[ale] stateful firewall?

Denny Chambers bugfixer at bellsouth.net
Wed Oct 17 23:14:20 EDT 2001


Here is an article by ZDNet titled "Netfilter and iptables: Stateful
firewalling for Linux"; maybe this will answer some of your questions.

http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2817396,00.html

Denny Chambers
Linux Java Engineer

         __
        / /    __  _  _  _  _ __  __
       / /__  / / / \// //_// \ \/ /
      /____/ /_/ /_/\/ /___/  /_/\_\
      ...for IQs GREATER than 98...

> -----Original Message-----
> From: Mark [mailto:mph at bravo-64-128-248-9.telocity.com] On Behalf Of Mark
> Hurley
> Sent: Wednesday, October 17, 2001 8:53 PM
> To: ale at ale.org
> Subject: Re: [ale] stateful firewall?
>
>
> On Wed, Oct 17, 2001 at 11:15:38AM -0700, Bao C. Ha wrote:
> >
> > >
> > >
> > > I've been working for the past day or so on setting up
> > > ipchains to use as my company's firewall.  Then one of
> > > our senior IT guys came by and said "Linux boxes don't
> > > make firewalls.  They make good proxies, but not
> > > firewalls.  Linux has no stateful firewalls."
> >
> > Wow!  So tell me what you need from a stateful firewall
> > that ipchains cannot provide.  A lot of the time,
> > "stateful firewall" is just a buzz/FUD marketing word.
> > I would ask for clarification on the requirements that
> > do utilize a stateful firewall.
>
> Agreed; if your senior IT guy would like to talk about the firewall, I
> would be more than happy to eat a free lunch.
>
> > > I know in Bob Toxen's book it's mentioned that the 2.4
> > > kernel provides a stateful firewall capability called
> > > NETFILTER.  Has anyone had any experience with this?
> > > Good/bad?  Is it stable enough to use in a production
> > > environment?
> >
> > Yes!  Iptables/netfilter can do a banging job as a stateful
> > firewall.  It works great.  Just make sure that you use
> > the most recent one.  There was a security hole in
> > ip_conntrack_ftp in April, I think.
>
> If you would like to read more on that security flaw, check out one of
> the links.  In short, it affected kernels 2.4.3 and below.  A patch is
> posted, but I would opt for one of the more recent kernels.
>
> Ohh links...
>
> http://netfilter.samba.org/security-fix/index.html
>  -- or --
> http://www.tempest.com.br/advisories/01-2001.html
>
> > > If it is stable enough, we have installed RH 7.1,
> > > which uses the 2.4, so we're good to go.  However, the
> > > IT guy also seems to think that all Linux
> > > distributions have too many holes (with the exception
> > > of the NSA's distribution, which he mentioned in
> > > passing).  It was my impression that I could disable
> > > pretty much every service on the box (with the
> > > exception of those that *have* to be running to
> > > function as a firewall) and we'd be pretty secure.  Is
> > > this not the case?
> >
> > I build firewalls from scratch.  Sometimes I use Slackware
> > or Debian and strip it to the bare minimum.
> >
> > The answer to your question is YES, with reservations.
> > That includes any Unices, Solaris/AIX/HPUX.
>
> Agreed (ouch, blanket statement?).  For clarification, I agree ANY OS
> can be made more secure.  It goes along with the house/windows/door
> thing: when you buy a house, are you sure it is locked and all the
> windows are closed?  As with any OS, responsibility comes with it.  Not
> just in installing a quick fix to alleviate all your ailments, but in
> having a mature Net Admin who is willing to be anal.  (Can we say that
> on air?)
>
> As many would point out, some OSes are more secure by default than
> others, including "web servers" (pun intended).
>
> Mark Hurley
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info.
> Problems should be
> sent to listmaster at ale dot org.
>
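To make the "stateful vs. ipchains" point of the thread concrete, here is an added example (my own, not from the ZDNet article or from anyone on the list): a minimal iptables/netfilter ruleset for a 2.4 kernel. The interface names, the admin subnet and the DRY_RUN helper are assumptions for the example; the rules ipchains could not express are the ones using `-m state`.

```shell
#!/bin/sh
# Added example, not the article's or the list's code: a minimal stateful
# ruleset for iptables/netfilter on a 2.4 kernel. The ESTABLISHED,RELATED
# rule is what ipchains lacked: only packets that connection tracking has
# matched to a flow the inside started get back in.
WAN=${WAN:-eth0}                       # assumed Internet-facing interface
LAN=${LAN:-eth1}                       # assumed internal interface
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24} # assumed management subnet

# With DRY_RUN=1 the commands are printed instead of executed, so the
# ruleset can be reviewed (or tested) without root or a netfilter kernel.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

stateful_rules() {
    # The FTP helper tracks active-mode data connections as RELATED; the
    # hole discussed in the thread was in this helper, so the kernel must
    # carry the fix (the quoted mail says 2.4.3 and below were affected).
    run modprobe ip_conntrack_ftp
    run iptables -F
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies and helper-related flows (FTP data) for connections we started.
    run iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot tie to any flow (stray ACKs, bad sequence).
    run iptables -A INPUT   -m state --state INVALID -j DROP
    run iptables -A FORWARD -m state --state INVALID -j DROP
    # Only the LAN may open NEW connections through the box...
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # ...and only the admin subnet may open NEW SSH sessions to it.
    run iptables -A INPUT -i "$LAN" -s "$ADMIN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Default policies go last so an existing admin session is not cut off
    # before the ESTABLISHED rule is in place.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
}

# Number of rules that depend on the connection-tracking state match.
count_state_rules() {
    ( DRY_RUN=1; stateful_rules ) | grep -c -- '-m state'
}

case "${1:-}" in
    --apply) DRY_RUN=0 ;;   # really load the ruleset (needs root)
    *)       DRY_RUN=1 ;;   # default: print the ruleset for review
esac
stateful_rules
```

Run it without arguments to print the ruleset for review; `--apply` loads it for real.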
