iptables is secure in that it is built into the kernel and is thus more difficult to bypass. On the other hand, it does not differentiate between applications. However, for a 50+ PC scenario I'd have a dedicated firewall/gateway PC. You could then set up your computers so that all mail is sent via a dedicated mail server, using authentication for SMTP, and the firewall would only allow that server to do outgoing SMTP, rather than allowing every PC to send mail directly. Having said that, I haven't checked out whether there are any firewalls that can differentiate between applications, or possibly special versions of the kernel (such as the SELinux patches) that can do the trick.
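The gateway policy sketched above, written out as an added example that is not part of the original reply: a dual-NIC Linux box forwards outbound SMTP only from the internal mail server, while any other workstation that tries port 25 directly (a misconfigured client or a mass-mailing trojan) is logged and dropped. The interface names, the 192.168.1.0/24 subnet and the mail server address 192.168.1.10 are constructed assumptions; the script prints the rules by default and only applies them when IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example (not from the original thread): gateway ruleset that lets only the
# internal mail server relay outbound SMTP; every other LAN host's direct port-25
# traffic is logged and dropped.  Interface names and addresses are assumptions.
LAN_IF="${LAN_IF:-eth1}"                     # NIC facing the workstations (assumed)
WAN_IF="${WAN_IF:-eth0}"                     # NIC facing the Internet (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # constructed internal subnet
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"   # constructed address of the internal MTA
# Set IPT=iptables on the real gateway; the default only prints the rules.
IPT="${IPT:-echo iptables}"

gateway_rules() {
    # Default deny for forwarded traffic; everything below is an explicit exception.
    $IPT -P FORWARD DROP
    # Replies to connections the LAN already opened.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the MTA may open outbound SMTP (rule order matters: this ACCEPT
    # must come before the subnet-wide DROP below).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Any other host trying port 25 directly: rate-limited log entry, then drop.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 25 \
        -m limit --limit 5/min -j LOG --log-prefix "DIRECT-SMTP-BLOCKED: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j DROP
    # Ordinary web browsing from the LAN stays allowed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Returns 0 when the given source address may open outbound SMTP under the
# policy above, 1 otherwise.  Mirrors the rule order so the policy can be
# checked on a workstation without loading any rules.
smtp_allowed_from() {
    [ "$1" = "$MAIL_SERVER" ]
}

gateway_rules
```

Run it as-is to review the generated rules; on the gateway, run `IPT=iptables sh gateway.sh` (with IP forwarding enabled) to apply them. The LOG rule gives the one thing a host-based firewall would otherwise provide here: the address of the workstation that tried to send mail on its own, which is the host to go and look at.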

Steve Camilleri wrote:

Hi all,
I may not be up to scratch, but I've been reading that an iptables firewall is classified as a "hardware firewall" and has a severe disadvantage in that it does not distinguish traffic on the application level, and this could lead to malicious traffic from within. How true is this? For example, one inadvertently downloads a trojan by mail on allowed port 25. This program can then access the net via port 25 or 80 etc. and spread itself etc. Is it possible to make iptables restrict which applications can use a specified port? XP with SP2 (a "software firewall") can do this, so I'm sure that there must be a way around with Linux... and with hype about products like this
http://www.checkpoint.com/products/interspect/index.html
...are they really needed?
Bil Malti, if my company needs to implement a good security system for 50+ PCs, can we feel safe-ish with a dual-NIC Linux box in front, with a good set of iptables rules? Is this better/worse than a dedicated firewall/router box (e.g. Linksys VPN firewall etc.)? Thanks guys
Steve


_______________________________________________
MLUG-list mailing list
MLUG-list@linux.org.mt
http://mailserv.megabyte.net/mailman/listinfo/mlug-list
