Firewall Wizards mailing list archives

Re: Linux IPFilter


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 28 Feb 2002 09:10:13 -0500 (EST)


Rod,

I've heard lots of good things from folks that moved to the 2.4.x kernels
and ipfilter/iptables.  But be wary about how you build such a device;
many times these systems are more personal desktops with a running
personal firewall with a full default OS install with all the toys and
trinkets. If you are building a serious firewall for a production
environment, make sure you know the ins and outs of locking down such a
system, and the variations of the distribution(s) you will employ.
Further, one of the many toys included in the ipfilter package was
recently found to be defective. This should not be of concern to anyone
building a real firewall though, as IRC helpers are seldom included in
such systems:

From: Harald Welte <laforge () gnumonks org>
Subject: security advisory linux 2.4.x ip_conntrack_irc
Date: Wed, 27 Feb 2002 15:02:50 +0100
To: bugtraq () securityfocus com


Important security announcement of the netfilter project, 25 Feb 2002
(http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html).

SUBJECT:  IRC connection tracking helper module
SUMMARY:  IRC connection tracking opens unwanted ports
SYSTEM:   All Linux kernel versions from 2.4.14 to 2.4.18-pre8
SOLUTION: Apply attached patch
CREDITS: Jozsef Kadlecsik <kadlec () netfilter org>,
         Harald Welte <laforge () netfilter org>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0060 to this issue.


Hope that helps.

Thanks,

Ron DuFresne


On Wed, 27 Feb 2002, rod.marten () domail maricopa edu wrote:

Has anyone seen a comparison between various commercial Firewalls
(Cisco, Checkpoint) and a linux IPfilter based firewall?  With the
exception of possible configuration errors, is the IPfilter as secure as
a commercial firewall?  Lastly, has anyone had experiences using such
firewalls in large environments?

I am looking at deploying a firewall based on RedHat Linux hardened with
Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration
interface.

thanks

rod

--
Rod Marten
Security Administrator
Maricopa Community Colleges
rod.marten () domail maricopa edu
(480) 731-8745



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

