----- Original Message -----
From: "Magnus Sundberg" <[EMAIL PROTECTED]>
To: "Peter Robb" <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2003 4:49 PM
Subject: Re: Firewall Startup Configuration files
> Peter Robb wrote:
> > Agreed, but what's the timing for loading the rules and bringing up the
> > interfaces...
> > I prefer rules first and interfaces next. Then the routing is also after the
> > rules...
> >
> > I think the whole question is whether to put some kind of filtering in
> > place before the firewall goes live.
> > Even bringing up local interfaces after the external is live and working...
> > Would that make more sense?
> >
> > Regards,
> > Peter.
>
> Hi again,
> Well this is my opinion on how to run a linux firewall, as well
> as most linux servers.
>
> 1. Make a plain simple, stupid, no frills installation.
> 2. Change a minimum of configuration files and document these
>
> This puts a lot of restrictions on how much you can change the
> startup script, that's the origin of my first question.
>
> I believe it is quite easy to configure your firewall in the
> first place, but you run into quite a lot of trouble when you
> need to upgrade it.
> I want to install and configure once and somewhat forget.
> It has been a royal pain to upgrade my current RedHat firewall
> with iptables and kernel security patches.

I don't believe anyone will ever get away from that problem.. If you do a
kernel you need to reboot.. And maybe recompile kernel modules to match...

> About bringing up interfaces in the correct order, I ran into
> trouble with loading filter rules earlier with the interfaces
> shut down, I had some problem with the RedHat startup files.

I have had problems with iptables scripts that are reading variables that
only exist after the interfaces/routing is up, so I don't use them any more.
I like my rules up earlier than that..

> I believe that all your applications that reside on the firewall
> shall be secure, or at least updated within a day from a security
> alert. This will protect us from everybody except a few that are
> impossible to stop anyway.
> With secure applications will your firewall be quite secure
> anyway during the brief period from the start of the interfaces
> to the loading of the firewall rules.

Yes, but once it may happen that there is a problem with one interface or
service starting which can make this delay a very long time...

> By the way NAT and DNAT does not protect you from evil neighbours
> at your ISP. One of my internal networks was earlier 192.168.1.0/24.
> An evil neighbour can send a source routed package to my gateway
> further on to one of my internal machines...
> No the ISP does not filter out these addresses, because it is not
> possible in their DSL equipment.

That is what the reverse path filter is for, rp_filter, in your
/etc/sysctl.conf file.

> By the way, I have not that big contact area into people running
> firewalls etc. But I must admit, that if you keep your computers
> updated according to latest patchlist, I have only heard
> anecdotal stories of cracked computers, more like the
> academical, "it is still possible"
> Is this opinion correct?

Not so correct... Most admins would like to believe they are up to date, but
we can only be as good as the software. A buffer overflow is still a problem
no matter how good we are at making firewall rules. That's why Hogwash was
started, to be an inline filter checking for "un-normal" activity. But that's
extra work too... How often do you scan log files?

Regards,
Peter.
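As an added illustration of the reverse-path filter Peter points Magnus to (not code from the thread or from any kernel), the following Python models what strict rp_filter (the sysctl `net.ipv4.conf.all.rp_filter = 1`) does with the "evil neighbour" case: a packet carrying an internal 192.168.1.0/24 source address but arriving on the ISP-facing link. The interface names and routing table are constructed for the example.

```python
import ipaddress

# Constructed routing table for a small gateway: (destination prefix, interface).
# Assumed names: eth0 is the external/ISP link, eth1 the internal LAN.
ROUTES = [
    ("192.168.1.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the interface the gateway would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, in_iface, routes=ROUTES):
    """Model of strict reverse-path filtering (rp_filter=1): the packet passes only
    if the route back to its source address leaves via the interface it arrived on.
    A spoofed internal source arriving on the external link therefore fails."""
    return route_lookup(src, routes) == in_iface


if __name__ == "__main__":
    # Constructed samples: a neighbour at the ISP spoofing an internal source on
    # eth0, a genuine LAN host on eth1, and ordinary Internet traffic on eth0.
    samples = [("192.168.1.7", "eth0"), ("192.168.1.7", "eth1"), ("203.0.113.9", "eth0")]
    for src, iface in samples:
        verdict = "accept" if rp_filter_accepts(src, iface) else "drop"
        print(f"src={src} in={iface}: {verdict}")
```

The check only covers routing asymmetry; it does not replace ingress rules that also drop RFC 1918 sources on the external interface, and a NAT box with two uplinks needs the loose mode (rp_filter=2) instead.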

