Firewall Wizards mailing list archives

RE: proxy-packet filter


From: "Matt Bruce" <matt.bruce () alphawest com au>
Date: Thu, 24 Feb 2000 13:22:45 +0800

Well, technically, having both _still_ won't make it a firewall, but that's
a bit of a religious argument. :)

I'll use the common example of Squid and ipfwadm/ipchains. They're both free
and come with just about every Linux distribution CD you can find.

Squid uses Access Control Lists (ACLs) to control who can do what, based
upon IP address/subnet, but it is generally intended for limiting HTTP[S]
traffic for outbound browsing. At least, that's all I've ever seen it used
for.

ipchains (formerly ipfwadm) uses rules to control which
IPs/subnets/ports/interfaces can send/receive packets. Things like the
traditional firewall Anti-Spoof Rule, rules covering whether specific
TCP/UDP/ICMP traffic can come in or go out, and the Default Rule can all be
set up with ipchains and administered via console/telnet/ssh. If you have a
24x7 connection to the Internet, you can append the ipchains script to your
network script; but if you have a periodic dialup connection, you can add
the script to your PPP dialup script.

As they're free and are designed to do specific tasks, I can't really see
why you wouldn't implement both. Couple this with sendmail relaying and you
have a great low-cost "packet filtering Internet gateway" (commonly known as
a "Linux firewall"). Just remember that you get what you pay for, so "great"
is a relative term.

While I do these sorts of things for my employer, I completely rebuilt and
customised a RedHat 6.1 Linux box with Squid and ipchains last night for my
home LAN in just under 3 hours. Who says low-end Pentiums were obsolete? :)

HTH,

Matt Bruce     <matt.bruce () alphawest com au>
Security & Internet Engineer
AlphaWest - http://www.alphawest.com.au/
"Illegitimus non carborundum est." :)


-----Original Message-----
From: Prasanna.H.S [mailto:prassi () bgl vsnl net in]
Sent: Wednesday, 23 February 2000 1:10 am

I am currently designing a firewall in Linux. Is it necessary
for me to have both a proxy as well as a packet filter? Can my proxy
do the job of packet filtering as well?
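The ipchains layout the reply sketches (anti-spoof rule, explicit per-service TCP/UDP rules, deny-by-default policy, with Squid handling the HTTP side) as a worked script. This is an added example, not code from the original post or from either poster; the interface names (ppp0, eth0), the LAN range 192.168.1.0/24 and the Squid port 3128 are assumed values. ipchains itself was superseded by iptables and later nftables, but the structure of the rule set is the same.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the ipchains
# rule set for a Linux gateway that also runs Squid, in the layout the reply
# describes: anti-spoof rule, per-service TCP/UDP rules, and a deny-by-default
# policy. All addresses, interfaces and ports below are assumed values.
EXT_IF="${EXT_IF:-ppp0}"            # assumed: dialup/Internet-facing interface
INT_IF="${INT_IF:-eth0}"            # assumed: LAN-facing interface
LAN="${LAN:-192.168.1.0/24}"        # assumed: home LAN
PROXY_PORT="${PROXY_PORT:-3128}"    # Squid's default listening port

# build_rules prints one ipchains command per line rather than running it,
# so the rule set can be reviewed (and tested) without root or ipchains.
build_rules() {
    # Flush old rules and deny everything that no later rule accepts.
    echo "ipchains -F"
    echo "ipchains -P input DENY"
    echo "ipchains -P output DENY"
    echo "ipchains -P forward DENY"

    # Anti-spoof rule: a packet with a LAN source address can never
    # legitimately arrive on the Internet interface; drop and log it.
    echo "ipchains -A input -i $EXT_IF -s $LAN -j DENY -l"

    # Loopback traffic is unrestricted.
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A output -i lo -j ACCEPT"

    # LAN clients reach Squid on the gateway; Squid's replies go back.
    echo "ipchains -A input -i $INT_IF -p tcp -s $LAN -d 0/0 $PROXY_PORT -j ACCEPT"
    echo "ipchains -A output -i $INT_IF -p tcp -s 0/0 $PROXY_PORT -d $LAN -j ACCEPT"

    # Administration over ssh from the LAN only.
    echo "ipchains -A input -i $INT_IF -p tcp -s $LAN -d 0/0 22 -j ACCEPT"
    echo "ipchains -A output -i $INT_IF -p tcp -s 0/0 22 -d $LAN -j ACCEPT"

    # The gateway (i.e. Squid) opens outbound HTTP/HTTPS and DNS. Inbound TCP
    # from those ports is accepted only when it is not a new connection
    # attempt ("! -y" excludes SYN-only packets), so nothing is initiated
    # from outside.
    for port in 80 443; do
        echo "ipchains -A output -i $EXT_IF -p tcp -d 0/0 $port -j ACCEPT"
        echo "ipchains -A input -i $EXT_IF -p tcp ! -y -s 0/0 $port -j ACCEPT"
    done
    echo "ipchains -A output -i $EXT_IF -p udp -d 0/0 53 -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -j ACCEPT"

    # No forward rules are added: with the forward policy at DENY, LAN hosts
    # cannot reach the Internet directly and must go through Squid's ACLs.
}

# Count the generated rules; a quick sanity check after editing the list.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# apply_rules runs the generated commands (needs root and the ipchains tool).
apply_rules() {
    build_rules | sh
}

# Run directly: print the rule set. Run with "apply" as the argument: load it.
case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

On a 24x7 link the script is called from the network start-up script, as the reply suggests; on a dialup link it is called with `apply` from the PPP ip-up hook so the rules are reloaded each time the interface comes up. Keeping the forward policy at DENY is what makes the two tools complement each other: the packet filter guarantees that LAN hosts cannot go around the proxy, and Squid's ACLs decide who may browse what.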
