Firewall Wizards mailing list archives
Re: Linux IPFilter
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 28 Feb 2002 09:10:13 -0500 (EST)
Rod,

I've heard lots of good things from folks that moved to the 2.4.x kernels and ipfilter/iptables. But be wary about how you build such a device; many times these systems are more personal desktops with a running personal firewall with a full default OS install with all the toys and trinkets. If you are building a serious firewall for a production environment, make sure you know the ins and outs of locking down such a system, and the variations of the distribution<s> you will employ.

Further, one of the many toys included in the ipfilter package was recently found to be defective. This should not be of concern to anyone building a real firewall though, as IRC helpers are seldom included in such systems:

From: Harald Welte <laforge () gnumonks org>
Subject: security advisory linux 2.4.x ip_conntrack_irc
Date: Wed, 27 Feb 2002 15:02:50 +0100
To: bugtraq () securityfocus com

Important security announcement of the netfilter project, 25 Feb 2002
(http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html).

SUBJECT: IRC connection tracking helper module
SUMMARY: IRC connection tracking opens unwanted ports
SYSTEM: All Linux kernel versions from 2.4.14 to 2.4.18-pre8
SOLUTION: Apply attached patch
CREDITS: Jozsef Kadlecsik <kadlec () netfilter org>, Harald Welte <laforge () netfilter org>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0060 to this issue.

Hope that helps.

Thanks,

Ron DuFresne

On Wed, 27 Feb 2002, rod.marten () domail maricopa edu wrote:

Has anyone seen a comparison between various commercial Firewalls (Cisco, Checkpoint) and a linux IPfilter based firewall? With the exception of possible configuration errors, is the IPfilter as secure as a commercial firewall? Lastly, has anyone had experiences using such firewalls in large environments?

I am looking at deploying a firewall based on RedHat Linux hardened with Bastille, Dell hardware, IPfilter, and fwBuilder for a configuration interface.

thanks
rod

--
Rod Marten
Security Administrator
Maricopa Community Colleges
rod.marten () domail maricopa edu
(480) 731-8745

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
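
As an added example (not part of the post above or of the netfilter advisory it quotes), a shell check for the two points the message raises: whether a kernel release string falls in the quoted range of 2.4.14 to 2.4.18-pre8, and whether the `ip_conntrack_irc` helper is loaded. The function names, the `--audit` switch and the mainline pre-release ordering are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the advisory. Range quoted in the post:
# 2.4.14 through 2.4.18-pre8; helper module name: ip_conntrack_irc.

# Prints "yes" if a kernel release string falls in the quoted range.
# Assumption: mainline naming, where 2.4.18-preN precedes 2.4.18 final.
# Vendor kernels may carry backported fixes; this checks the string only.
in_advisory_range() {
    base=${1%%-*}                          # "2.4.18-pre8" -> "2.4.18"
    suffix=
    case $1 in *-*) suffix=${1#*-} ;; esac # "pre8", or empty
    case $base in
        2.4.*) patch=${base#2.4.} ;;
        *) echo no; return 0 ;;
    esac
    case $patch in ''|*[!0-9]*) echo no; return 0 ;; esac
    if [ "$patch" -eq 14 ]; then
        # 2.4.14-preN / -rcN predate the 2.4.14 release
        case $suffix in pre*|rc*) echo no ;; *) echo yes ;; esac
    elif [ "$patch" -ge 15 ] && [ "$patch" -le 17 ]; then
        echo yes
    elif [ "$patch" -eq 18 ]; then
        case $suffix in pre[1-8]|pre[1-8][!0-9]*) echo yes ;; *) echo no ;; esac
    else
        echo no
    fi
}

# Succeeds if the IRC helper appears in a /proc/modules-style listing.
# A helper compiled into the kernel image will not show up here.
irc_helper_loaded() {
    grep -q '^ip_conntrack_irc[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

audit() {
    rel=$(uname -r)
    echo "kernel $rel in advisory range: $(in_advisory_range "$rel")"
    if irc_helper_loaded; then
        echo "ip_conntrack_irc is loaded: patch per the advisory or drop the helper"
    else
        echo "ip_conntrack_irc not listed in /proc/modules"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run with `--audit` on the firewall host itself; a "no" for a distribution kernel only reflects the version string, not whether the vendor shipped the fix.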