[ale] stateful firewall?

Mark Hurley debian4tux at telocity.com
Wed Oct 17 21:52:42 EDT 2001


On Wed, Oct 17, 2001 at 11:15:38AM -0700, Bao C. Ha wrote:
> 
> > 
> > 
> > I've been working for the past day or so on setting up
> > ipchains to use as my company's firewall.  Then the
> > one of our senior IT guys came by and said "Linux
> > boxes don't make firewalls.  They make good proxies,
> > but not firewalls.  Linux has no stateful firewalls".
> 
> Wow!  So tell me what you need from a stateful
> firewall that Ipchains cannot provide.  A lot of the time,
> "stateful firewall" is just a buzz/FUD marketing word.
> I would ask for clarification on the requirements that
> do utilize a stateful firewall.

Agreed; if your senior IT guy would like to talk about the firewall, I
would be more than happy to eat a free lunch.

> > I know in Bob Toxen's book it's mentioned that the 2.4
> > kernel provides a stateful firewall capability called
> > NETFILTER.  Has anyone had any experience with this? 
> > Good/bad?  Is it stable enough to use in a production
> > environment?
> 
> Yes!  Iptables/netfilter can do a banging job as a stateful
> firewall.  It works great.  Just make sure that you use
> the most recent one.  There was a security hole in
> ip_conntrack_ftp in April, I think.

If you would like to read more on that security flaw, check out one of
the links.  In short, it affected kernels 2.4.3 and below.  A patch has
been posted, but I would opt for one of the more recent kernels.

Ohh links...

http://netfilter.samba.org/security-fix/index.html
 -- or --
http://www.tempest.com.br/advisories/01-2001.html

> > If it is stable enough, we have installed RH 7.1,
> > which uses the 2.4, so we're good to go.  However, the
> > IT guy also seems to think that all linux
> > distributions have too many holes (with the exception
> > of the NSA's distribution, which he mentioned in
> > passing).  It was my impression that I could disable
> > pretty much every service on the box (with the
> > exception of those that *have* to be running to
> > function as a firewall) and we'd be pretty secure.  Is
> > this not the case?
> 
> I build firewalls from scratch.  Sometimes I use Slackware
> or Debian and strip it to the bare minimum.  
> 
> The answer to your question is YES, with reservations.
> That includes any Unices, Solaris/AIX/HPUX.

Agreed (ouch, blanket statement?).  For clarification, I agree ANY OS
can be made more secure.  It goes along with the house/windows/door
thing: when you buy a house, are you sure it is locked and all the
windows are closed?  As with any OS, with it comes responsibility: not
just installing a quick fix to alleviate all your ailments, but having a
mature Net Admin who is willing to be anal.  (Can we say that on air?)

As many would point out, some OSes are more secure by default than
others, including "web servers" (pun intended).

Mark Hurley
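The thread asks what a stateful firewall gives you that a packet filter like ipchains cannot. The toy below (added illustration, not code from the list or from netfilter) contrasts an ipchains-style "block inbound SYN-only" rule with a connection-tracking filter that only admits inbound packets belonging to a connection the inside host opened. Addresses, ports and packets are constructed for the example.

```python
"""Toy TCP filter: stateless ipchains-style rule vs. netfilter-style conntrack.
Constructed example; addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool  # True = arrives from the Internet side


INSIDE = "192.0.2.10"  # constructed inside host


def stateless_allow(p: Pkt) -> bool:
    """ipchains-style: refuse only inbound connection starts (SYN without
    ACK, the '-y' match). Every other inbound packet has to pass so that
    replies to our own connections can get back in."""
    if not p.inbound:
        return True
    return not (p.syn and not p.ack)


class StatefulFilter:
    """netfilter-style: remember connections opened from inside and admit
    inbound packets only when they match one (ESTABLISHED)."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def allow(self, p: Pkt) -> bool:
        if not p.inbound:
            if p.syn and not p.ack:  # NEW connection leaving the network
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.conns


def demo() -> dict:
    """Run both filters over a real reply and an unsolicited inbound ACK."""
    fw = StatefulFilter()
    out_syn = Pkt(INSIDE, 40000, "198.51.100.5", 80, True, False, False)
    reply = Pkt("198.51.100.5", 80, INSIDE, 40000, True, True, True)
    stray = Pkt("203.0.113.9", 80, INSIDE, 22, False, True, True)
    res = {"reply_stateless": stateless_allow(reply),
           "stray_stateless": stateless_allow(stray)}
    fw.allow(out_syn)
    res["reply_stateful"] = fw.allow(reply)
    res["stray_stateful"] = fw.allow(stray)
    return res
```

Both filters pass the legitimate reply, but only the connection tracker drops the stray ACK-flagged packet aimed at port 22, because no inside host ever opened that connection.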

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.