[ale] stateful firewall?

Transam transam at cavu.com
Sun Oct 21 02:31:28 EDT 2001


"Denny Chambers" <bugfixer at bellsouth.net> wrote:

> Here is an article by ZDNet titled "Netfilter and iptables: Stateful
> firewalling for Linux" maybe this will answer some of your questions.

> http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2817396,00.html

Not really.  IP Chains already IS stateful.  That's what the modules
for Active FTP, Real Audio, Quake, etc. are for.  Realistically, IP Tables
doesn't have much over IP Chains for most applications and is a pain to deal
with.

Someone claimed that a Cisco is needed for significant bandwidth.  The
general rule of thumb is that a middle-of-the-line 486 has no trouble
handling T1/Cable modem speeds with IP Chains and a high end Pentium can
handle T3 speeds.

> Denny Chambers
> Linux Java Engineer

> > -----Original Message-----
> > From: Mark [mailto:mph at bravo-64-128-248-9.telocity.com]On Behalf Of Mark
> > Hurley
> > Sent: Wednesday, October 17, 2001 8:53 PM
> > To: ale at ale.org
> > Subject: Re: [ale] stateful firewall?
> >
> > On Wed, Oct 17, 2001 at 11:15:38AM -0700, Bao C. Ha wrote:

> > > > I've been working for the past day or so on setting up
> > > > ipchains to use as my company's firewall.  Then the
> > > > one of our senior IT guys came by and said "Linux
> > > > boxes don't make firewalls.  They make good proxies,
> > > > but not firewalls.  Linux has no stateful firewalls".

He's wrong.  Ask him to describe an attack scenario that his solution
(Cisco? Checkpoint?) can handle that IP Chains cannot.  I doubt he can.

> > > Wow!  So tell me what do you need to do from a stateful
> > > firewall that Ipchains cannot provide.  A lot of the time,
> > > stateful firewall is just a buzz/FUD marketing word.
> > > I would ask for clarification on the requirements that
> > > do utilize a stateful firewall.

Yup.  Firewall vendor FUD.  I've seen it in action.

> > Agree, if your senior IT guy would like to talk about the firewall, I
> > would be more than happy to eat a free lunch.

> > > > I know in Bob Toxen's book it's mentioned that the 2.4
> > > > kernel provides a stateful firewall capability called
> > > > NETFILTER.  Has anyone had any experience with this?
> > > > Good/bad?  Is it stable enough to use in a production
> > > > environment?

Yeah, RH7.1 would not even compile all of the IP Tables modules needed for a
typical installation.  Sloppy.  I had to download a newer kernel for my
client.

> > > Yes! Iptables/netfilter can do a banging job as a stateful
> > > firewall.  It works great.  Just make sure that you use
> > > the most recent one.  There was a security hole in
> > > ip_conntrack_ftp in April, I think.

> > If you would like to read more on that security flaw check out one of
> > the links.  In short, it affected kernels 2.4.3 and below.  A patch is
> > posted, but I would opt for one of the more recent kernels.

> > Ohh links...

> > http://netfilter.samba.org/security-fix/index.html
> >  -- or --
> > http://www.tempest.com.br/advisories/01-2001.html

> > > > If it is stable enough, we have installed RH 7.1,
> > > > which uses the 2.4, so we're good to go.  However, the
> > > > IT guy also seems to think that all linux
> > > > distributions have too many holes (with the exception
> > > > of the NSA's distribution, which he mentioned in
> > > > passing).  It was my impression that I could disable
> > > > pretty much every service on the box (with the
> > > > exception of those that *have* to be running to
> > > > function as a firewall) and we'd be pretty secure.  Is
> > > > this not the case?

MS FUD.  Cisco FUD.  Cisco proudly boasts in its PIX literature that its
firewalls and other products are much more secure than Unix (and, by
implication, Linux) because they have a carefully written proprietary OS.
Then they add IIS for management, along with all of IIS's security holes.

> > > I build firewalls from scratch.  Sometimes I use Slackware
> > > or Debian and strip it to the bare minimum.

Ditto.

> > > The answer to your question is YES, with reservations.
> > > That includes any Unices, Solaris/AIX/HPUX.

> > Agreed (ouch blanket statement?)  For clarification, I agree ANY OS
> > can be made more secure.  Goes along with the house/windows/door
> > thing, when you buy a house are you sure it is locked and all
> > windows are closed? As with any OS, comes responsibility.  Not at just
> > installing a quick fix to alleviate all your ailments, but in having a
> > mature Net Admin. who is willing to be anal. (can we say that on air?)

A properly configured Linux firewall is damn secure.

> > As many would point out some OS's are more secure by default than
> > others, including "web servers" (pun intended).

> > Mark Hurley

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
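For readers who want to see what the netfilter state tracking discussed in this thread looks like in practice, here is a minimal stateful gateway ruleset for a 2.4 kernel with iptables.  This is an added example, not a script from Bob, Bao or Mark, and not part of the netfilter project.  It assumes the interface names (eth0 outside, eth1 inside), the inside network 192.168.1.0/24, and an IPT/MODPROBE override so the commands can be dry-run with IPT=echo without root; only the ESTABLISHED,RELATED/INVALID/NEW state match, the ip_conntrack_ftp helper and MASQUERADE target are taken from the thread's subject matter.

```shell
#!/bin/sh
# Stateful iptables ruleset for a Linux 2.4 gateway (added example, not the
# thread's own code).  Interface names and the LAN prefix are assumptions;
# override them from the environment.  Set IPT=echo (and MODPROBE=echo) to
# print the commands instead of applying them.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

load_helpers() {
    # The FTP helper watches the PORT/PASV control exchange so the data
    # connection is classified RELATED instead of NEW.  This is the module the
    # April 2001 fix mentioned above concerned, so run a kernel newer than
    # 2.4.3 before trusting it.
    $MODPROBE ip_conntrack_ftp 2>/dev/null || true
}

stateful_rules() {
    # Default deny on what reaches the box and what it forwards; the box's
    # own outbound traffic is allowed and its replies come back as ESTABLISHED.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: nothing arriving on the outside interface may claim an
    # inside source address.
    $IPT -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # The stateful core: packets belonging to a flow the connection tracker
    # already knows (or a helper-announced related flow, e.g. FTP data) pass;
    # packets that claim to be mid-flow but match no tracked entry are dropped.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # New connections are only accepted where policy says so: SSH to the
    # firewall from the inside, and anything from the inside going out.
    $IPT -A INPUT   -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Hide the inside network behind the outside address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Apply only when explicitly asked, so the file can be sourced or dry-run
# safely:  sh firewall.sh apply   (as root)
#          IPT=echo MODPROBE=echo sh firewall.sh apply   (preview)
if [ "${1:-}" = apply ]; then
    load_helpers
    stateful_rules
fi
```

The ordering matters: the ESTABLISHED,RELATED rule sits before any NEW rule so that reply traffic never has to be listed per service, and the INVALID drop catches stray ACK/RST segments that an ordinary port-based rule would let through.  Run the preview form first and read the output before applying it over a remote session.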
