I just wanted to thank everybody for their input. I've brought the
options mentioned to the PHBs.
-Cole
Oops, forgot part of my reply...
On Wed, 13 Dec 2000, Cole Tuininga wrote:
>> Checkpoint's Firewall-1 ...
>
> I couldn't find the link for the embedded box version - just the software
> version?
From their home page, click "Products", then "Security Appliances", to reach
this page:
On Wed, 13 Dec 2000, Todd Littlefield wrote:
> As an addition to the "New User Nights" perhaps there should be
> a "Hardening and Firewalling" night as well... Just an idea.
Hear, hear! And... maybe combine 'em with a "VPN solutions" night? Or,
perhaps, simply "Linux security?"
-Ken
On Wed, 13 Dec 2000, Cole Tuininga wrote:
>>
>> Install Linux on some PC hardware. ;-)
>
> We've actually taken this approach before. The thing that I like about
> doing a "hardware" solution is that the only moving part is a fan.
I can think of several answers to that concern off the top
This topic seems to come up quite a bit. I'm stretching my
memory here, but I don't think it was proposed as a meeting subject for
any of the LUGs. (Please correct me if I am wrong, I'd like to attend
the session).
Perhaps firewalls in general with followup meetings detailing
i
I hate the term "hardware firewall". All that means is a proprietary box
running proprietary code. But, if we must go in this direction, I'll
leave out my rant about using a Linux PC ;-)
If you're looking for stable, I would have to say that the Cisco PIX is
a good bet. It's stable, and it does a
On Dec 13, Benjamin Scott claimed:
> Install Linux on some PC hardware. ;-)
We've actually taken this approach before. The thing that I like about
doing a "hardware" solution is that the only moving part is a fan. Hard
drives fail more frequently than fans and are a bigger pain to
replace.
I mention Linux several times in this reply, so I hereby declare it
"on-topic". ;-)
On Wed, 13 Dec 2000, Cole Tuininga wrote:
> At my job, we have need of a fairly decent (hardware based) firewall.
Install Linux on some PC hardware. ;-)
Seriously: The term "hardware based firewall" is
My apologies for being off topic, but I very much respect a lot of the
advice and experience I've seen on this list and was wondering if perhaps
I could get some suggestions.
At my job, we have need of a fairly decent (hardware based) firewall. Not
having experience with such beasts, I am turni
On Wed, 16 Aug 2000, Paul Lussier wrote:
> O'Reilly has an excellent book on the subject, Building Internet
> Firewalls, which describes all types of firewall configurations; using
> both commercial products, homegrown solutions, and a mix. (Unfortunately
> is a little dated, since it doesn't inc
In a message dated: Tue, 15 Aug 2000 18:32:35 EDT
"Dave Nichols" said:
>Folks,
>
>Just a question coming out of some work I'm doing today. I was always
>taught a double Firewall surrounded a TRUE DMZ (one in front, one in back).
>
>I see more and more people representing DMZ's coming off a SING
Yesterday, Dave Nichols gleaned this insight:
> Folks,
>
> Just a question coming out of some work I'm doing today. I was always
> taught a double Firewall surrounded a TRUE DMZ (one in front, one in back).
>
> I see more and more people representing DMZ's coming off a SINGLE firewall,
> the s
Dave,
It all depends on the needs of the customer, and how much they
want to spend. You can actually achieve the same effect with one
firewall as you get with two depending on how it is set up.
Kenny
Dave Nichols wrote:
>
> Folks,
>
> Just a question coming out of some work I'm doing today.
I believe there's a difference between what I call a "logical" firewall
and a "physical" one. The physical one being separate boxes with
separate segments coming out of them (segments == wires); usually just
routers. A logical one can have one (or more) segments with one or more
networks on each s
Folks,
Just a question coming out of some work I'm doing today. I was always
taught a double Firewall surrounded a TRUE DMZ (one in front, one in back).
I see more and more people representing DMZ's coming off a SINGLE firewall,
the same one which protects the corporate jewels... and implementi
Sorry, I thought that my feelings on Rob Zeigler's firewall tool
were quite well known on the list. But for the benefit of those
who are just joining us, here is a brief synopsis:
1) The scripts are bloated with a lot of un-needed crap that can
lead to exploits
2) In his book, Rob admits "I don't
That's not a very helpful statement. Care to share with us *why* you wouldn't
trust the script, or should we just take your word for it?
-- Dave
On Tue, 15 Aug 2000 12:00:34 -0400, Kenneth E. Lussier said:
> Linux-firewall-tools.com is Rob Zeigler's website. I wouldn't
> trust my system to be
Linux-firewall-tools.com is Rob Zeigler's website. I wouldn't
trust my system to be protected by that script.
Kenny
Charles Farinella wrote:
>
> On Mon, 14 Aug 2000, cdowns wrote:
> >
> > what I don't understand is why you are listening on port 81 ->
> > $ext_address and masqing to an internal
On Mon, 14 Aug 2000, cdowns wrote:
>
> what I don't understand is why you are listening on port 81 ->
> $ext_address and masqing to an internal machine at port 80 ->
> $int_address ? are you running this for a special reason ?
This is a generic script I got off the linux-firewalls-tools.com site
On Mon, 14 Aug 2000, Kenneth E. Lussier wrote:
> I use variables in my firewall script. For my IP address, I use the
> variable "IPADDR", and I define it at the beginning of the script as:
> IPADDR="`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
> That way I don't have to go thr
In theory, I agree with Derek on this practice. However, there are two
reasons that I don't do this:
1) If DNS gets hosed you can't re-run the firewall script
2) $IPADDR is a LOT less typing ;-) (ok, so I'm lazy)
Kenny
On Mon, 14 Aug 2000, Derek Martin wrote:
> On Mon, 14 Aug 2000, Kenneth E.
On 14 Aug 2000, Dave Seidel wrote:
> I have the two lines that start with "/usr/sbin/ipmasqadm" commented out in my
> version of rc.firewall, because for some reason I don't have that command on my
> system. Instead, I have these three lines:
The IPMASQADM package is for port forwarding of traff
I use variables in my firewall script. For my IP address, I use the
variable "IPADDR", and I define it at the beginning of the script as:
IPADDR="`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
That way I don't have to go through the entire script and change it
every time my IP ad
Cole Tuininga wrote:
> On Aug 13, Charles Farinella claimed:
>
> > I have the following line in my rc.firewall script:
> > ==/usr/sbin/ipmasqadm portfw -a -P tcp -L (external ipaddress) 81 -R
> > (internal ipaddress) 80==
>
> [snip]
>
> Out of curiosity, could you change the ip address to the hos
On Aug 13, Charles Farinella claimed:
> I have the following line in my rc.firewall script:
> ==/usr/sbin/ipmasqadm portfw -a -P tcp -L (external ipaddress) 81 -R
> (internal ipaddress) 80==
[snip]
Out of curiosity, could you change the ip address to the hostname that
mediaone has assigned to y
do you have ipmasqadm loaded ?
http://dsbelile.ne.mediaone.net/dsbelile/downloads/firewall_utils/ is the
directory on my server for the firewall utils you need.
take care, chris
Dave Seidel wrote:
> Hi Charlie,
>
> I have the two lines that start with "/usr/sbin/ipmasqadm" commented out in my
>
Hi Charlie,
I have the two lines that start with "/usr/sbin/ipmasqadm" commented out in my
version of rc.firewall, because for some reason I don't have that command on my
system. Instead, I have these three lines:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipch
I have the following line in my rc.firewall script:
==/usr/sbin/ipmasqadm portfw -a -P tcp -L (external ipaddress) 81 -R
(internal ipaddress) 80==
The external address connects to Mediaone, the internal address to a small
network.
What will happen when Mediaone changes my address, what will I h
Bruce Dawson wrote:
> Also, masquerading uses timeouts, so if you want to maintain a
> mostly-idle connection to an external address, masquerading probably won't be the
> best (although you could use ipmasqadm to "pierce" the firewall for that one
> connection). Although, most ISPs don't have thes
csmith wrote:
>
> If you wanted to firewall a mixed OS environment with a Linux box of
> about 30 to 60 computers that had access to the outside world
> (internet) via a T1 line and router and switch, what would be your
> recommendation for the firewall program ( IPChains or somet
On Fri, 26 May 2000, Benjamin Scott wrote:
> Hmmm, I just checked www.ora.com, and "Building Internet Firewalls" is
> scheduled to have a second, updated edition released next month. That might
> be worth waiting for. It will certainly be a welcome title by me. The blurb
> claims it will now
On Fri, 26 May 2000, csmith wrote:
> If you wanted to firewall a mixed OS environment with a Linux box of
> about 30 to 60 computers that had access to the outside world (internet)
> via a T1 line and router and switch, what would be your recommendation for
> the firewall program ( IPChains
Well, on the firewall, you will probably want 2 nics. One for
the internal network, one for the external network.
Otherwise, I'd use ipchains (and probably gfcc to admin it)
and masquerading. Masquerading has problems with certain protocols,
but there's ip_masq_* kernel modules to fix those probl
If you wanted to firewall a mixed OS environment with a Linux box of
about 30 to 60 computers that had access to the outside world
(internet) via a T1 line and router and switch, what would be your
recommendation for the firewall program ( IPChains or something
else) and the hardw