Best firewall gateway version of Linux ?

Simon Fowler simon at himi.org
Tue Jan 15 14:41:50 EST 2002


To add a little to the previous post . . . 

On Tue, Jan 15, 2002 at 01:48:01PM +1100, Sam Couter wrote:
> I'll give you a quick tip that will probably start a holy war:
> sendmail is notorious for its security problems.
> 
The nice thing about sendmail isn't sendmail, it's the various
replacements that are available, which are vastly better in (almost)
every way . . . 

My preferred option is postfix (http://www.postfix.org): written by
the guy that wrote tcpwrappers and SATAN. It's nice and simple to
configure, secure, and fast, and it's a plugin replacement for most
sendmail setups.

The paranoid option is qmail (local mirror is at
http://qmail.planetmirror.com/top.html): written by the (in)famous
Dan Bernstein, a crypto and computer security researcher. qmail is
rather fiddly to set up, but it's fast and /extremely/ secure: the
current version has been out for several years, and hasn't seen any
bugs at all. If you're paranoid and you need to have a mail gateway
on your firewall, qmail is probably your best option . . . 

There are other sendmail replacements out there, with various
qualities and so forth - these two are the ones I've had experience
with. 

You /can/ put services on your firewall without compromising its
security seriously: just don't put unnecessary services on, and make
sure you not only pick secure implementations, but keep them up to
date. You also need to be sure you've thought about the risks: is
the added convenience worth the risks? Is this necessary, or just a
nice-sounding option? 

A final note: security isn't a state, it's a process - you can't be
secure just sitting back and letting things lie. A new exploit might
come out tomorrow, making your currently secure system an open book
to any cracker out there. You need a process to keep your systems up
to date, to detect possible break-ins, minimise any harm from them,
and recover to a known secure state afterwards . . . 

Which probably all seems like massive overkill for a home system,
and maybe it is - but you should make that assessment after thinking
about it, not by just falling into it by default.

Simon

-- 
PGP public key Id 0x144A991C, or ftp://bg77.anu.edu.au/pub/himi/himi.asc
(crappy) Homepage: http://bg77.anu.edu.au
doe #237 (see http://www.lemuria.org/DeCSS) 
My DeCSS mirror: ftp://bg77.anu.edu.au/pub/mirrors/css/ 
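One concrete way to act on the "don't put unnecessary services on" advice above is to compare what a host actually listens on against an explicit allow-list of the services the firewall is meant to expose. The script below is an added example, not code from the original post or from any of the projects it mentions; the listener sample is constructed in the style of `ss -Hltun` output so the check runs offline, and the allow-list (tcp/22, tcp/25, udp/53) is an assumed policy for a hypothetical firewall that also relays mail and answers DNS.

```shell
#!/bin/sh
# Added example: report listening sockets that are not on an explicit
# allow-list. Anything flagged is either unnecessary or undocumented,
# and either way needs a decision rather than a default.

# Constructed sample in `ss -Hltun` column order:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_LISTENERS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:110 0.0.0.0:*'

# Assumed policy: the only services this firewall should expose.
ALLOWED="tcp/22 tcp/25 udp/53"

# Read ss-style lines on stdin and print one "proto/port" per line.
# The port is the last colon-separated field, so "[::]:22" also works.
extract_listeners() {
    awk '{ n = split($5, a, ":"); print $1 "/" a[n] }'
}

# Print every listener in $1 that is not in $ALLOWED.
# Returns 0 when the host matches policy, 1 when something is unexpected.
find_unexpected() {
    unexpected=0
    for svc in $(printf '%s\n' "$1" | extract_listeners | sort -u); do
        case " $ALLOWED " in
            *" $svc "*) ;;                       # on the allow-list
            *) echo "unexpected listener: $svc"  # not on the allow-list
               unexpected=1 ;;
        esac
    done
    return $unexpected
}

# On a real host (not run here): find_unexpected "$(ss -Hltun)"
```

Run against the constructed sample, the check flags tcp/631 and tcp/110 and exits non-zero; wiring it into a nightly job turns the "keep checking" part of the process the post describes into something that actually fires. Note that a loopback-only listener such as 127.0.0.1:631 is still flagged: it is not reachable from the network, but it is still code running on the firewall that has to be patched and justified.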