Here is my odd question for the day:
We are looking at a firewall solution for a customer. We can provide a Nokia
Checkpoint box, but the client is (obviously) concerned about the cost. We
could also provide our own server and use the respective BSD or Linux
Now I can already hear the screams of "BSD" from most of this list.
Certainly this seems to be what BSD was made for. :)
However, the client will be running a number of other linux application
servers (SuSe). My concern is that they will balk at running yet another
As for ipchains vs iptables, my preference is for iptables as I find them
easier to configure and more powerful, and it seems that a lot of the early
bad behaviour has been fixed.
My problem is that I have never had to manage a firewall in anger. So I am
hoping the more experienced members of this list will be able to provide
suitable examples about which approach is best.
Assume the customer has 30 clients with 2 servers in the DMZ and an ADSL
connection with 1 public static IP address. (Not the case, but close enough
not to matter.)
I would configure the firewall to use stateful connections - i.e. any
connection from behind the firewall can go out, but no incoming connections
can be established except to known ports. (www, secure www, smtp, secure
My understanding is that a bad firewall configuration (and not installing
patches) is much more likely to lead to a compromise than the choice of
technology. Please feel free to correct this perception.
And finally: there may be some work in this for a professional security
expert. We would supply and install the firewall, but would be interested in
having an unrelated third party review the installation including basic
penetration testing. Please mail me off list with a description of rates and
services if interested.
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!