Best firewall gateway version of Linux ?

Alex Satrapa grail at goldweb.com.au
Tue Jan 15 15:59:03 EST 2002


On Tuesday, January 15, 2002, at 02:41 , Simon Fowler wrote:

> You /can/ put services on your firewall without compromising its
> security seriously: just don't put unnecessary services on, and make
> sure you not only pick secure implementations, but keep them up to
> date. You also need to be sure you've thought about the risks: is
> the added convenience worth the risks? Is this necessary, or just a
> nice sounding option?

Just as a heads-up:  I have a monitor attached to my firewall box, so 
that any time ipchains logs rejects, they pop up on the monitor.  It 
really grabs my attention, because most of the time the monitor is 
blanked, then suddenly it flares up white on black saying "OI! Someone 
tried to do something silly!".  But I digress.

I get about 4 warnings per minute of people trying to connect to various 
services on my machine, including:
  - 25 (smtp)
  - 80 (http)
  - 111 (sunrpc/portmapper)
  - 513 (rwho)
  - 49158 (haven't a clue - possibly a traceroute?)

These are connections from people who have no business trying to connect 
to services on my ADSL connection.  Sometimes I'm tempted to run a web 
server on the firewall, just so I can log what the HTTP connections are 
trying to do - perhaps infect my Linux/Apache box with Code Red or Nimda?

> Which probably all seems like massive overkill for a home system,
> and maybe it is - but you should make that assessment after thinking
> about it, not by just falling into it by default.

At the very least, a masquerading or NAT firewall with no services means 
that the only ways to crack the system are:
  - Breaking the networking/NAT layers of the firewall
  - Trojan warez
  - e-mail munitions (trojans, virus-infected executables, client 
exploits)
  - Social engineering

So you're relatively safe from the Script Kiddies, or even strangers who 
don't know how dangerous it is to connect a Windows box to the Internet.
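As an added example (not part of Alex's message or the list archive), here is a small Python script that does in code what the monitor on his firewall does by eye: it parses ipchains "Packet log:" lines out of syslog, tallies rejected connection attempts by protocol and destination port, names the well-known services (smtp, http, sunrpc, rwho), and works out the reject rate per minute. The log lines embedded below are constructed for the example, and the field layout they follow is the kernel 2.2 ipchains format as I recall it, so treat that regex as an assumption to check against your own logs before relying on it.

```python
"""Tally ipchains-style firewall rejects by destination port.

The sample syslog lines below are constructed for this example and the
field layout (chain, target, iface, PROTO=, src:port, dst:port, ..., T=ttl)
is the ipchains "Packet log:" format as remembered, i.e. an assumption.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from the original message). Addresses are
# from the documentation ranges; the firewall's outside address is 198.51.100.2.
SAMPLE_LOG = """\
Jan 15 15:40:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3412 198.51.100.2:25 L=48 S=0x00 I=41231 F=0x4000 T=112 SYN (#7)
Jan 15 15:40:17 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.44:1092 198.51.100.2:80 L=48 S=0x00 I=9981 F=0x4000 T=115 SYN (#7)
Jan 15 15:40:29 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.19:2233 198.51.100.2:111 L=60 S=0x00 I=5511 F=0x4000 T=51 SYN (#7)
Jan 15 15:40:45 gw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.19:513 198.51.100.2:513 L=100 S=0x00 I=5512 F=0x0000 T=51 (#9)
Jan 15 15:41:03 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.90:33434 198.51.100.2:49158 L=60 S=0x00 I=774 F=0x0000 T=1 (#9)
Jan 15 15:41:22 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.18.5.5:4021 198.51.100.2:80 L=48 S=0x00 I=8112 F=0x4000 T=118 SYN (#7)
Jan 15 15:41:40 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:3413 198.51.100.2:25 L=48 S=0x00 I=41232 F=0x4000 T=112 SYN (#7)
Jan 15 15:41:58 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.18.5.5:4022 198.51.100.2:80 L=48 S=0x00 I=8113 F=0x4000 T=118 SYN (#7)
"""

# One syslog line carrying an ipchains packet log entry (assumed layout).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?T=(?P<ttl>\d+)"
)

# (IP protocol number, destination port) -> service name, for the ports
# that matter here plus a few common ones. Anything else reports "unknown".
SERVICE_NAMES = {
    (6, 22): "ssh", (6, 23): "telnet", (6, 25): "smtp", (6, 80): "http",
    (6, 111): "sunrpc", (17, 111): "sunrpc", (6, 139): "netbios-ssn",
    (17, 137): "netbios-ns", (6, 513): "login", (17, 513): "who (rwho)",
}


def parse_ipchains_log(text):
    """Return one dict per recognised reject line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Syslog timestamps carry no year; only differences are used below.
        d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
        for key in ("proto", "sport", "dport", "ttl"):
            d[key] = int(d[key])
        events.append(d)
    return events


def service_name(proto, port):
    return SERVICE_NAMES.get((proto, port), "unknown")


def tally_by_port(events):
    """Count rejects per (protocol, destination port)."""
    return Counter((e["proto"], e["dport"]) for e in events)


def rejects_per_minute(events):
    """Average reject rate over the span of the parsed lines."""
    if len(events) < 2:
        return float(len(events))
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds() / 60.0
    return len(events) / span if span > 0 else float(len(events))


def report(events):
    """Human-readable summary of the kind the author watches on his monitor."""
    lines = ["%.1f rejects/minute" % rejects_per_minute(events)]
    for (proto, port), n in tally_by_port(events).most_common():
        proto_name = {6: "tcp", 17: "udp"}.get(proto, str(proto))
        lines.append("  %5d/%s (%s): %d" % (port, proto_name, service_name(proto, port), n))
    top_src = Counter(e["src"] for e in events).most_common(3)
    lines.append("top sources: " + ", ".join("%s x%d" % s for s in top_src))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_ipchains_log(SAMPLE_LOG)))
```

To run it against a live box, feed it the kernel facility from syslog (on a 2.2-era system typically /var/log/messages) instead of SAMPLE_LOG; the per-port tally is what tells you whether a burst is a worm looking for port 80 or someone walking the portmapper, and the TTL field is a quick hint for separating traceroute probes (very low TTL, high UDP ports) from real connection attempts.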
