[svlug] Firewalls?
John Conover
conover at rahul.net
Tue Jan 23 11:01:39 PST 2007
Skip Evans writes:
>
> So I started thinking about firewalls and was told
> that a simple Debian box running IP tables might
> be a solution, but I need to educate myself I'm
> afraid.
>
> So what I'd like to know is what are some good
> reading materials for a newbie to firewalls, and
> while studying that, what kind of configuration
> should I look into?
>
Your idea is a good one.
For a firewall/router box, I tend to prefer a live CD or live floppy,
and no HD, because there are fewer places for an I-Vandal to write root
kits, etc.
I have used both
http://www.coyotelinux.com/products.php?Product=coyote and
http://www.zelow.no/floppyfw/index.html, which is my favorite (YMMV),
(but there are a lot more; Steve Hindle prefers
http://leaf.sourceforge.net/, for example, and
http://www.freesco.org/ is liked by the Aussies;
http://www.sentryfirewall.com/ is still available, but no longer
supported, but http://www.devil-linux.org/home/index.php is, etc.)
See http://www.johncon.com/john/knoppix/ for using Coyote Linux on a
90 MHz Pentium I with 16 MB RAM, and no HD. For a starter iptables
script, http://www.johncon.com/john/knoppix/iptables.txt might work
for you, but it's pretty aggressive about not letting stuff through
from the Internet (i.e., no external ssh, etc.). Actually, the Coyote
Linux and floppyfw rules that come on the floppy images are quite
adequate with no modification.
Or, if you don't want to build your own out of a depreciated PC, you
can buy a LinkSys router for under a hundred bucks, which is pretty
much the same thing (e.g., stateful NAT, which is the important
thing).
Above all, no matter which way you go, scan your own ports with
nmap(1) (use the advanced scan types, which will require having root
privileges on a machine that is connected to the Internet, but not on
your net, or have someone on this list do it for you). If you can't
arrange that, then use https://grc.com/x/ne.dll?bh0bkyd2 to make sure
you don't have anything open that you don't want; the "Passed" sign
should show on the lower 1024 ports (at least) of your
router/firewall box.
John
BTW, the live CDs can be very helpful, too. Boot a machine on your
network to a live CD, change the IP address from dynamic to
something not in your IP address space, and scan your own network. You
should be running firewalls on all machines on your network (perhaps
a little more permissive, perhaps stateful NAT only), and verify that
all machines' firewalls hold against a perimeter penetration. Using
nmap(1), the whole thing takes about 5 minutes.
--
John Conover, conover at rahul.net, http://www.johncon.com/
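The "stateful NAT only" ruleset the post calls adequate for a home router, written out as an added example. This is not code from the original post, nor the iptables.txt script it links, nor anything shipped with Coyote Linux or floppyfw. The interface names (eth0 toward the Internet, eth1 toward the LAN), the 192.168.1.0/24 LAN range and the DRY_RUN switch are assumptions; with DRY_RUN left at 1 the script only prints the rules it would apply, so it can be reviewed on any machine before being run as root on the firewall box.

```shell
#!/bin/sh
# Added example, not from the original post or from Coyote Linux/floppyfw:
# a minimal stateful-NAT iptables ruleset for a two-interface router box.
# Interface names, the LAN range and DRY_RUN are assumptions; adjust them.
WAN="${WAN:-eth0}"                     # assumed: interface facing the Internet
LAN="${LAN:-eth1}"                     # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN range
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules, 0 = apply (root)

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

stateful_nat_rules() {
    # Clean slate, default-deny for traffic aimed at the box (INPUT) and
    # traffic routed through it (FORWARD); the box itself may talk out.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Packets from the Internet claiming a private or loopback source are
    # spoofed; drop them before any accept rule can match.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # The box may talk to itself, and LAN hosts may manage it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # The stateful core: the only Internet traffic let in is a reply to a
    # connection opened from inside. Nothing NEW from the WAN side reaches
    # the box or the LAN, which is why an outside scan shows no open ports.
    ipt -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open connections outward.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Hide the LAN behind the WAN address (the NAT half of "stateful NAT").
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# The kernel must forward packets for the FORWARD chain to see any.
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Self-check: count ACCEPT rules for packets arriving on the WAN interface
# that are not limited to established/related state. Must be 0, otherwise
# something from the Internet can open a new connection inward.
wan_accepts_without_state() {
    ( DRY_RUN=1; stateful_nat_rules ) \
        | grep -- "-i $WAN" | grep -- "-j ACCEPT" \
        | grep -vc -- "ESTABLISHED,RELATED" || true
}

enable_forwarding
stateful_nat_rules
```

Review the printed rules first, then run it again as root with DRY_RUN=0 on the firewall box, and finish the way the post recommends: scan the WAN address from a host outside your own network and confirm that nothing in the low ports answers.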