[svlug] Firewalls?

Michael Long 2e764 at mikesoffice.org
Tue Jan 23 11:07:36 PST 2007


John Conover wrote:
> Skip Evans writes:
>> So I started thinking about firewalls and was told 
>> that a simple Debian box running IP tables might 
>> be a solution, but I need to educate myself I'm 
>> afraid.
>>
>> So what I'd like to know is what are some good 
>> reading materials for a newbie to firewalls, and 
>> while studying that, what kind of configuration 
>> should I look into?
>>
> 
> Your idea is a good one.
> 
> For a firewall/router box, I tend to prefer a live CD or live floppy,
> and no HD, because there are fewer places for an I-Vandal to write root
> kits, etc.

If you aren't looking for NAT, I personally like the layer-2 firewalls. I 
was running a BSD layer-2 firewall for years until the HDs gave out. I 
would connect to it via a console cable. The thing was great and nobody 
could break into it :)

Mike


> 
> I have used both
> http://www.coyotelinux.com/products.php?Product=coyote and
> http://www.zelow.no/floppyfw/index.html, which is my favorite-YMMD,
> (but there are a lot more, Steve Hindle prefers
> http://leaf.sourceforge.net/, for example, and,
> http://www.freesco.org/ is liked by the Aussies,
> http://www.sentryfirewall.com/ is still available-but no longer
> supported, but http://www.devil-linux.org/home/index.php is, etc.)
> 
> See http://www.johncon.com/john/knoppix/ for using Coyote Linux on a
> 90 MHz Pentium I with 16 MB RAM, and no HD. For a starter iptables
> script, http://www.johncon.com/john/knoppix/iptables.txt might work
> for you, but it's pretty aggressive about not letting stuff through
> from the Internet, (i.e., no external ssh, etc.) Actually, the Coyote
> Linux and floppyfw rules that come on the floppy images are quite
> adequate with no modification.
> 
> Or, if you don't want to build your own out of a depreciated PC, you
> can buy a LinkSys router for under a hundred bucks, which is pretty
> much the same thing, (e.g., stateful NAT, which is the important
> thing.)
> 
> Above all, no matter which way you go, scan your own ports with
> nmap(1) (use the advanced scan types, which will require having root
> privileges on a machine that is connected to the Internet, but not on
> your net-or have someone on this list do it for you.) If you can't
> arrange that, then use https://grc.com/x/ne.dll?bh0bkyd2 to make sure
> you don't have anything open that you don't want-the "Passed" sign
> should show on the lower 1024 ports, (at least,) of your
> router/firewall box.
> 
>          John
> 
> BTW, the live CDs can be very helpful, too. Boot a machine on your
> network to a live CD, and change the IP address from dynamic to
> something not in your IP address space, and scan your own network. You
> should be running firewalls on all machines on your network, (perhaps
> a little more permissive-perhaps stateful NAT only,) and verify that
> all machines' firewalls hold against a perimeter penetration. Using
> nmap(1), the whole thing takes about 5 minutes.
> 
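
The "starter iptables script" and "stateful NAT, which is the important thing" that John refers to above boil down to a short default-deny rule set. The script below is an added example written for this archive page; it is not John's script, not the rules shipped on the Coyote Linux or floppyfw images, and not part of the original thread. The interface names (eth0 facing the Internet, eth1 facing the LAN) and the 192.168.1.0/24 LAN range are assumptions and can be overridden through the environment. Run with no arguments it only prints the commands it would run, so the rule set can be reviewed before it touches anything; `apply` executes them and needs root.

```shell
#!/bin/sh
# Added example, not from the svlug thread: a minimal stateful, default-deny
# iptables/NAT rule set for a two-interface Debian firewall box.
# Assumptions (override via environment): WAN_IF, LAN_IF, LAN_NET.

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the internal network
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: private range behind the box

# emit_rules prints one command per line, in the order they must run.
emit_rules() {
    # start from a clean slate
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"
    # default deny for everything that reaches or crosses the box
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # loopback is always allowed
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # the stateful core: replies to connections the box or the LAN opened
    # come back in; unsolicited new connections from outside hit the DROP policy
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # a packet on the WAN side claiming a LAN source address is spoofed
    echo "iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP"
    # the LAN may talk to the box itself (e.g. ssh from inside) and out to the Internet
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # NAT: rewrite LAN sources to the WAN address on the way out
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    # routing between the two interfaces stays off until the rules are in place
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# count_inbound_accepts returns how many INPUT rules accept traffic arriving
# on the WAN interface. A box that exposes nothing (John's "no external ssh")
# should report 0; re-run this after every edit to the rule set.
count_inbound_accepts() {
    emit_rules | grep -c -- "-A INPUT -i $WAN_IF .*-j ACCEPT" || true
}

case "${1:-dry-run}" in
    apply)   emit_rules | sh -e ;;
    dry-run) emit_rules ;;
    *)       echo "usage: $0 [dry-run|apply]" >&2; exit 2 ;;
esac
```

Order matters here: the ESTABLISHED,RELATED rules come before the interface-specific ones so that return traffic is matched cheaply, and the anti-spoofing DROPs come before the LAN ACCEPTs so that a forged LAN source on the WAN side never reaches them. After applying, the external nmap scan John describes is the right way to confirm that the only thing visible from the Internet is the DROP policy.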