On Wed, 28 Mar 2001, Doug Allbright spewed into the ether:
> I have personal firewalls on all but the DC and Exchange server machines. I
I sure hope your IIS is patched to the latest.
> want to set up a real firewall between the internet and my LAN. I can not
> afford to buy a firewall currently. However I have a couple of spare Pentium
> II machines that I install Linux on and then use a Linux firewall. Can
> anyone suggest a good Linux firewall that I could download off the Internet
Hmmm, how familiar are you with Linux? If not familiar with unices, I
would suggest you go in for a Windows based solution (try zonealarm or
some other free firewall, not the best, but will work).
If you have some familiarity with unices, or have access to a few
friends in a local LUG, call them in to build a Linux firewall. One
book that I would recommend is "Building Internet Firewalls" from
O'Reilly and Associates.
Here is one way of hardening your system:
Install as little as possible.
Whichever distro you choose (debian/redhat/Suse/immunix/.....), do a
custom install, strip out as much as you can.
Install all necessary patches, only for the software you have installed.
Do *not* install a compiler (and try to install as few interpreters as
possible).
Install ssh, do not install telnet.
If you go for Redhat, I suggest you ditch their ftp server (Decide if
you need an ftp server there, I sure wouldn't want it on my firewall).
Then set a policy of DENY
For kernel 2.2 that's
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
#Create your rules
#Assumes that 127.0.0.1 is your loopback address, and trusted
/sbin/ipchains -A input -s 127.0.0.1 -i lo -j ACCEPT
#Similar rule for the ethernet card
#Set your forwarding rules, maybe MASQ
#Now set up rules for every service you want outsiders to access.
#Last rule, deny everything again, and log
/sbin/ipchains -A input -s 0/0 -d <your ip address> -j DENY -l
#Maybe unset policies for outbound, you may want to allow output from
#all ports, or only from some.
#If from all
#/sbin/ipchains -P output ACCEPT
#Else, define rules for the output chain.
> for free, or freeware based Windows firewall. I want to learn about
> firewalls as well as protect my systems. If this is a bad approach to
> the problem or if you have a better suggestion I am open to it.
This is a good approach. You will probably want to check out Bugtraq
and other security lists as well.
Devdas Bhagat
--
Laundry is the fifth dimension!! ... um ... um ... th' washing machine
is a black hole and the pink socks are bus drivers who just fell in!!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
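The following is an added example, not part of Devdas's post: a complete ipchains script for a 2.2 kernel that follows the order his outline gives (default DENY on all three chains, trust loopback, masquerade the LAN, open only the services outsiders need, then a final deny-and-log rule). The interface names eth0/eth1, the address 192.0.2.10 and the LAN range 192.168.1.0/24 are assumptions to be replaced with your own. One thing the outline does not spell out and a practitioner will hit immediately: ipchains keeps no connection state, so replies to outbound connections must be let back in explicitly, here as TCP packets without SYN set (! -y) and UDP replies from port 53. Run with no argument to print the commands for review; run as root with "apply" to load them.

```shell
#!/bin/sh
# Added example ipchains (Linux 2.2) ruleset in the order described in the
# post. Interface names, addresses and the LAN range are assumptions.
# With no argument the script only prints the ipchains commands it would
# run; "apply" (as root) loads them and enables forwarding.

EXT_IF=eth0            # interface facing the Internet (assumed)
EXT_IP=192.0.2.10      # its address (assumed; documentation range)
LAN_IF=eth1            # interface facing the LAN (assumed)
LAN_NET=192.168.1.0/24 # LAN range to masquerade (assumed)

MODE=${1:-print}

# ipc: run /sbin/ipchains when applying, otherwise print the command.
ipc() {
    if [ "$MODE" = "apply" ]; then
        /sbin/ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

build_rules() {
    # Start from a clean slate, then default to DENY on every chain.
    ipc -F
    ipc -P input DENY
    ipc -P output DENY
    ipc -P forward DENY

    # Loopback is trusted, in both directions.
    ipc -A input -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT

    # Anti-spoofing: packets claiming a LAN or loopback source must never
    # arrive on the external interface. Log them.
    ipc -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    ipc -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # The LAN may talk to the firewall and, via the forward chain, through it.
    ipc -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipc -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # Masquerade LAN traffic leaving on the external interface.
    ipc -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

    # Services outsiders may reach: only ssh here, as the post recommends.
    ipc -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 22 -j ACCEPT

    # ipchains is stateless: replies to our own (and masqueraded) outbound
    # connections must be allowed in explicitly. TCP without SYN (! -y)
    # cannot open a new connection; UDP from port 53 covers DNS answers.
    ipc -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" -j ACCEPT
    ipc -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$EXT_IP" -j ACCEPT

    # Everything the firewall itself sends out is allowed.
    ipc -A output -i "$EXT_IF" -s "$EXT_IP" -j ACCEPT

    # Final catch-all: deny and log, so dropped traffic leaves a trace.
    ipc -A input -s 0/0 -d 0/0 -j DENY -l
}

if [ "$MODE" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
build_rules
```

Order matters in ipchains: the first matching rule wins, so the anti-spoofing denies sit before any ACCEPT on the external interface, and the logging deny is last so it only sees what nothing else claimed. If you add an output policy of ACCEPT instead of the explicit output rules, the forward and input rules above still hold.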