Re: Good firewall ?

From: Glynn Clements (glynn@sensei.co.uk)
Date: Sat Jan 15 2000 - 12:36:05 EST


jj@spiderentertainment.com wrote:

> Can someone suggest a good free firewall solution for BSD or Linux ?

By "firewall", are you talking about a proxy server (which forwards
the data at the application layer), or a filtering router (which
forwards it at the IP layer)?

> This is what I got so far:
>
> I looked at the IP-chains, looking at the source code now. I guess what
> I am looking for is something that is very fast, since we do run some
> high volume sites.

ipchains has the advantage of being part of the stock Linux kernel,
and hence has a large user base. If you're looking for IP layer
filtering, then ipchains is a reasonable choice.

> Second issue I would like to explore the possibility (if it does exist)
> to put a special filter on the port 80 where the HEAD in HTTP is
> disallowed.

This is best done within the HTTP daemon itself; it isn't practical to
do this at the IP layer. AFAICT, this should be straightforward with
Apache.

> Third issue: I hate ping flooders, they don't do anything but use your
> bandwidth. Still I would like to protect the machine against that, so it
> is not busy trying to respond to bogus ping floods.

Filtering out ICMP echo-request packets is straightforward with
ipchains. However, there are plenty of other (and more effective) DoS
attacks apart from ping flooding.

> Fifth: A firewall that is fully configurable, meaning it would be hard
> for the folks to tell what firewall it is.

Ensure that only the bare minimum of traffic originates from the
firewall.

> Tho this will prevent 90% of DoS, and 90% of hack attempts.

Don't count on it. If you provide any kind of service to the Internet
at large, there remains the risk of it being abused. You can only do
so much within a firewall.

-- 
Glynn Clements <glynn@sensei.co.uk>
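As an added illustration of the "do it in the HTTP daemon" advice above (example configuration written for this archive, not from the thread or the Apache project), here is one way to refuse HEAD requests in Apache with mod_rewrite. It assumes Apache 2.4 syntax; the hostname and paths are placeholders. mod_rewrite is used rather than <Limit> because Apache's <Limit> cannot name HEAD on its own (restricting GET covers HEAD as well).

```apache
# Added example, not part of the original thread.
# Assumes Apache 2.4 with mod_rewrite available at the path below.
LoadModule rewrite_module modules/mod_rewrite.so

<VirtualHost *:80>
    # Placeholder values; replace with the real host and document root.
    ServerName www.example.com
    DocumentRoot /var/www/html

    RewriteEngine On

    # Match the HEAD method exactly (case-sensitive, anchored) and answer
    # 403 Forbidden without touching the filesystem. [F] implies [L].
    RewriteCond %{REQUEST_METHOD} ^HEAD$
    RewriteRule .* - [F]

    # Keep the refusals visible: 403s for HEAD show up in the access log
    # with the method, so the rule can be watched for collateral damage.
    LogFormat "%h %t \"%r\" %>s %b" head_watch
    CustomLog logs/access_log head_watch
</VirtualHost>
```

Note that HEAD is used legitimately by link checkers, monitoring probes and caches to validate content without fetching the body, so a blanket refusal trades some interoperability for the bandwidth saving; the access log above is what tells you whether that trade is hurting real clients.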




This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:30 EST