LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] ipfw vs ipchains vs iptables

[ILUG] ipfw vs ipchains vs iptables

Matthew French mfrench42 at yahoo.co.uk
Mon Jul 29 15:50:56 IST 2002 

Here is my odd question for the day:

We are looking at a firewall solution for a customer. We can provide a Nokia
Checkpoint box, but the client is (obviously) concerned about the cost. We
could also provide our own server and use the respective BSD or Linux
firewalling functionality.

Now I can already hear the screams of "BSD" from most of this list.
Certainly this seems to be what BSD was made for. :)

However, the client will be running a number of other linux application
servers (SuSe). My concern is that they will balk at running yet another
operating system.

As for ipchains vs iptables, my preference is for iptables as I find them
easier to configure and more powerful, and it seems that a lot of the early
bad behaviour has been fixed.

My problem is that I have never had to manage a firewall in anger. So I am
hoping the more experienced members of this list will be able to provide
suitable examples about which approach is best.

Assume the customer has 30 clients with 2 servers in the DMZ and an ADSL
connection with 1 public static IP address. (Not the case, but close enough
not to matter.)

I would configure the firewall to use stateful connections - i.e. any
connection from behind the firewall can go out, but no incoming connections
can be established except to known ports. (www, secure www, smtp, secure
imap, ftp)

My understanding is that a bad firewall configuration (and not installing
patches) is much more likely to lead to a compromise than the choice of
technology. Please feel free to correct this perception.

And finally: there may be some work in this for a professional security
expert. We would supply and install the firewall, but would be interested in
having an unrelated third party review the installation including basic
penetration testing. Please mail me off list with a description of rates and
services if interested.

Thanks again.

- Matthew


__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell