Best firewall gateway version of Linux ?
Alex Satrapa
grail at goldweb.com.au
Tue Jan 15 15:59:03 EST 2002
On Tuesday, January 15, 2002, at 02:41, Simon Fowler wrote:
> You /can/ put services on your firewall without compromising its
> security seriously: just don't put unnecessary services on, and make
> sure you not only pick secure implementations, but keep them up to
> date. You also need to be sure you've thought about the risks: is
> the added convenience worth the risks? Is this necessary, or just a
> nice sounding option?
Just as a heads-up: I have a monitor attached to my firewall box, so
that any time ipchains logs rejects, they pop up on the monitor. It
really grabs my attention, because most of the time the monitor is
blanked, then suddenly it flares up white on black saying "OI! Someone
tried to do something silly!". But I digress.
I get about 4 warnings per minute of people trying to connect to various
services on my machine, including:
- 25 (smtp)
- 80 (http)
- 111 (sunrpc/portmapper)
- 513 (rwho)
- 49158 (haven't a clue - possibly a traceroute?)
These are connections from people who have no business trying to connect
to services on my ADSL connection. Sometimes I'm tempted to run a web
server on the firewall, just so I can log what the HTTP connections are
trying to do - perhaps infect my Linux/Apache box with Code Red or Nimda?
> Which probably all seems like massive overkill for a home system,
> and maybe it is - but you should make that assessment after thinking
> about it, not by just falling into it by default.
At the very least, a masquerading or NAT firewall with no services means
that the only ways to crack the system are:
- Breaking the networking/NAT layers of the firewall
- Trojan warez
- e-mail munitions (trojans, virus infected executables, client
exploits)
- Social engineering
So you're relatively safe from the Script Kiddies, or even strangers who
don't know how dangerous it is to connect a Windows box to the Internet.
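The "monitor that flares up on every reject" idea above is a small detection pipeline: read the kernel's packet log, keep only rejected packets, and aggregate them so the pattern (which ports, which sources, how many per minute, and which probes look like expired-TTL traceroute hops) is visible at a glance. The script below is an added example and is not code from the original post or from Alex's firewall box. The log lines are constructed for this example, and the field layout they follow (the 2.2-era ipchains "Packet log:" format: chain, target, interface, PROTO=, src:port, dst:port, then L=/S=/I=/F=/T= fields) is an assumption about that format; the partial port-name table is likewise constructed and only covers the services named in the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses, ports and timestamps are made up).
# They follow the classic ipchains "Packet log:" layout as assumed for this example.
SAMPLE_LOG = """\
Jan 15 15:40:01 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.10:4321 198.51.100.7:80 L=60 S=0x00 I=12345 F=0x4000 T=48 SYN (#3)
Jan 15 15:40:12 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.10:4322 198.51.100.7:80 L=60 S=0x00 I=12346 F=0x4000 T=48 SYN (#3)
Jan 15 15:40:35 fw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.55:1025 198.51.100.7:25 L=60 S=0x00 I=777 F=0x4000 T=112 SYN (#3)
Jan 15 15:40:40 fw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.56:1026 198.51.100.7:111 L=60 S=0x00 I=778 F=0x4000 T=112 SYN (#3)
Jan 15 15:41:02 fw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.57:513 198.51.100.7:513 L=34 S=0x00 I=18 F=0x0000 T=254 (#4)
Jan 15 15:41:20 fw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.99:33434 198.51.100.7:49158 L=52 S=0x00 I=900 F=0x0000 T=1 (#4)
Jan 15 15:41:44 fw kernel: Packet log: input ACCEPT ppp0 PROTO=6 198.51.100.2:40000 198.51.100.7:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
Jan 15 15:41:59 fw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.10:4323 198.51.100.7:80 L=60 S=0x00 I=12347 F=0x4000 T=48 SYN (#3)
"""

# Assumed ipchains line layout: syslog timestamp, host, "kernel:", then the packet fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

# Partial, constructed lookup: just the services mentioned in the post plus ssh.
WELL_KNOWN = {
    (6, 25): "smtp", (6, 80): "http", (6, 111): "sunrpc", (17, 111): "sunrpc",
    (6, 513): "login", (17, 513): "rwho", (6, 22): "ssh",
}


def parse_packet_log(line):
    """Parse one 'Packet log:' line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    ttl = re.search(r"\bT=(\d+)", rec["rest"])        # T= is the IP TTL field
    rec["ttl"] = int(ttl.group(1)) if ttl else None
    rec["syn"] = " SYN" in rec["rest"]                # TCP connection attempt
    rec["minute"] = rec["ts"][-8:-3]                  # "HH:MM" bucket from the timestamp
    return rec


def summarize_rejects(log_text, reject_targets=("DENY", "REJECT")):
    """Aggregate rejected packets per destination port, per source and per minute.

    Packets arriving with TTL <= 1 are listed separately: a probe whose TTL expires
    at this hop is what a traceroute looks like from the receiving side.
    """
    per_port, per_source, per_minute = Counter(), Counter(), Counter()
    low_ttl = []
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec is None or rec["target"] not in reject_targets:
            continue  # unparseable line, or an accepted packet we do not care about
        per_port[(rec["proto"], rec["dport"])] += 1
        per_source[rec["src"]] += 1
        per_minute[rec["minute"]] += 1
        if rec["ttl"] is not None and rec["ttl"] <= 1:
            low_ttl.append((rec["src"], rec["dport"], rec["ttl"]))
    return {"per_port": per_port, "per_source": per_source,
            "per_minute": per_minute, "low_ttl": low_ttl}


def proto_name(proto):
    return {6: "tcp", 17: "udp", 1: "icmp"}.get(proto, str(proto))


def report(summary):
    """Render the summary as the kind of text you would push to a console monitor."""
    out = ["Rejected connection attempts by destination port:"]
    for (proto, port), n in summary["per_port"].most_common():
        svc = WELL_KNOWN.get((proto, port), "unknown")
        out.append(f"  {n:3d} x {proto_name(proto)}/{port} ({svc})")
    out.append("Rejects per minute: " +
               ", ".join(f"{m}={n}" for m, n in sorted(summary["per_minute"].items())))
    for src, port, ttl in summary["low_ttl"]:
        out.append(f"  note: {src} -> port {port} arrived with TTL={ttl} (traceroute-style probe)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize_rejects(SAMPLE_LOG)))
```

Pointing `summarize_rejects` at the real kernel log instead of `SAMPLE_LOG` is the only change needed to run it against a live box; the ACCEPT line in the sample is there to show that only rejected packets are counted.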