[svlug] Firewalls?

Skip Evans skip at bigskypenguin.com
Tue Jan 23 11:30:58 PST 2007

Can you remove the hard drive completely from the 
box? Or is that unnecessary? Just leave it in 
there and run from the CD.

John Conover wrote:
> Skip Evans writes:
>>So I started thinking about firewalls and was told 
>>that a simple Debian box running IP tables might 
>>be a solution, but I need to educate myself I'm 
>>So what I'd like to know is what are some good 
>>reading materials for a newbie to firewalls, and 
>>while studying that, what kind of configuration 
>>should I look into?
> Your idea is a good one.
> For a firewall/router box, I tend to prefer a live CD or live floppy,
> and no HD, because there are fewer places for an I-Vandal to write root
> kits, etc.
> I have used both
> http://www.coyotelinux.com/products.php?Product=coyote and
> http://www.zelow.no/floppyfw/index.html, which is my favorite-YMMD,
> (but there are a lot more, Steve Hindle prefers
> http://leaf.sourceforge.net/, for example, and,
> http://www.freesco.org/ is liked by the Aussies,
> http://www.sentryfirewall.com/ is still available-but no longer
> supported, but http://www.devil-linux.org/home/index.php is, etc.)
> See http://www.johncon.com/john/knoppix/ for using Coyote Linux on a
> 90 MHz Pentium I with 16 MB RAM, and no HD. For a starter iptables
> script, http://www.johncon.com/john/knoppix/iptables.txt might work
> for you, but it's pretty aggressive about not letting stuff through
> from the Internet, (i.e., no external ssh, etc.) Actually, the Coyote
> Linux and floppyfw rules that come on the floppy images are quite
> adequate with no modification.
> Or, if you don't want to build your own out of a depreciated PC, you
> can buy a LinkSys router for under a hundred bucks, which is pretty
> much the same thing, (e.g., stateful NAT, which is the important
> thing.)
> Above all, no matter which way you go, scan your own ports with
> nmap(1) (use the advanced scan types, which will require having root
> privileges on a machine that is connected to the Internet, but not on
> your net, or have someone on this list do it for you.) If you can't
> arrange that, then use https://grc.com/x/ne.dll?bh0bkyd2 to make sure
> you don't have anything open that you don't want; the "Passed" sign
> should show on the lower 1024 ports, (at least,) of your
> router/firewall box.
>          John
> BTW, the live CDs can be very helpful, too. Boot a machine on your
> network to a live CD, and change the IP address from dynamic to
> something not in your IP address space, and scan your own network. You
> should be running firewalls on all machines on your network, (perhaps
> a little more permissive, perhaps stateful NAT only,) and verify that
> all machines' firewalls hold against a perimeter penetration. Using
> nmap(1), the whole thing takes about 5 minutes.

Skip Evans
Big Sky Penguin, LLC
61 W Broadway
Butte, Montana 59701
Check out PHPenguin, a lightweight and
versatile PHP/MySQL development framework.
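A minimal stateful-NAT ruleset of the kind John describes (LAN masqueraded out, replies allowed back, nothing unsolicited accepted from the Internet, ssh only from the LAN side), written here as an added example in iptables-restore form; it is not his iptables.txt nor the rules shipped with any of the distributions named above, and the interface names and LAN subnet are assumptions to adjust for your box.

```shell
#!/bin/sh
# Emit an IPv4 iptables-restore ruleset for a two-interface firewall/router.
# Usage: gen_rules WAN_IF LAN_IF LAN_NET   e.g. gen_rules eth0 eth1 192.168.1.0/24
# (interface names and subnet are assumed examples; IPv6 needs its own ip6tables set)
gen_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN interface (the "stateful NAT")
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the box or the LAN started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management (ssh) only from the LAN side; nothing matches it on the WAN
-A INPUT -i $lan -s $net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may open new connections outward; the WAN may not open any inward
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
# Keep a rate-limited log of what the Internet side throws at the box
-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Apply with:  gen_rules eth0 eth1 192.168.1.0/24 | iptables-restore
# Then verify from outside the LAN, as the thread recommends, with a
# SYN scan of the low ports on the WAN address (needs root on the scanner):
#   nmap -sS -p 1-1024 <WAN address>
```

Forwarding must also be switched on (`sysctl -w net.ipv4.ip_forward=1`) for the LAN to get out; the ruleset alone does not do that.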
