The debate regarding firewalls on Linux sprang out of a request as to
whether they should have a firewall if they are on-line most of the day with a
cable modem. I believe they should, and given the *current* capabilities of
various OSes they shouldn't choose Linux 2.2.x (the latest stable kernel) if
they wish to be certain of performing this operation efficiently or reliably.
Personally I'd recommend using an OpenBSD 2.7 system with ipfilter (because
it's a stable kernel release with support for the excellent bpf). Run this on
an old Pentium machine, and run a proxy such as squid on your home PC purely to
speed things along and put in some rules to prevent the kiddies from seeing
Plop in one of his hardcore donkey porn roles.
Application proxies allow for easy management of the application protocol,
whilst stateful firewalls allow for easy management of TCP/IP. Always tackle
the lower level problem first - use a stateful inspection firewall. It's
surprising how many networks don't use any form of stateful or simple packet
inspection firewalls and rely solely on proxies - hence the huge number of scans
& abuses of proxy servers by script kiddies.
And just to fuel the fire of debate further...
The SOCK_PACKET facilities provided by the *current* *stable* Linux 2.2 kernel
are meant to be highly inadequate, as one syscall per-packet is required,
which quite seriously limits the rate at which packets can be sniffed. Although
Alexey Kuznetsov (author of iproute2) claims that this isn't true, and is just
marketing by NFR. So who do you listen to?
Well one thing is certain and that is the current filtering capabilities are
changing with the *new* as yet *unstable* kernels 2.3/2.4 in the form of
netfilter & IP Tables. In theory the new TurboPacket facility is much
better than bpf, but until it's operating within a stable kernel it should not
be considered for any production firewall... Yes even a home grown one -
because you are adding risk to an area from which you are trying to remove
Dermot Hanley, Systems & Network Administrator
Irish Times New Media - http://www.ireland.com
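An added example, not part of Dermot's post or the ILUG archive: a minimal stateful ipfilter ruleset of the kind he recommends for a home box on a cable modem, as it would be written on OpenBSD 2.7. It assumes the cable modem sits on xl0, the home LAN on ne1, and that the LAN uses 192.168.1.0/24; all three are assumptions, not values from the post.

```text
# /etc/ipf.rules (ipfilter, OpenBSD 2.7) - added example, assumed interfaces xl0/ne1
# ipf is last-match unless a rule says "quick", so start by denying everything...
block in  log all
block out log all

# ...and let the loopback interface talk to itself.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private/loopback source addresses never arrive from the cable side.
block in log quick on xl0 from 10.0.0.0/8     to any
block in log quick on xl0 from 172.16.0.0/12  to any
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8    to any

# Stateful outbound: only a SYN may open a TCP state table entry; the replies
# are then matched by state, not by any inbound "pass" rule.
pass out quick on xl0 proto tcp  from any to any flags S keep state
pass out quick on xl0 proto udp  from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# The LAN side (the home PC running squid) may initiate anything outward;
# the firewall itself offers nothing to the LAN except the state it tracks.
pass in  quick on ne1 from 192.168.1.0/24 to any keep state
pass out quick on ne1 from any to 192.168.1.0/24 keep state

# Nothing else is passed inbound on xl0: unsolicited scans hit the "block in log all"
# default and show up in ipmon, which is the detection half of the setup.
```

```text
# /etc/ipnat.rules - hide the LAN behind the cable modem's single address (assumed setup)
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map xl0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then watch `ipmon -o I` for the logged blocks; the point of the `keep state` lines is that no inbound rule has to be opened for replies.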