Re: is iptables enough?

2003-03-26 Thread Steffen Burmeister
Hi all,

On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
> One thing they forgot to mention was that they used Exchange for 
> email.  That means instead of running exim, I will have to forward 
> SMTP & POP traffic to their Exchange server.  The Exchange server 
> will not be directly connected to the Internet.

If you only port-forward the connections to the Exchange
server, you will expose it to the world just as if you were
running it on the firewall itself.

You are right about forwarding the traffic (how else should
they get their mail :), but IMHO it is far better to still 
use exim, but "only" as a smart-host to redirect mail from 
the internet to the Exchange-server and back. If you update 
your debian-box regularly, you don't have to worry about the 
security of the Exchange-server that much.

later

   Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA)

--
ebios informationssysteme volker birk
gut-betha-platz 1 88339 bad waldsee germany
phone +49 (7524) 93421fax +49 (7524) 93423   
mailto:[EMAIL PROTECTED]http://www.ebios.de



Re: is iptables enough?

2003-03-25 Thread Jones
Thanks for all the responses to my iptables question.  From what I
read, it looks like iptables will be adequate protection for their
setup.  I went to see her again yesterday to start setting things up.
One thing they forgot to mention was that they used Exchange for
email.  That means instead of running exim, I will have to forward
SMTP & POP traffic to their Exchange server.  The Exchange server
will not be directly connected to the Internet.

Their old Windows 2000 server was on the net 24/7 via a 768k DSL
connection.  It didn't have any of the MS patches or service packs.
I am surprised that it was not hacked with all those Win 2K
vulnerabilities out there.  Their DSL modem (Speedstream) supposedly
has a built-in firewall but the default rule is to let everything in,
so it wasn't much good.  I will configure it to let in only HTTP,
SMTP, POP and SSH.  That will provide an additional layer of
security.  Not sure how useful it is though.

I have been using a Debian Linux system at home to share my cable
modem connection for several years.  I run apt-get & logcheck on it
and I will be doing the same for them.  I am on the
debian-security-announce list so I should be able to stay on top of
things as far as Debian security updates are concerned.

Funny ... when I first mentioned Linux, their first thought was
Redhat.  To them, Redhat was synonymous with Linux :-)  I had to
spend a few minutes educating them that there is more to Linux than
Redhat.

At home the biggest intrusion attempts I get are fools trying to
connect to the NetBIOS and HTTP ports.  Lately I have been seeing an
increase in activity on port 445.  I found out from a Google search
that port 445 is yet another Windows hole being exploited.

For the hardware, all the systems I saw yesterday are extreme
overkill for a server running only Apache.  I didn't see any SCSI
drives so I will use a pair of IDE drives configured for RAID-1.

later
jmb
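Jones mentions running logcheck and seeing mostly NetBIOS, HTTP and port 445 probes. The script below is an added example, not code from any post in this thread: a POSIX shell/awk summary of what a LOG rule such as the `--log-prefix "iptables:INPUT "` one in Adrian's config further down writes to syslog, counted per protocol and destination port and labelled with the usual IANA service names. The log lines are constructed in the kernel LOG target's syslog format with documentation addresses and a made-up host name; the function names are my own.

```shell
#!/bin/sh
# Summarise what the firewall's LOG rules are catching: blocked packets
# per protocol and destination port, with names for the Windows ports
# that make up most of the noise on a home link.

# Constructed sample input in the kernel LOG target's syslog format
# (documentation addresses, made-up host name; not from a real system).
sample_log() {
    cat <<'EOF'
Mar 25 01:10:02 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1001 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 25 01:10:09 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1002 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 25 01:11:40 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=119 ID=2201 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 01:12:13 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=119 ID=2202 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 01:15:55 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3301 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 25 01:16:02 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3302 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 25 01:16:30 gw kernel: iptables:INPUT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3303 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 25 01:17:00 gw sshd[4321]: Accepted publickey for admin from 192.168.1.20 port 40022 ssh2
EOF
}

# Count logged packets per PROTO/DPT, most frequent first.  Only lines
# carrying the given log prefix are considered; packets without a DPT
# field (ICMP) are reported as PROTO/-.
summarize_blocked_ports() {
    prefix="${1:-iptables:INPUT }"
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }
        {
            proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto != "") count[proto "/" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# IANA names for the ports that dominate unsolicited traffic to a home
# gateway (NetBIOS/SMB probes and web-server worms).
label_port() {
    case "$1" in
        80)  echo http ;;
        135) echo msrpc ;;
        137) echo netbios-ns ;;
        138) echo netbios-dgm ;;
        139) echo netbios-ssn ;;
        445) echo microsoft-ds ;;
        -)   echo - ;;
        *)   echo unknown ;;
    esac
}

# Human-readable report: PROTO/DPT, hit count, service name.
report() {
    summarize_blocked_ports "$@" | while read -r key n; do
        printf '%-10s %4d  %s\n' "$key" "$n" "$(label_port "${key#*/}")"
    done
}

# On a real box:              grep 'iptables:INPUT' /var/log/syslog | report
# On the constructed sample:  sample_log | report
```

Lines without the prefix (the sshd line in the sample) are ignored, so the same function can be pointed at a whole syslog file; pass a different prefix as the first argument to summarise the FORWARD chain's log rule instead.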



Re: is iptables enough?

2003-03-22 Thread Hanasaki JiJi

Aren't some ICMP packets best to allow for effective routing and such?

Josh Carroll wrote:
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
>
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
>
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
>
> Josh
>
> --- Vineet Kumar <[EMAIL PROTECTED]> wrote:
> > * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > > Set it up to block everything and then selectively open ports until
> > > everything works as desired. Depending on the applications it may be a
> > > good idea to REJECT auth (identd) packets instead of dropping them -
> > > some applications have long timeouts.
> >
> > IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> > you think DROPping makes you invisible, you're deluding yourself.  I
> > generally end my INPUT chain with
> >
> > -p tcp -j REJECT --reject-with tcp-reset
> > -p udp -j REJECT --reject-with icmp-port-unreachable
> > -j REJECT --reject-with icmp-proto-unreachable
> >
> > Of course, different setups have different needs,
> > but I think this is pretty good for most home configurations
> >
> > good times,
> > Vineet
> > --
> > http://www.doorstop.net/
> > --
> > http://www.digitalconsumer.org/

--
"Management is doing things right; leadership is doing the right things." - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone



rp_filter (was Re: is iptables enough?)

2003-03-21 Thread Blars Blarson
In article <[EMAIL PROTECTED]> 
[EMAIL PROTECTED] writes:
>Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
>interface lo, and drop 
>non-routable stuff coming from public interface.

for dev in default eth0 eth1 eth2 eth3 eth4 eth5 eth6
do
    echo 1 >/proc/sys/net/ipv4/conf/${dev}/rp_filter
done

Much better than trying to put such stuff in iptables.  This changes with
your routing tables, and you don't need to duplicate them.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
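Blars's loop writes rp_filter for eth0 through eth6 whether or not those interfaces exist, and leaves `all` alone. The functions below are an added example, not Blars's script: they set rp_filter for `all`, `default` and every interface the kernel actually exposes, and report any interface whose effective setting is still off (the kernel applies the larger of `conf/all` and `conf/<iface>`, so a per-interface 0 is harmless once `all` is 1). The `CONF` variable, which defaults to `/proc/sys/net/ipv4/conf` and can be pointed at a scratch directory with the same layout for testing, and the function names are my own.

```shell
#!/bin/sh
# Reverse-path filtering for every interface the kernel actually has, plus
# a check.  CONF points at the kernel's sysctl tree by default and can be
# redirected to a scratch directory with the same layout for testing.
CONF="${CONF:-/proc/sys/net/ipv4/conf}"

# Turn rp_filter on for every directory under conf/: that covers 'all' and
# 'default' (so interfaces that come up later, e.g. ppp0, inherit it) as
# well as each interface present right now.  Value 1 is strict mode.
enable_rp_filter() {
    conf="${1:-$CONF}"
    for d in "$conf"/*/; do
        d="${d%/}"
        [ -f "$d/rp_filter" ] && echo 1 > "$d/rp_filter"
    done
}

# List interfaces whose effective rp_filter (the larger of conf/all and the
# per-interface value) is still 0.  Exit status 0 when every interface
# filters, 1 otherwise.
check_rp_filter() {
    conf="${1:-$CONF}"
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    rc=0
    for d in "$conf"/*/; do
        d="${d%/}"
        dev="${d##*/}"
        case "$dev" in all|default) continue ;; esac
        [ -f "$d/rp_filter" ] || continue
        eff=$(cat "$d/rp_filter")
        [ "$all" -gt "$eff" ] && eff=$all
        if [ "$eff" -eq 0 ]; then
            echo "$dev: rp_filter off"
            rc=1
        fi
    done
    return $rc
}

# Lines for /etc/sysctl.conf so the setting survives a reboot instead of
# living only in a firewall script.
sysctl_lines() {
    printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n'
}

# Usage as root:  enable_rp_filter && check_rp_filter && sysctl_lines >> /etc/sysctl.conf
```

The point Blars makes still holds: this replaces the hand-written anti-spoof rules for routable networks only. Filtering 127.0.0.0/8 arriving on a non-loopback interface, or private ranges arriving from the public side, remains an iptables job.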



Re: is iptables enough?

2003-03-21 Thread Bernhard R. Link
* Adrian Phillips <[EMAIL PROTECTED]> [030321 09:21]:
> Um, would you be so kind as to explain the "deluding yourself" part or
> point to some information that does so ? From what I have read on the
> net using google a good number of people use drop to help with port
> scanning (ie. port scanning will take a lot longer with drop then
> reject), and also help with DoS, whereas reject is deemed more polite.

A person using a scanner slowed down by drop-rules will in most
cases be no danger. (Why should a scanner wait for an answer before
probing the next port?)

To ease DoS it needs quite a large downstream/upstream ratio, as otherwise
DoSing your downstream works anyway. (And it is simpler, as
packets can be larger.)

With dropping packets one normally only shoots oneself in the foot. Configuration
errors or typing errors do not cause proper error messages but strange
behaviour. It's like renaming 'su' to 'querz': one might hit something
under the foot, but that's not worth the foot.

If I were a black hat, I would probably attack a computer dropping
things first, as it just looks more amateur-like.

That all said, a drop-rule can in some corner cases be useful, too.
Dropping everything not sent directly to the machine in a net with
some crazy broadcasters can reduce traffic a bit while only making
ping unusable.

Hochachtungsvoll,
Bernhard R. Link
-- 
The man who trades freedom for security does not deserve 
nor will he ever receive either. (Benjamin Franklin)



RE: is iptables enough?

2003-03-21 Thread DEFFONTAINES Vincent

> [EMAIL PROTECTED]:~# iptables-save
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *nat
> :PREROUTING ACCEPT [17038:1364291]
> :POSTROUTING ACCEPT [1561:131055]
> :OUTPUT ACCEPT [7155:558179]
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 4
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Mar 21 10:13:12 2003
> # Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
> *filter
> :INPUT DROP [1323:393571]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [399596:206648275]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i ! ppp0 -j ACCEPT
> -A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -p tcp -m tcp --dport 4 -j ACCEPT
> -A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
> -A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
> -A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
> -A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
> COMMIT
> # Completed on Fri Mar 21 10:13:12 2003


You should DROP (REJECT? :-) ) packets with state INVALID at the start of
{INPUT/FORWARD/OUTPUT}.
Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
interface lo, and drop non-routable stuff coming from the public interface.

Also, I do not really like the ACCEPT ALL FROM ! ppp0 style. It certainly
works on your config, but will have to be rewritten (at least, looked at
carefully) whenever you add an interface.
I prefer to explicitly name existing interfaces and their associated
networks.
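Vincent's three review points (INVALID first, explicit anti-spoof rules, interfaces and networks named instead of `-i ! ppp0`) and Vineet's REJECT tail quoted earlier in the thread fit together into one ruleset. What follows is an added example, not any poster's configuration: a POSIX shell function that emits an iptables-restore ruleset for a two-interface gateway offering the same outside services as the config under review, and a check that the INVALID rule really is the first rule of INPUT and FORWARD and that no old-style negation is left. The interface names ppp0/eth0 and the 192.168.1.0/24 network come from the thread; the nat port-forwards and the teergrube redirect are left out, and the negation is written `! -i`, the form current iptables requires, rather than the `-i !` that iptables 1.2.7a printed. The function names are my own.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a two-interface gateway that applies
# the review points: INVALID dropped first in every chain, anti-spoof rules,
# interfaces and networks named explicitly instead of '-i ! ppp0', identd
# answered with a TCP reset, and a REJECT tail rather than a silent policy.
# Load with:  build_ruleset ppp0 eth0 192.168.1.0/24 | iptables-restore
build_ruleset() {
    ext="$1"     # public interface, e.g. ppp0
    int="$2"     # LAN interface, e.g. eth0
    intnet="$3"  # LAN network, e.g. 192.168.1.0/24
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Drop conntrack INVALID before anything is accepted.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# 2. Anti-spoof: loopback only on lo, LAN addresses only on the LAN side.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -i $ext -s $intnet -j DROP
-A INPUT -i $int ! -s $intnet -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. Trust the LAN by interface and network, not 'everything but ppp0'.
-A INPUT -i $int -s $intnet -j ACCEPT
# Services offered to the outside (same set as the config under review).
-A INPUT -i $ext -p udp --dport 123 -j ACCEPT
-A INPUT -i $ext -p tcp --dport 22 -j ACCEPT
-A INPUT -i $ext -p tcp --dport 80 -j ACCEPT
-A INPUT -i $ext -p icmp --icmp-type echo-request -m limit --limit 10/min -j ACCEPT
# identd: answer at once so IRC and SMTP peers do not wait for a timeout.
-A INPUT -i $ext -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# NetBIOS name-service noise: drop without logging.
-A INPUT -i $ext -p udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
# 4. REJECT tail: a clear error to the sender instead of a silent policy.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -i $int -s $intnet -o $ext -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
COMMIT
EOF
}

# Sanity checks on a ruleset read from stdin: the INVALID drop must be the
# first rule in INPUT and FORWARD, and no old-style '-i !' negation remains.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | awk '
        /^-A (INPUT|FORWARD) / { if (!($2 in first)) first[$2] = $0 }
        END {
            bad = 0
            for (c in first)
                if (first[c] !~ /--state INVALID -j DROP/) {
                    print "INVALID is not the first rule in " c; bad = 1
                }
            exit bad
        }' || return 1
    if printf '%s\n' "$rules" | grep -q ' -i ! '; then
        echo "old-style negation '-i !' found; use '! -i'"
        return 1
    fi
    return 0
}
```

Because the LAN is matched on both `-i eth0` and `-s 192.168.1.0/24`, adding a third interface later changes nothing until a rule for it is written, which is the property Vincent asks for. The policy stays DROP as a safety net, but in normal operation the REJECT tail answers every unmatched packet, so a typo in a rule shows up as an immediate error rather than a hang.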



Re: is iptables enough?

2003-03-21 Thread Adrian 'Dagurashibanipal' von Bidder
On Thu, 2003-03-20 at 22:10, Vineet Kumar wrote:
> * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 
> PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to REJECT auth (identd) packets instead of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> you think DROPping makes you invisible, you're deluding yourself.  I
> generally end my INPUT chain with

I'm not invisible (you can even ping most of my machines). 
 - DROP takes less bandwidth than REJECT.
 - DROP slows down nimda/code-red style trojans as they wait for the
connect timeout, so it's actually friendly to your neighbours.

back when code-red was all new and shiny, I got > 10 connects per
second, and that was just a 256/64k cable link. 


while we're at it, people may want to read and comment on my config (way
OT - so ignore it if you're not interested)
ppp0 is the outside world (pppoe over eth1).

Port 6346 is gnutella, port 11372 is pgp keyserver related (not hkp),
the firewall box runs a mailserver from the inside and a teergrube on
4 accessible from the outside. If you read the mail headers, you
know which box it is, too.

[EMAIL PROTECTED]:~# iptables-save
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*nat
:PREROUTING ACCEPT [17038:1364291]
:POSTROUTING ACCEPT [1561:131055]
:OUTPUT ACCEPT [7155:558179]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 4
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 21 10:13:12 2003
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*filter
:INPUT DROP [1323:393571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [399596:206648275]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 4 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
-A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
-A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
COMMIT
# Completed on Fri Mar 21 10:13:12 2003

-- vbi
-- 
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481


RE: is iptables enough?

2003-03-21 Thread DEFFONTAINES Vincent


> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: debian-security@lists.debian.org
> Subject: Re: is iptables enough?
> 
> 
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
> 
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
> 
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
> 
> Josh


I tend to agree and usually set my policies to DROP.
One notable exception is TCP dest port 113, which I prefer to REJECT,
because I don't like to wait for Auth timeouts when I login to IRC.

Drawback of this: REJECTing some packets helps nmap detect your OS
(nmap needs one open port and one REJECT for best results).

Back to the policy, I guess setting it to REJECT or DROP is quite related
to the use of your machine; also you "probably" want to REJECT unauthorized
packets that come from your intranet.



Re: is iptables enough?

2003-03-21 Thread Adrian Phillips
> "Vineet" == Vineet Kumar <[EMAIL PROTECTED]> writes:

Vineet> * Adrian 'Dagurashibanipal' von Bidder
Vineet> <[EMAIL PROTECTED]> [20030320 06:39 PST]:
>> Set it up to block everything and then selectively open ports
>> until everything works as desired. Depending on the
>> applications it may be a good idea to REJECT auth (identd)
>> packets instead of dropping them - some applications have long
>> timeouts.

Vineet> IMO, it's a good idea to REJECT instead of DROPping most
Vineet> packets.  If you think DROPping makes you invisible,
Vineet> you're deluding yourself.  I generally end my INPUT chain

Um, would you be so kind as to explain the "deluding yourself" part or
point to some information that does so? From what I have read on the
net using google a good number of people use drop to help with port
scanning (ie. port scanning will take a lot longer with drop than
reject), and also help with DoS, whereas reject is deemed more polite.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]



Re: is iptables enough?

2003-03-21 Thread David B Harris
On Thu Mar 20, 11:27pm -0800, Josh Carroll wrote:
> In general, I don't use -REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)

Just to throw in my two cents, for each ten million people that don't
care, you've made one admin cry.

:)




Re: is iptables enough?

2003-03-21 Thread Josh Carroll
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the would-be
attacker couldn't just find a network that could
surpass your downstream as well, just pointing out
this drawback of -j REJECT.

Secondly, while DROP'ing the packet doesn't make you
invisible, it does have some degree of value when
deterring people. If an attacker gets no response from
machine 1, but a tcp reject from machine 2, I'm
willing to bet they'd pursue machine 2 first. Let's
face it, if they want to find out if you're there or
running something on a port, they probably can with a
bit more effort anyway, but it might just make them
pass you by for an easier target.

In general, I don't use -j REJECT unless I'm worried
about being polite. And in most circumstances,
politeness isn't my goal ;)

Josh

--- Vineet Kumar
<[EMAIL PROTECTED]> wrote:
> * Adrian 'Dagurashibanipal' von Bidder
> <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively
> open ports until
> > everything works as desired. Depending on the
> applications it may be a
> > good idea to REJECT auth (identd) packets instead
> of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping
> most packets.  If
> you think DROPping makes you invisible, you're
> deluding yourself.  I
> generally end my INPUT chain with
> 
> -p tcp -j REJECT --reject-with tcp-reset
> -p udp -j REJECT --reject-with icmp-port-unreachable
> -j REJECT --reject-with icmp-proto-unreachable
> 
> Of course, different setups have different needs,
> but I think this is
> pretty good for most home configurations
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> http://www.digitalconsumer.org/
> 

> ATTACHMENT part 2 application/pgp-signature
name=signature.asc




Re: is iptables enough?

2003-03-21 Thread Adrian 'Dagurashibanipal' von Bidder
On Thu, 2003-03-20 at 22:10, Vineet Kumar wrote:
> * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to REJECT auth (identd) packets instead of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> you think DROPping makes you invisible, you're deluding yourself.  I
> generally end my INPUT chain with

I'm not invisible (you can even ping most of my machines). 
 - DROP takes less bandwidth than REJECT.
 - DROP slows down nimda/code-red style trojans as they wait for the
connect timeout, so it's actually friendly to your neighbours.

back when code-red was all new and shiny, I got > 10 connects per
second, and that was just a 256/64k cable link. 


while we're at it, people may want to read and comment on my config (way
OT - so ignore it if you're not interested)
ppp0 is the outside world (pppoe over eth1).

Port 6346 is gnutella, port 11372 is pgp keyserver related (not hkp),
thefirewall box runs a mailserver from the inside and a teergrube on
4 accessible from the outside. If you read the mail headers, you
know which box it is, too.

[EMAIL PROTECTED]:~# iptables-save
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*nat
:PREROUTING ACCEPT [17038:1364291]
:POSTROUTING ACCEPT [1561:131055]
:OUTPUT ACCEPT [7155:558179]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 4
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 11372 -j DNAT --to-destination 192.168.1.17
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.17
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 21 10:13:12 2003
# Generated by iptables-save v1.2.7a on Fri Mar 21 10:13:12 2003
*filter
:INPUT DROP [1323:393571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [399596:206648275]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable  
-A INPUT -p tcp -m tcp --dport 4 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT 
"
-A FORWARD -i ! ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 11372 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6346 -j ACCEPT
-A FORWARD -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:FORWARD "
COMMIT
# Completed on Fri Mar 21 10:13:12 2003

-- vbi
-- 
OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481


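Since vbi asked for comments on the dump above, here is an added example (not part of his post, and not an iptables tool) of reading such a dump with a critic's eye: a POSIX shell audit that reports the default policies, every port-matching INPUT rule that is reachable from the outside interface, and any LOG rule lacking a `-m limit` guard. The filter table from the post is embedded as a constructed sample so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for what it exposes on the
# external interface.  Function names are hypothetical (not iptables'
# own).  SAMPLE_DUMP is a constructed copy of the *filter table posted
# above, so the script runs offline; for a live box use
#   audit_dump "$(iptables-save)"

SAMPLE_DUMP='*filter
:INPUT DROP [1323:393571]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [399596:206648275]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 4 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix "iptables:INPUT "
COMMIT'

# policy_of DUMP CHAIN: print the chain's default policy (what happens to
# anything no rule matched).
policy_of() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# exposed_ports DUMP CHAIN: one "proto/port TARGET" line per port-matching
# rule in CHAIN that is not limited to the inside ("-i ! ppp0" in 1.2.x
# syntax, "! -i ppp0" in current iptables-save output).  A rule with no
# -i at all matches on every interface, so it is reachable from outside.
exposed_ports() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /--dport/ && !/-i ! / && !/! -i / {
            proto = "?"; port = "?"; target = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            print proto "/" port " " target
        }'
}

# unlimited_log_rules DUMP: count LOG rules that have no "-m limit" guard;
# such a rule lets a port scan fill the log at line rate.
unlimited_log_rules() {
    printf '%s\n' "$1" | awk '/-j LOG/ && !/-m limit/ { n++ } END { print n + 0 }'
}

# audit_dump DUMP: human-readable summary of the checks above.
audit_dump() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'policy %-8s %s\n' "$chain" "$(policy_of "$1" "$chain")"
    done
    printf 'reachable from outside (INPUT):\n'
    exposed_ports "$1" INPUT | sed 's/^/  /'
    printf 'LOG rules without -m limit: %s\n' "$(unlimited_log_rules "$1")"
}

audit_dump "$SAMPLE_DUMP"
```

On the sample this lists tcp/22, tcp/80, tcp/4 and udp/123 as ACCEPT, tcp/113 as REJECT and udp/137 as DROP; tcp/4 looks odd on its own, which is exactly why the nat table (the REDIRECT of port 25 to 4 for the teergrube) has to be read alongside the filter table. The script only looks at `--dport` rules, so the rate-limited ICMP echo rule is not in its list.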


RE: is iptables enough?

2003-03-21 Thread DEFFONTAINES Vincent


> -Original Message-
> From: Josh Carroll [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 March 2003 08:46
> To: [EMAIL PROTECTED]
> Subject: Re: is iptables enough?
> 
> 
> There are a couple of reasons why I use -j DROP
> instead of -j REJECT. Firstly, sending responses to
> packets you're dropping can be bad, given a relatively
> small upstream link. In theory, one could DoS you
> sufficiently with an upstream equal or slightly better
> than yours. That is not to say that the would-be
> attacker couldn't just find a network that could
> surpass your downstream as well, just pointing out
> this drawback of -j REJECT.
> 
> Secondly, while DROP'ing the packet doesn't make you
> invisible, it does have some degree of value when
> deterring people. If an attacker gets no response from
> machine 1, but a tcp reject from machine 2, I'm
> willing to bet they'd pursue machine 2 first. Let's
> face it, if they want to find out if you're there or
> running something on a port, they probably can with a
> bit more effort anyway, but it might just make them
> pass you by for an easier target.
> 
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)
> 
> Josh


I tend to agree and usually set my policies to DROP.
One notable exception is TCP dest port 113, which I prefer to REJECT,
'cause I don't like to wait for Auth timeouts when I login to IRC.

Drawback of this: REJECTing some packets helps nmap detect your OS
(nmap needs one open port and one REJECT for best results).

Back to the policy, I guess setting it to REJECT or DROP is quite related
to the use of your machine; also you "probably" want to REJECT unauthorized
packets that come from your intranet.





Re: is iptables enough?

2003-03-21 Thread Adrian Phillips
> "Vineet" == Vineet Kumar <[EMAIL PROTECTED]> writes:

Vineet> * Adrian 'Dagurashibanipal' von Bidder
Vineet> <[EMAIL PROTECTED]> [20030320 06:39 PST]:
>> Set it up to block everything and then selectively open ports
>> until everything works as desired. Depending on the
>> applications it may be a good idea to REJECT auth (identd)
>> packets instead of dropping them - some applications have long
>> timeouts.

Vineet> IMO, it's a good idea to REJECT instead of DROPping most
Vineet> packets.  If you think DROPping makes you invisible,
Vineet> you're deluding yourself.  I generally end my INPUT chain

Um, would you be so kind as to explain the "deluding yourself" part or
point to some information that does so? From what I have read on the
net using google a good number of people use drop to help with port
scanning (i.e. port scanning will take a lot longer with drop than
reject), and also help with DoS, whereas reject is deemed more polite.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]





Re: is iptables enough?

2003-03-21 Thread David B Harris
On Thu Mar 20, 11:27pm -0800, Josh Carroll wrote:
> In general, I don't use -j REJECT unless I'm worried
> about being polite. And in most circumstances,
> politeness isn't my goal ;)

Just to throw in my two cents, for each ten million people that don't
care, you've made one admin cry.

:)




Re: is iptables enough?

2003-03-20 Thread Josh Carroll
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the would-be
attacker couldn't just find a network that could
surpass your downstream as well, just pointing out
this drawback of -j REJECT.

Secondly, while DROP'ing the packet doesn't make you
invisible, it does have some degree of value when
deterring people. If an attacker gets no response from
machine 1, but a tcp reject from machine 2, I'm
willing to bet they'd pursue machine 2 first. Let's
face it, if they want to find out if you're there or
running something on a port, they probably can with a
bit more effort anyway, but it might just make them
pass you by for an easier target.

In general, I don't use -j REJECT unless I'm worried
about being polite. And in most circumstances,
politeness isn't my goal ;)

Josh

--- Vineet Kumar
<[EMAIL PROTECTED]> wrote:
> * Adrian 'Dagurashibanipal' von Bidder
> <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to REJECT auth (identd) packets instead of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> you think DROPping makes you invisible, you're deluding yourself.  I
> generally end my INPUT chain with
> 
> -p tcp -j REJECT --reject-with tcp-reset
> -p udp -j REJECT --reject-with icmp-port-unreachable
> -j REJECT --reject-with icmp-proto-unreachable
> 
> Of course, different setups have different needs, but I think this is
> pretty good for most home configurations
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> http://www.digitalconsumer.org/
> 







Fwd: Re: is iptables enough?

2003-03-20 Thread Didier Caamano
I'd like to add, as the paranoid person that I am, that I wouldn't just 
rely on a router. I would set up the router to be my first line of 
defense, as well as to do some NAT or masquerading, and then after the router 
set up iptables as my second line of defense.


But the first posting was seeking simple solutions for a simple issue; 
therefore, iptables in my opinion will do well. Nevertheless, do not rely 
only on iptables, and look for other options that you could add to protect 
those servers even more.


Have a nice day,
Didier.




"Nothing would please me more than being able to hire ten programmers and 
deluge the hobby market with good software"...Bill Gates 1976...We're still 
waiting

From: Ian Garrison <[EMAIL PROTECTED]>
To: Keegan Quinn <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Re: is iptables enough?
Date: Thu, 20 Mar 2003 15:25:01 -0500 (EST)

   Definitely true, and worth mentioning.  There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment).  If the
hardware is already there (cpe with filtering capabilities, routers, etc)
then I'd advise people to consider the pros of security vs. the cons of
managing it.  Deciding between a spof (router/cpe and likely a couple
ethernet cables) and a firewall that is more disrespectful to unwanted
packets is a tough call for me in the workplace.  If the router/cpe can
take a beating then I might live with it and sleep a little better at
night -- though such decisions take testing and careful consideration.

   I'm too paranoid to say on this list before the masses that "iptables
is enough" in the workplace.  For others it may be enough, and that is
fine.  There is a bigger picture to be seen for those who care, and my
apologies if my response is steering this discussion further off topic
than the original poster was seeking.  I don't intend to suggest that
iptables is inferior, or that if you use iptables as your only means of
filtering you suck.

   I'll make an effort to be more on-topic in the future.  A few things
touched a nerve and I probably should have just clammed up and rolled with
them.  Something being "good enough" just grabbed me and squeezed in the
wrong places.  :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> > Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases.  However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect.  Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain.  Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.

>
>  - Keegan
>
>




Re: is iptables enough?

2003-03-20 Thread Vineet Kumar
* Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> Set it up to block everything and then selectively open ports until
> everything works as desired. Depending on the applications it may be a
> good idea to REJECT auth (identd) packets instead of dropping them -
> some applications have long timeouts.

IMO, it's a good idea to REJECT instead of DROPping most packets.  If
you think DROPping makes you invisible, you're deluding yourself.  I
generally end my INPUT chain with

-p tcp -j REJECT --reject-with tcp-reset
-p udp -j REJECT --reject-with icmp-port-unreachable
-j REJECT --reject-with icmp-proto-unreachable

Of course, different setups have different needs, but I think this is
pretty good for most home configurations

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.digitalconsumer.org/




Re: is iptables enough?

2003-03-20 Thread Ian Garrison
   Definitely true, and worth mentioning.  There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment).  If the
hardware is already there (cpe with filtering capabilities, routers, etc)
then I'd advise people to consider the pros of security vs. the cons of
managing it.  Deciding between a spof (router/cpe and likely a couple
ethernet cables) and a firewall that is more disrespectful to unwanted
packets is a tough call for me in the workplace.  If the router/cpe can
take a beating then I might live with it and sleep a little better at
night -- though such decisions take testing and careful consideration.

   I'm too paranoid to say on this list before the masses that "iptables
is enough" in the workplace.  For others it may be enough, and that is
fine.  There is a bigger picture to be seen for those who care, and my
apologies if my response is steering this discussion further off topic
than the original poster was seeking.  I don't intend to suggest that
iptables is inferior, or that if you use iptables as your only means of
filtering you suck.

   I'll make an effort to be more on-topic in the future.  A few things
touched a nerve and I probably should have just clammed up and rolled with
them.  Something being "good enough" just grabbed me and squeezed in the
wrong places.  :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> >Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases.  However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect.  Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain.  Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.
>
>  - Keegan
>
>






Re: is iptables enough?

2003-03-20 Thread Keegan Quinn
On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
>Imo iptables is a reasonably good stateful firewall and is fine in most
> cases.  However, a very wise person once said that the ideal setup is to
> layer more than one implementation of packet filter and firewall between
> the wild and a host/network you wish to protect.  Ideally implementations
> on diverse platforms.

Just remember, that when you do this, you are introducing an additional point 
of failure for each device in the chain.  Some people like to keep these at a 
minimum, especially in the 'revenue-generating' environments you describe.

 - Keegan






Re: is iptables enough?

2003-03-20 Thread Adrian 'Dagurashibanipal' von Bidder
On Wed, 2003-03-19 at 23:01, Stefan Neufeind wrote:
> What I find astonishing: Let's say you are running a webserver, maybe 
> mailserver and a DNS on a server. What rules do you want to apply to 
> the packets etc.?

I guess plain iptables should be enough for a single PC or SOHO network -
you can do pretty much everything.

What I have not investigated is reporting - as iptables has no builtin
(canonical) fancy reporting software, you'd rely on add-on software, and
I don't know what's available there.

To the original poster: Do it all with iptables.

Set it up to block everything and then selectively open ports until
everything works as desired. Depending on the applications it may be a
good idea to REJECT auth (identd) packets instead of dropping them -
some applications have long timeouts.

Server hardware: a 486/25 with 36M RAM should be able to bear the load
you're describing (it did for me, for several years, and still does for
the people now living there, including also routing and squid proxy for
the 3 computers behind it). The only thing is that you'd want to avoid
compiling kernels on that machine :-)

To make your life as care-free as possible: install woody, not testing -
you don't really need the latest software, do you? - and subscribe to the
security announcement list. Think about partitioning your server - log
files at least, and perhaps mail spool, too, should go into a partition
of their own, and use some software to monitor disk usage (there's
software for this, but there's also the method of just calling 'df' from
a cron script). Use logcheck or some similar software - once you've
tuned it to your needs, you'll have almost no mail during regular
operation. pflogsumm or similar could be interesting if you want an
overview of what your mailserver is doing; it'll not react fast enough
if your server is ever abused, though. For the website, running webalizer
or somesuch is interesting; I have made the experience (with church
authorities, as it happens) that the not so tech-savvy are mightily
impressed if you can show them that 4 or 5 actual people really look at
the web page.

cheers
-- vbi

-- 
The prablem with Manoca is thot it's difficult ta tell the difference
between o cauple af the letters.
-- Jacob W. Haller on alt.religion.kibology
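The recipe above (block everything, then open ports selectively, and REJECT identd rather than DROP it), together with Vineet's three REJECT rules for the end of the INPUT chain and Vincent's reason for treating port 113 specially, as one added example that is not code from any of the posts: a POSIX shell function that writes a complete ruleset in iptables-restore syntax. `gen_ruleset`, `rule` and the `drop`/`reject` mode switch are my own; the interface name ppp0 and the rate limits are taken from vbi's config. It keeps `-m state` as the thread does; on a current kernel `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example: emit a default-deny ruleset in iptables-restore syntax
# for a single host that serves web and mail.  gen_ruleset and rule are
# my own helpers, not iptables commands.
#   gen_ruleset EXT_IF MODE "PORT PORT ..."
#   EXT_IF  the interface facing the Internet (ppp0 on vbi's box)
#   MODE    drop   - unmatched packets are silently dropped
#           reject - unmatched packets get Vineet's three REJECT replies
#   PORTS   TCP services opened to the world, e.g. "22 25 80 110"
# Load the output with:  gen_ruleset ppp0 reject "22 25 80 110" | iptables-restore

rule() { printf '%s\n' "$*"; }

gen_ruleset() {
    ext_if=$1; mode=$2; tcp_ports=$3
    case $mode in
        drop|reject) ;;
        *) echo "gen_ruleset: MODE must be drop or reject" >&2; return 1 ;;
    esac

    rule '*filter'
    # Block everything by default, then open ports selectively.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Anything not arriving on the outside interface is the LAN: trust it.
    rule -A INPUT ! -i "$ext_if" -j ACCEPT
    for p in $tcp_ports; do
        rule -A INPUT -i "$ext_if" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Answer pings, but rate-limited.
    rule -A INPUT -i "$ext_if" -p icmp --icmp-type echo-request -m limit --limit 10/min -j ACCEPT
    # identd: always REJECT with a reset so IRC and SMTP auth lookups fail
    # fast instead of hanging until the remote side's timeout.
    rule -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # Log the rest, rate-limited so a scan cannot fill the disk.
    rule -A INPUT -m limit --limit 20/hour --limit-burst 50 -j LOG --log-prefix '"iptables:INPUT "'
    if [ "$mode" = reject ]; then
        rule -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        rule -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
        rule -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    else
        rule -A INPUT -j DROP
    fi
    rule 'COMMIT'
}

gen_ruleset ppp0 reject "22 25 80 110"
```

With `reject` the chain ends the way Vineet's does, so a closed port answers at once; with `drop` it ends in a single `-j DROP`, the quieter choice Josh argues for. Either way port 113 gets a reset, so the identd timeout problem does not come back when you switch modes.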


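The "just call df from a cron script" disk monitor mentioned above, as an added example rather than the author's script: a POSIX shell function that parses `df -P` output, prints every filesystem at or above a threshold, and returns non-zero when it found one, so cron only mails you when a partition (the separate /var/log or mail spool the post recommends) is filling up. `check_disk_usage` is my own name, and the df output it is tested against is constructed.

```shell
#!/bin/sh
# Added example: the "call df from a cron script" disk monitor mentioned
# above.  check_disk_usage is my own helper.  It prints every filesystem
# at or above THRESHOLD percent and returns 1 when there is at least one,
# so cron mails the output only when something needs attention, e.g.
#   */30 * * * *  root  /usr/local/sbin/check_disk_usage 90
# SAMPLE_DF is constructed df -P output so the check can run offline.

SAMPLE_DF='Filesystem         1024-blocks    Used Available Capacity Mounted on
/dev/hda1              1032088  412532    567128      43% /
/dev/hda5               497829  478000     19829      96% /var/log
/dev/hda6              2064208 1722456    236892      88% /var/spool'

# check_disk_usage THRESHOLD [DF_OUTPUT]
# Uses DF_OUTPUT when given (for testing), else runs df -P itself.
# Mount points containing spaces are not handled (df -P prints them as-is).
check_disk_usage() {
    threshold=$1
    if [ -n "$2" ]; then dfout=$2; else dfout=$(df -P); fi
    printf '%s\n' "$dfout" | awk -v t="$threshold" '
        NR > 1 {                       # skip the header line
            use = $5; sub(/%$/, "", use)
            if (use + 0 >= t + 0) { print $6, $5; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

check_disk_usage 90 "$SAMPLE_DF" || echo "at least one filesystem is at 90% or more"
```

Because cron mails any output, the function prints nothing when everything is below the threshold; the exit status is there for scripts that chain it with other checks.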


Re: is iptables enough?

2003-03-20 Thread Adrian Phillips
> "Jones" == Jones  <[EMAIL PROTECTED]> writes:

Jones> I am planning to replace a (dead) Windows 2000 computer
Jones> that was used as a web server and email server with a
Jones> Debian Linux solution.  This machine is connected to the
Jones> net via DSL and would run apache and exim/qpopper and sshd.
Jones> Everything else would be turned off.  It is a small church
Jones> and their current site is not very busy, but she says they
Jones> do get a lot of email.

Jones> Am I right in assuming that iptables is enough as a firewall
Jones> solution and that I would not need to buy any additional
Jones> software.  That is what I understand from my past
Jones> experience with Debian/iptables as a server and from the
Jones> files at debian.org security howto at
Jones> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

You could use UML (user-mode-linux.sf.net) to split up the systems
(apache in 1, email in another) as an additional layer of
protection. .deb's are available, although you probably want to grab
unstable's versions to be reasonably up to date.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]



Re: Re: is iptables enough?

2003-03-20 Thread Dale Amon
On Thu, Mar 20, 2003 at 01:53:07PM +0100, Rolf Kutz wrote:
> How is that, since IDE and SCSI-Disks are having
> the same mechanics?

For one, the old IDE's tended to be more cheaply made.
He is right in that: for customer machines in that
era I always insisted on SCSI hard drives for speed 
and reliability.

There does not seem to be a whole lot of difference
anymore.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: Re: is iptables enough?

2003-03-20 Thread Rolf Kutz
* Quoting I.R. van Dongen ([EMAIL PROTECTED]):

> 
> On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
> 
> > On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
> > > This should be more than enough. I have been running a mailserver on a
> > > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> > > mail --- never had a problem.
> > 
> > Hah! Is nothing! I run a cablemodem firewall, multiple
> > VPN's, DNS, with snort, tiger, and other tools on a
> > 486 with 16MB of RAM!

> I hope that machine has scsi disks like my
> gateway (120MB & 1GB) since with that low on ram
> your machine is always swapping. That's usually
> no problem, but IDE disks tend to wear out fast
> when used 24/7. With more RAM (32-40M) your

How is that, since IDE and SCSI-Disks are having
the same mechanics?

> disks will be more standby.

More RAM is always good.

- Rolf

-- 
http://www.stop1984.com/






Re: Re: is iptables enough?

2003-03-20 Thread Dale Amon
On Thu, Mar 20, 2003 at 10:31:12AM +0100, I.R. van Dongen wrote:
> I hope that machine has scsi disks like my gateway (120MB & 1GB) since with 
> that low on ram your machine is always swapping. That's usually no problem, 
> but IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M) 
> your disks will be more standby.

Unfortunately no. It's what I call a "bin diver special", a junk
machine an office was going to throw away. 400MB IDE of the old
sort.

If snort is report building, you hear a lot of disk
activity; through most of the day you only hear a
click every couple seconds or so. It doesn't swap
while passing ip traffic. Might do so if I really
try to max the bandwidth, but I've not noticed it.

Hey, I got 3 of them for free, had to do something
with them. I already had a doorstop. :-)

-- 
--
   IN MY NAME: Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: Re: is iptables enough?

2003-03-20 Thread Rolf Kutz
* Quoting I.R. van Dongen ([EMAIL PROTECTED]):

> 
> On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
> 
> > On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> > > This should be more than enough. I have been running a mailserver on a
> > > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of
> > > mail --- never had a problem.
> > 
> > Hah! Is nothing! I run a cablemodem firewall, multiple
> > VPN's, DNS, with snort, tiger, and other tools on a
> > 486 with 16MB of RAM!

> I hope that machine has scsi disks like my
> gateway (120MB & 1GB) since with that low on ram
> your machine is always swapping. That's usually
> no problem, but IDE disks tend to wear out fast
> when used 24/7. With more RAM (32-40M) your

How is that, since IDE and SCSI-Disks are having
the same mechanics?

> disks will be more standby.

More RAM is always good.

- Rolf

-- 
http://www.stop1984.com/





Re: Re: is iptables enough?

2003-03-20 Thread I.R. van Dongen

On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:

> On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> > This should be more than enough. I have been running a mailserver on a
> > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of
> > mail --- never had a problem.
> 
> Hah! Is nothing! I run a cablemodem firewall, multiple
> VPN's, DNS, with snort, tiger, and other tools on a
> 486 with 16MB of RAM!
I hope that machine has scsi disks like my gateway (120MB & 1GB) since with 
that low on ram your machine is always swapping. That's usually no problem, but 
IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M) your 
disks will be more standby.

Gr,

Ivo van Dongen





fw distros - Re: is iptables enough? (fwd)

2003-03-19 Thread Alvin Oga


rest of the "secure distro" or floppy-based distro for
firewall grade OS  -- or a hardened debian box..

http://www.Linux-Sec.net/Distro/

- but from the looks of security advisories from some
distro, it's just like any other linux distro .. with
more or less tweaking to be better than the average distro

general firewall stuff ( config tools, fw testing, logging,
and pre-config'd firewalls )

http://www.Linux-Sec.net/FW/

c ya
alvin

> > Using a CDR gives you a lot more space.

> Bah, bloatware! ;-) 

> I'm using Coyote Linux[1] the only place I currently require a router, 
> works great. Indeed based on LRP. 

..

> I looked at PicoBSD [2] too, just to insert some non-uniformity in the 
> network, but couldn't make too much sense of it... 

> [1] http://www.coyotelinux.com/
> [2] http://people.freebsd.org/~picobsd/picobsd.html

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC





RE: is iptables enough?

2003-03-19 Thread Jones, Steven
I run 2 cronjobs to apt update each machine every night and email me the
updates; if I'm happy I log in and do the upgrade.

For protecting a single machine I have difficulty justifying a separate
firewall machine, I cannot see it achieving much unless the port forwarded
ports are proxied, i.e. no direct connection from outside to the server is
allowed. If it's protecting multiple machines in a DMZ then yes it has value,
however I run iptables on each machine in the DMZ as well such that another
machine in the DMZ cannot get to another.

I agree with the idea of having more than 1 firewall, using a different
firewall system giving defence in depth. Even an ACL on a CISCO router
before the firewall is a start. There have been cases of firewall 1 having
security holes and being directly connected to the net, yet convincing
others to allow me to put a linux box running simple iptables in front has
fallen on deaf ears.

I suppose it depends on how paranoid you wish to be, or if you prefer "once
stung twice shy". If you have not been stung then there are other
distractions taking your attention.

regards

Steven



-Original Message-
From: Stefan Neufeind [mailto:[EMAIL PROTECTED]
Sent: Thursday, 20 March 2003 10:22 
To: Ian Garrison
Cc: debian-security@lists.debian.org
Subject: Re: is iptables enough?


What I find astonishing: Let's say you are running a webserver, maybe 
mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest keeping the open ports restricted, checking for all
current updates regularly (subscribe to several mailinglists etc.)
and I guess that would be far enough. What other things does a
firewall have to offer? It's good if you want to protect e.g. a
network but for a single server I doubt it's that interesting or
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in
> most cases.  However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
> One example for consideration is a cisco packet filter (acls) that
> may allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
> That said, I use only iptables to filter my home network and either
> it is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical. 
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
>Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)


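
A cron-driven script along the lines Steven describes (refresh the lists nightly, mail the pending upgrades, do the real upgrade by hand later), as an added example that is not from his post or from the thread. The recipient, the state-file path, the `mail` command and the sample apt output are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a nightly cron job in the spirit of
# Steven's setup. It refreshes the package lists, runs a *simulated*
# upgrade, and mails the admin the list of pending upgrades; the real
# upgrade is still done by hand after reading the mail.
# Assumed crontab line:  30 3 * * * /usr/local/sbin/apt-nightly run
# ADMIN_MAIL, STATE_FILE and the `mail` command are assumptions.

ADMIN_MAIL="${ADMIN_MAIL:-root}"
STATE_FILE="${STATE_FILE:-/var/lib/apt-nightly/last-pending}"

# Turn `apt-get -s upgrade` output into one "pkg old -> new" line per
# pending package. Simulated runs print lines like
#   Inst libc6 [2.3.1-16] (2.3.1-17 Debian:3.0/stable)
#   Inst libnewdep (1.0-1 Debian:3.0/stable)   <- pulled in, not yet installed
# Reads stdin, writes sorted lines to stdout.
pending_upgrades() {
    awk '$1 == "Inst" {
        pkg = $2
        if (substr($3, 1, 1) == "[") {
            old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
            new = $4
        } else {
            old = "(new)"
            new = $3
        }
        sub(/^\(/, "", new)
        print pkg, old, "->", new
    }' | sort
}

# Refresh lists, compute the pending set and mail it if it changed since
# the previous run (so the same list does not arrive every night).
# Returns 0 when nothing is pending, 1 when something is, 2 on apt failure.
nightly_check() {
    apt-get -qq update || { echo "apt-get update failed" >&2; return 2; }
    report=$(apt-get -s upgrade | pending_upgrades)
    [ -n "$report" ] || return 0
    if [ -f "$STATE_FILE" ] && [ "$report" = "$(cat "$STATE_FILE")" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$report" > "$STATE_FILE"
    printf '%s\n' "$report" | mail -s "pending apt upgrades on $(hostname)" "$ADMIN_MAIL"
    return 1
}

# Constructed sample of `apt-get -s upgrade` output (versions invented).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  exim libc6
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst libc6 [2.3.1-16] (2.3.1-17 Debian:3.0/stable)
Inst exim [3.35-1] (3.35-2 Debian-Security:3.0/stable)
Inst libnewdep (1.0-1 Debian:3.0/stable)
Conf libc6 (2.3.1-17 Debian:3.0/stable)
Conf exim (3.35-2 Debian-Security:3.0/stable)
Conf libnewdep (1.0-1 Debian:3.0/stable)'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_APT_OUTPUT" | pending_upgrades ;;
    run)  nightly_check ;;
esac
```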



Re: is iptables enough?

2003-03-19 Thread Kjetil Kjernsmo
On Wednesday 19 March 2003 22:58, Rick Moen wrote:
> You could do that with Linux Router Project floppy images -- but
> booting from floppy is really cramped.  Through some miracle of
> economising on space, they finally migrated to libc6 and kernel
> 2.2.x, but God only knows how.

Hehe... 

> Using a CDR gives you a lot more space.

Bah, bloatware! ;-) 

I'm using Coyote Linux[1] in the only place I currently require a router,
works great. Indeed based on LRP.

But then, it doesn't have things like snort or tiger, which I guess, is
a requirement for some. Personally, I have a problem with all the
information generated by those... I just don't have time to deal with
it. Keeping it at an absolute minimum seemed like a good idea in that
position, as I guess when having more stuff that can break, more stuff
will break...

I looked at PicoBSD [2] too, just to insert some non-uniformity in the 
network, but couldn't make too much sense of it... 

[1] http://www.coyotelinux.com/
[2] http://people.freebsd.org/~picobsd/picobsd.html

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC



Re: is iptables enough?

2003-03-19 Thread Stefan Neufeind
What I find astonishing: Let's say you are running a webserver, maybe 
mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest keeping the open ports restricted, checking for all
current updates regularly (subscribe to several mailinglists etc.)
and I guess that would be far enough. What other things does a
firewall have to offer? It's good if you want to protect e.g. a
network but for a single server I doubt it's that interesting or
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in
> most cases.  However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
> One example for consideration is a cisco packet filter (acls) that
> may allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
> That said, I use only iptables to filter my home network and either
> it is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical. 
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
>Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)



Re: is iptables enough?

2003-03-19 Thread Rick Moen
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):

> Well, I'm primarily responding to your second question, but the way I 
> would do it, if I had the resources, would be to get a small Pentium 
> 133 MHz box, booting from a floppy and use it as a router and firewall. 
> No harddrive, a complete wasteland. 

You could do that with Linux Router Project floppy images -- but booting
from floppy is really cramped.  Through some miracle of economising on
space, they finally migrated to libc6 and kernel 2.2.x, but God only
knows how.

Using a CDR gives you a lot more space.

-- 
Cheers,  "Java is COBOL 2.0."
Rick Moen  -- Deirdre Saoirse Moen
[EMAIL PROTECTED]



Re: is iptables enough?

2003-03-19 Thread Dale Amon
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> This should be more than enough. I have been running a mailserver on a
> Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of
> mail --- never had a problem.

Hah! Is nothing! I run a cablemodem firewall, multiple
VPN's, DNS, with snort, tiger, and other tools on a
486 with 16MB of RAM!

*amon wonders how many know the MP old men from 
Northumberland skit...

-- 
--
   IN MY NAME: Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--




Re: is iptables enough?

2003-03-19 Thread Ian Garrison
   Imo iptables is a reasonably good stateful firewall and is fine in most
cases.  However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between
the wild and a host/network you wish to protect.  Ideally implementations
on diverse platforms.

   One example for consideration is a cisco packet filter (acls) that may
allow fragmented packets to traverse its filters, but once passed on to
an iptables ruleset might get discarded because iptables was written
separately from cisco's implementation and happens to catch this case and
a few other cases that were missed.  Make your network an onion if you can
engineer a method to easily manage your rules.

   That said, I use only iptables to filter my home network and either it
is doing a great job or nobody is interested in attacking my host (likely
both).  For me, it does the job as nothing is revenue generating for
myself or others -- it's important, but not critical.  If I had a client
that wanted to sell stuff on the web and handling ccard ordering of a
product, as well as all their corporate email, then I would be more
thoughtful of additional measures to protect the network.  In my work
environment every so often developers or others turn off our iptables
rulesets without telling us, as it is easy (one little command).  In such
cases the cisco packet filter will offer some protection and disabling
such filters is more work than our developers care to struggle against.

   Iptables/ipf and any other stateful firewall that attempts to be a
modern contender in the firewalling ring is likely 'good enough'.  My
point is that while I like iptables, it and every other filter out there
will fall subject to some method of circumvention/exploitation at some
point, and that how much effort you put into hardening your network is up
to you.  Your question almost seems to be "is iptables developed enough to
compete with commercial solutions", to which I would say "yes, if the
person deploying the rules is experienced enough to write a solid set of
rules".  If I was you, I would be satisfied with iptables and the hardware
you have selected -- but I am not you, and this decision is not mine to
make.  No matter where you set the bar there will still be more secure
solutions.  "secure enough" is all a state of paranoia and budget.  :)

-ian

On Wed, 19 Mar 2003, Jones wrote:

> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution.  This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd.  Everything else would be turned off.  It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software.  That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
>
> On a less related note, what hardware config would you recommend for
> such a system?  She has a number of machines that I could choose
> from.  Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.
>
> thanks
> jmb
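
A default-deny ruleset for the single-purpose box Jones describes (sshd, exim, apache, qpopper), together with an audit that notices the flushed-ruleset case Ian mentions, as an added example that is not from Ian's post or from the thread. Rules are emitted in iptables-restore format and the audit reads an iptables-save dump, so both can be exercised without root; the port list and the constructed dump are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny INPUT policy for a
# box that should answer only SSH, SMTP, HTTP and POP3, emitted in
# iptables-restore format, plus an audit of an iptables-save dump that
# catches the "one little command" case where somebody flushed the rules.
# The port list and the constructed dump below are assumptions.

# sshd, exim (SMTP), apache (HTTP), qpopper (POP3): the services Jones listed.
ALLOWED_TCP_PORTS="22 25 80 110"

# Emit a complete filter table.
# Usage: gen_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_ruleset() {
    printf '*filter\n'
    # Default-deny inbound and forwarded traffic; this host is not a router.
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    # Replies to connections this host opened (DNS, apt mirrors, outbound SMTP).
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # Packets that conntrack cannot associate with any connection.
    printf -- '-A INPUT -m state --state INVALID -j DROP\n'
    for port in $ALLOWED_TCP_PORTS; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done
    # Log a sample of what is about to hit the DROP policy.
    printf -- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "\n'
    printf 'COMMIT\n'
}

# Audit an iptables-save dump read from stdin. Succeeds only if INPUT has
# a DROP policy and every allowed port has exactly one ACCEPT rule; fails
# (and says why on stderr) otherwise. Meant for a cron job that mails on
# failure, e.g.:  iptables-save | audit_ruleset || mail -s "firewall off" root
audit_ruleset() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "INPUT policy is not DROP: ruleset flushed or never loaded" >&2
        return 1
    fi
    for port in $ALLOWED_TCP_PORTS; do
        n=$(printf '%s\n' "$dump" | grep -c -- "-A INPUT -p tcp .*--dport $port .*-j ACCEPT" || true)
        if [ "$n" -ne 1 ]; then
            echo "expected one ACCEPT rule for tcp/$port, found $n" >&2
            return 1
        fi
    done
    return 0
}

# Constructed dump of what `iptables -F; iptables -P INPUT ACCEPT` leaves behind.
FLUSHED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

if [ "${1:-}" = "demo" ]; then
    gen_ruleset
    gen_ruleset | audit_ruleset && echo "generated ruleset passes audit"
    printf '%s\n' "$FLUSHED_DUMP" | audit_ruleset || echo "flushed ruleset detected"
fi
```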




Re: is iptables enough?

2003-03-19 Thread Keegan Quinn
Hello,

On Wednesday 19 March 2003 11:44 am, Jones wrote:
> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution.  This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd.  Everything else would be turned off.  It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.

I would imagine that their 'lot of email' will be quite negligible to whatever 
server you can come up with.

> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software.  That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

Absolutely.  Dedicated firewall hardware in such a small installation would 
seem ridiculously paranoid, to me.  I'm not even sure what "additional 
software" you could consider.

> On a less related note, what hardware config would you recommend for
> such a system?  She has a number of machines that I could choose
> from.  Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.

I'd say even without any additional RAM, you will be home free.  Doubling it 
will make it fly, but I strongly doubt you will see any noticeable swapping 
at 256.  The actual requirements of the installation you're describing are 
ridiculously small.

Good luck, and happy Debian-ing!

 - Keegan



Re: is iptables enough?

2003-03-19 Thread Janus N.
On Wed, 2003-03-19 at 20:44, Jones wrote:
> On a less related note, what hardware config would you recommend for 
> such a system?  She has a number of machines that I could choose 
> from.  Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this 
> should more than adequate for a system doing nothing but HTTP and 
> SMTP/POP requests.

This should be more than enough. I have been running a mailserver on a
Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of
mail --- never had a problem.

Janus

-- 
Janus N. Tøndering <[EMAIL PROTECTED]>




Re: is iptables enough?

2003-03-19 Thread Kjetil Kjernsmo
Hi!


On Wednesday 19 March 2003 20:44, Jones wrote:
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software. 

Well, I'm primarily responding to your second question, but the way I 
would do it, if I had the resources, would be to get a small Pentium 
133 MHz box, booting from a floppy and use it as a router and firewall. 
No harddrive, a complete wasteland. But then, I'm really a newbie in 
all this, so you might want to listen to the pros... :-)

>  Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.

My main server is a Pentium PRO 180 MHz with 96 MB RAM. It gets a lot of
e-mail, and has a whole bunch of mailinglists distributing many hundred
messages a day. It had some problems when it was overwhelmed by an old
Mailman bug that resulted in it receiving a few ~200 KB messages a
second, and tried to scan all those with SpamAssassin (it took me half
an hour to type "reboot" :-) ), but other than that, the CPU is mostly
idle.

Also, I tried to run Apache Cocoon on it, it worked, but it clearly had
too little RAM for that. If you plan to run Cocoon, then 512 MB would
be nice, but similar solutions, like AxKit, demand much less.

So, I think you would be fine with a much smaller box than that, but a 1 
GHz with 256 MB is cool, if that is what you've got.  

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC



Re: is iptables enough?

2003-03-19 Thread Stefan Neufeind
What I find astonishing: Let's say you are running a webserver, maybe 
mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest to keep the open ports restricted, check for all 
current updates regularly (subscribe to several mailinglists etc.) 
and I guess that would be far enough. What other things does a 
firewall have to offer? It's good if you want to protect e.g. a 
network but for a single server I doubt it's that interesting or 
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in
> most cases.  However, a very wise person once said that the ideal setup
> is to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
> One example for consideration is a cisco packet filter (acls) that
> may allow fragmented packets to traverse its filters, but once passed
> on to an iptables ruleset they might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
> That said, I use only iptables to filter my home network and either
> it is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical.
> If I had a client that wanted to sell stuff on the web and handle
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
> Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: is iptables enough?

2003-03-19 Thread Raymond Wood
On Wed, Mar 19, 2003 at 01:44:13PM -0600, Jones remarked:
> I am planning to replace a (dead) Windows 2000 computer that
> was used as a web server and email server with a Debian Linux
> solution.  This machine is connected to the net via DSL and
> would run apache and exim/qpopper and sshd.  Everything else
> would be turned off.  It is a small church and their current
> site is not very busy, but she says they do get a lot of
> email.
> 
> Am I right in assuming that iptables is enough as a firewall
> solution and that I would not need to buy any additional
> software.  

Yes, the iptables tool is sufficient to construct a reliable
firewall.  Network topology is another issue, and one people
enjoy debating ;)

> That is what I understand from my past experience
> with Debian/iptables as a server and from the files at
> debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

I would recommend you take a look at the 'Shoreline Firewall',
more commonly known as 'Shorewall'.  It's a good firewall
solution and DEBs are available.  Takes a while to get used to
(i.e. figure out how it works) but it is reasonably well
documented, and most importantly, well done.

> On a less related note, what hardware config would you
> recommend for such a system?  She has a number of machines
> that I could choose from.  Most of them are 1.x GHz Pentium
> systems with 256MB RAM and 10 GB IDE hard drives.  After
> increasing the RAM to 512MB, I think this should be more than
> adequate for a system doing nothing but HTTP and SMTP/POP
> requests.

More than enough, yes.

> thanks
> jmb

My $0.02,
Raymond




Re: is iptables enough?

2003-03-19 Thread Rick Moen
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):

> Well, I'm primarily responding to your second question, but the way I 
> would do it, if I had the resources, would be to get a small Pentium 
> 133 MHz box, booting from a floppy and use it as a router and firewall. 
> No harddrive, a complete wasteland. 

You could do that with Linux Router Project floppy images -- but booting
from floppy is really cramped.  Through some miracle of economising on
space, they finally migrated to libc6 and kernel 2.2.x, but God only
knows how.

Using a CDR gives you a lot more space.

-- 
Cheers,  "Java is COBOL 2.0."
Rick Moen  -- Deirdre Saoirse Moen
[EMAIL PROTECTED]





is iptables enough?

2003-03-19 Thread Jones
I am planning to replace a (dead) Windows 2000 computer that was used 
as a web server and email server with a Debian Linux solution.  This 
machine is connected to the net via DSL and would run apache and 
exim/qpopper and sshd.  Everything else would be turned off.  It is a 
small church and their current site is not very busy, but she says 
they do get a lot of email.


Am I right in assuming that iptables is enough as a firewall solution 
and that I would not need to buy any additional software.  That is 
what I understand from my past experience with Debian/iptables as a 
server and from the files at the debian.org security howto at 
(http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)


On a less related note, what hardware config would you recommend for 
such a system?  She has a number of machines that I could choose 
from.  Most of them are 1.x GHz Pentium systems with 256MB RAM and 10 
GB IDE hard drives.  After increasing the RAM to 512MB, I think this 
should be more than adequate for a system doing nothing but HTTP and 
SMTP/POP requests.


thanks
jmb



Re: is iptables enough?

2003-03-19 Thread Dale Amon
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> This should be more than enough. I have been running a mailserver on a
> Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> of mail --- never had a problem.

Hah! Is nothing! I run a cablemodem firewall, multiple
VPN's, DNS, with snort, tiger, and other tools on a
486 with 16MB of RAM!

*amon wonders how many know the MP old men from 
Northumberland skit...

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--





Re: is iptables enough?

2003-03-19 Thread Ian Garrison
Imo iptables is a reasonably good stateful firewall and is fine in most
cases.  However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between
the wild and a host/network you wish to protect.  Ideally implementations
on diverse platforms.

One example for consideration is a cisco packet filter (acls) that may
allow fragmented packets to traverse its filters, but once passed on to
an iptables ruleset they might get discarded because iptables was written
separately from cisco's implementation and happens to catch this case and
a few other cases that were missed.  Make your network an onion if you can
engineer a method to easily manage your rules.

That said, I use only iptables to filter my home network and either it
is doing a great job or nobody is interested in attacking my host (likely
both).  For me, it does the job as nothing is revenue generating for
myself or others -- it's important, but not critical.  If I had a client
that wanted to sell stuff on the web and handle ccard ordering of a
product, as well as all their corporate email, then I would be more
thoughtful of additional measures to protect the network.  In my work
environment every so often developers or others turn off our iptables
rulesets without telling us, as it is easy (one little command).  In such
cases the cisco packet filter will offer some protection and disabling
such filters is more work than our developers care to struggle against.

Iptables/ipf and any other stateful firewall that attempts to be a
modern contender in the firewalling ring is likely 'good enough'.  My
point is that while I like iptables, it and every other filter out there
will fall subject to some method of circumvention/exploitation at some
point, and that how much effort you put into hardening your network is up
to you.  Your question almost seems to be "is iptables developed enough to
compete with commercial solutions", to which I would say "yes, if the
person deploying the rules is experienced enough to write a solid set of
rules".  If I was you, I would be satisfied with iptables and the hardware
you have selected -- but I am not you, and this decision is not mine to
make.  No matter where you set the bar there will still be more secure
solutions.  "secure enough" is all a state of paranoia and budget.  :)

-ian

On Wed, 19 Mar 2003, Jones wrote:

> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution.  This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd.  Everything else would be turned off.  It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software.  That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at the debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
>
> On a less related note, what hardware config would you recommend for
> such a system?  She has a number of machines that I could choose
> from.  Most of them are 1.x GHz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.
>
> thanks
> jmb
>



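Here is the ruleset Jones is asking about, written out as an added example (it is not from anyone in this thread). It generates a default-deny, stateful iptables ruleset for a single Internet-facing host that runs only the four daemons in the original post, in iptables-restore(8) syntax so it can be reviewed and kept under version control before being loaded. Assumptions: the daemons listen on their standard ports (22, 25, 80, 110), and the `state` match of the 2.4-era netfilter is used (current iptables still accepts it as a front end to conntrack). Since Ian's point is that rulesets get switched off with "one little command", the block also carries a check that reads `iptables-save` output and fails unless the INPUT policy is still DROP with rules present, so it can be run from cron and alert when the filter has been flushed.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny stateful ruleset for a
# host running sshd, exim (SMTP), apache (HTTP) and qpopper (POP3), plus
# a check that the ruleset is still in place.
# Assumption: the daemons listen on their standard ports.
SERVICE_PORTS="22 25 80 110"

# Emit the ruleset in iptables-restore(8) syntax; lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in the file.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is trusted; replies to connections this host opened are allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop what connection tracking cannot classify (bad TCP flag combinations,
# stray fragments: with ip_conntrack loaded the kernel reassembles
# fragments before the filter sees them, which is the kind of difference
# between filter implementations Ian describes).
-A INPUT -m state --state INVALID -j DROP
EOF
    # One rule per exposed service; only new connections need a rule because
    # the ESTABLISHED,RELATED rule above handles the rest of each session.
    for port in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# Rate-limited ping keeps the box diagnosable without making it a ping sink.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log a sample of what the default policy drops; the policy does the dropping.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Read iptables-save(8) output on stdin and succeed only if the INPUT chain
# still has a DROP policy and at least one rule. A flushed table
# ("iptables -F" or "iptables -P INPUT ACCEPT") makes this fail.
check_default_deny() {
    awk '
        /^:INPUT DROP/ { policy_ok = 1 }
        /^-A INPUT /   { rules++ }
        END { exit !(policy_ok && rules > 0) }
    '
}

# Usage (assumed invocation names):
#   sh fw.sh print   - show the ruleset for review (default)
#   sh fw.sh load    - apply it (as root) via iptables-restore
#   sh fw.sh check   - exit non-zero if the live ruleset has been removed
case "${1:-print}" in
    print) gen_ruleset ;;
    load)  gen_ruleset | iptables-restore ;;
    check) iptables-save | check_default_deny && echo "INPUT policy is DROP, rules present" ;;
esac
```

The `check` mode is the cheap answer to rulesets being turned off unnoticed: run it from cron and mail on non-zero exit, and the "one little command" gets noticed within minutes rather than at the next audit.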


Re: is iptables enough?

2003-03-19 Thread Keegan Quinn
Hello,

On Wednesday 19 March 2003 11:44 am, Jones wrote:
> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution.  This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd.  Everything else would be turned off.  It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.

I would imagine that their 'lot of email' will be quite negligible to whatever 
server you can come up with.

> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software.  That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at the debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

Absolutely.  Dedicated firewall hardware in such a small installation would 
seem ridiculously paranoid, to me.  I'm not even sure what "additional 
software" you could consider.

> On a less related note, what hardware config would you recommend for
> such a system?  She has a number of machines that I could choose
> from.  Most of them are 1.x GHz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.

I'd say even without any additional RAM, you will be home free.  Doubling it 
will make it fly, but I strongly doubt you will see any noticeable swapping 
at 256.  The actual requirements of the installation you're describing are 
ridiculously small.

Good luck, and happy Debian-ing!

 - Keegan





Re: is iptables enough?

2003-03-19 Thread Janus N.
On Wed, 2003-03-19 at 20:44, Jones wrote:
> On a less related note, what hardware config would you recommend for 
> such a system?  She has a number of machines that I could choose 
> from.  Most of them are 1.x GHz Pentium systems with 256MB RAM and 10 
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this 
> should be more than adequate for a system doing nothing but HTTP and 
> SMTP/POP requests.

This should be more than enough. I have been running a mailserver on a
Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
of mail --- never had a problem.

Janus

-- 
Janus N. Tøndering <[EMAIL PROTECTED]>





Re: is iptables enough?

2003-03-19 Thread Kjetil Kjernsmo
Hi!


On Wednesday 19 March 2003 20:44, Jones wrote:
> Am I right in assuming that iptables is enough as a firewall solution 
> and that I would not need to buy any additional software. 

Well, I'm primarily responding to your second question, but the way I 
would do it, if I had the resources, would be to get a small Pentium 
133 MHz box, booting from a floppy and use it as a router and firewall. 
No harddrive, a complete wasteland. But then, I'm really a newbie in 
all this, so you might want to listen to the pros... :-)

> Most of them are 1.x GHz Pentium systems with 256MB RAM and 10
> GB IDE hard drives.  After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.

My main server is a Pentium PRO 180 MHz with 96 MB RAM. It gets a lot of 
e-mail, and has a whole bunch of mailinglists distributing many hundred 
messages a day. It had some problems when it was overwhelmed by an old 
Mailman bug that resulted in it receiving a few ~200 KB messages a 
second, and tried to scan all those with SpamAssassin (it took me half 
an hour to type "reboot" :-) ), but other than that, the CPU is mostly 
idle. 

Also, I tried to run Apache Cocoon on it; it worked, but it clearly had 
too little RAM for that. If you plan to run Cocoon, then 512 MB would 
be nice, but similar solutions, like AxKit, demand much less. 

So, I think you would be fine with a much smaller box than that, but a 1 
GHz with 256 MB is cool, if that is what you've got.  

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/  OpenPGP KeyID: 6A6A0BBC




