What I find astonishing: let's say you are running a web server, maybe a mail server and a DNS server on one machine. What rules do you want to apply to the packets etc.?

I would suggest keeping the open ports restricted, checking for all current updates regularly (subscribe to several mailing lists etc.) and I guess that would be far enough. What other things does a firewall have to offer? It's good if you want to protect e.g. a network, but for a single server I doubt it's that interesting or useful. What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> IMO iptables is a reasonably good stateful firewall and is fine in most
> cases. However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect. Ideally
> implementations on diverse platforms.
>
> One example for consideration is a cisco packet filter (acls) that may
> allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset they might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed. Make your network
> an onion if you can engineer a method to easily manage your rules.
>
> That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both). For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical.
> If I had a client that wanted to sell stuff on the web and handle
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network. In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command). In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
>
> Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'. My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you. Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules". If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make. No matter where you
> set the bar there will still be more secure solutions. "Secure
> enough" is all a state of paranoia and budget. :)
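As an added illustration (not from either poster) of what "keep the open ports restricted" looks like as a concrete stateful ruleset for the web/mail/DNS host described above, the script below generates an iptables-restore file with a default-DROP INPUT policy; the service ports, the 192.0.2.0/24 admin network and the SSH rule are assumptions to adjust for your own host.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a single host serving HTTP(S),
# SMTP and DNS. Everything not explicitly listed is dropped by policy.
# Apply with:  sh rules.sh > /etc/iptables.rules; iptables-restore < /etc/iptables.rules
gen_ruleset() {
  admin_net="${1:-192.0.2.0/24}"   # constructed example: where admins SSH from
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateful part: replies to connections this host accepted or initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Out-of-state or malformed packets are dropped before any service rule
-A INPUT -m state --state INVALID -j DROP
# Public services: only the ports something actually listens on
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Administration reachable from one network, not the whole Internet
-A INPUT -p tcp --dport 22 -s ${admin_net} -m state --state NEW -j ACCEPT
# Keep ping and path-MTU discovery working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Rate-limited log of what hits the policy, so rule changes show up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Policy of the INPUT chain in the generated file (expected: DROP)
default_input_policy() {
  gen_ruleset | awk '/^:INPUT/ { print $2 }'
}

# Number of service ports opened to any source (no -s restriction)
count_internet_facing_ports() {
  gen_ruleset | grep -- '--dport' | grep -v -- ' -s ' | grep -c .
}
```

Review the generated file (the two check functions are a start) before loading it, and put the load step in your boot scripts so that the "one little command" that flushes the rules is undone at the next reboot.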