for Solaris/*BSD*/SunOS; both are pretty easy to set up, and besides, they give you nice logging of what is going on on the network. Sometimes this is much easier and faster to do than going through inetd.conf and the /etc/rc startup scripts; you can decide later which things to keep and which to shut down.
> Exchanging data safely is a TOUGH problem. These days I am leaning heavily towards telling people NOT to use FTP, but to use web instead. That way you can layer it under SSL if there's sensitive information going around. The only big drawback is that, at present, nobody has a decent utility for uploading files using POST.
Using the web for one-direction data transfer is a nice thing when you use SSL, and maybe even SSL client certificates and even one-time passwords are an option. Still, data upload is a little bit uncomfortable to do through HTTP file uploads (Netscape supports this; I don't know about MSIE, but for quite a long time it did not). For all the projects we have done lately we have used SSH and its scp program. It is not very intuitive to use and the command line version does not look very easy to use, but for batch uploads you can make some scripts that wrap around scp to make it easier.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
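One way to write the kind of batch wrapper around scp that the message above mentions (an added example, not code from the original post). The function name `batch_upload`, its arguments and the sample destination are assumptions; it relies on the OpenSSH scp options `-B`, `-q`, `-p` and `-o`.

```shell
#!/bin/sh
# batch_upload SRC_DIR DEST
#   Uploads every regular file in SRC_DIR to DEST (user@host:/path/) with scp.
#   Returns 0 if all uploads succeeded, 1 if any failed, 2 on a usage error.
#   Example (hypothetical host): batch_upload outgoing upload@files.example.com:/incoming/
batch_upload() {
    src_dir=$1
    dest=$2
    if [ -z "$src_dir" ] || [ -z "$dest" ] || [ ! -d "$src_dir" ]; then
        echo "usage: batch_upload SRC_DIR user@host:/path/" >&2
        return 2
    fi
    # Prefix relative paths with ./ so scp never parses a local name
    # containing ':' as a remote host specification.
    case $src_dir in
        /*) ;;
        *) src_dir=./$src_dir ;;
    esac

    sent=0
    failed=0
    for f in "$src_dir"/*; do
        # Skip directories, symlinks, devices and the unexpanded glob.
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            continue
        fi
        # -B: batch mode, never prompt for a password (key authentication only)
        # -q: no progress meter in cron logs; -p: keep modification times
        # StrictHostKeyChecking=yes: refuse unknown or changed host keys
        if scp -B -q -p -o StrictHostKeyChecking=yes "$f" "$dest"; then
            sent=$((sent + 1))
        else
            echo "upload failed: $f" >&2
            failed=$((failed + 1))
        fi
    done
    echo "sent=$sent failed=$failed"
    # Non-zero exit status lets a calling cron job or script notice failures.
    [ "$failed" -eq 0 ]
}
```

Because `-B` disables password prompts, the account used for uploads needs a key already installed on the server, and the server's host key must already be in `known_hosts`.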