[ale] recommendations for a..... standalone Linux securityfirewall...

Chris Kleeschulte chris.kleeschulte at it.libertydistribution.com
Wed Nov 5 10:28:43 EST 2008


Courtney:


Thanks for challenging me and informing me. I did not remember that  
act. I do recall it now, something in there about paying extra on a  
phone bill for people who live out in the sticks :)

Pfsense is, like m0n0wall and the others, a self-contained FreeBSD  
distro completely configured for use on a PC-based machine, even one  
that is low-end. You will need 2 network cards in it. You can  
accomplish this cheaply and easily by using a USB version or a cheap PCI  
card. What is neat about pfsense is the packages that one can add  
easily from the user interface after booting. The website can give you  
details on that. It is quite detailed.

I use pfsense as a transparent proxy and firewall, but most people use  
it to SNAT, I suppose. Now nessus is a separate app that scans your  
network entities for vulnerabilities against a pretty extensive list of  
plugins (it is not a firewall). You can also run it from a CD from  
anywhere on your network. I usually run this from my firewall daily. I  
chose to install pfsense on a hard disk, leaving my CD-ROM free to run  
other things.

Linux kernels have access to iptables and BSD kernels typically use  
packet filter (PF), just 2 implementations with similar functionality  
(generally). I am more familiar with iptables, but after learning PF,  
it is ok too.




Chris

On Nov 5, 2008, at 10:08 AM, Courtney Thomas wrote:

> Please see insertions below:
>
>
>
>
> ----- Original Message -----
> From: "Chris Kleeschulte" <chris.kleeschulte at it.libertydistribution.com>
> To: <ale at ale.org>
> Sent: Wednesday, November 05, 2008 9:16 AM
> Subject: Re: [ale] recommendations for a..... standalone Linux
> securityfirewall...
>
>
>> On Nov 14, 2008, at 1:49 AM, Courtney Thomas wrote:
>>
>>> Greetings !
>>>
>>> I want to use a standalone Linux box, possibly running from a CD and
>>> through
>>> which all must pass, at least from the internet, that will be a
>>> firewall for
>>> my home LAN. But if running from a CD gains nothing, forget it. I  
>>> have
>>> several older idle boxes if they'd suffice. I can also go wired or
>>> wireless,
>>> and am receptive to any setup.
>>>
>>> What recommendation(s) do you have for such a box, please ?
>>>
>>> I'd like it to be simple, if possible, as I doubt the KGB (or
>>> whatever they
>>> call themselves now) are going to put a lot into seeing what I'm up
>>> to.
>>>
>>> I don't so much need 'secure communications' as I've now given up
>>> moonlighting for the KGB, but simply want to keep internet intruders
>>> off my
>>> home LAN.
>>>
>>> But if actually it's not significantly more difficult to set this up
>>> to be a
>>> 'real handful' than to just minimally put something in the
>>> way......then of
>>> course I'd be pleased to lock out the U.S. government which has
>>> damaged and
>>> further threatens our future well being way more than the Russians
>>> ever
>>> dreamed of accomplishing   :-)   Sorry, but I can't remember the
>>> Communications Act that has been inflicted on U.S. citizens creating
>>> an
>>> opaque, furtive, and uncontrolled power to surveil you. The only
>>> thing I
>>> want to hide from government is my freedom and privacy.
>>
>> If that is not inviting many many threads on this list, I do not know
>> what is. I would use Pfsense...it has worked smashingly for me and is
>> very friendly to work with, although it is technically FreeBSD and  
>> not
>> Linux.
>
> Chris,
>
> Is it therefore required to first run FreeBSD which provides pfsense ?
>
>> I prefer iptables to pf myself, but after using pfsense for
>> a while, I am sold on it.
>
> Why, as opposed to iptables ?
>
>> The developers did a bang up job,
>>
>> As for the "Communications Act", I assume you mean Patriot Act or
>> something equally inflammatory to certain groups.
>
> No. I was referring to a Communications Act which I believe was  
> enacted in
> '94
> which gives the [basically] white house unrestrained police state  
> powers to
> spy
> on U.S. citizens without recourse or due process. Eisenhower warned  
> of the
> threat of the military industrial complex as, I believe, his last  
> official
> words to
> U.S. citizenry.
>
>> Most security
>> measures people take are to make sure they are not "low hanging  
>> fruit"
>> for those who would do them harm. If you use stateful packet
>> inspection, do not allow syn packets in from the wan, use host and
>> network based intrusion detection and a security scanner like nessus,
>> then you have raised your prospects of being harmed to very low.
>
> Is nessus to be used in addition to or a suggested substitute for a  
> firewall
> or is it
> regarded as a firewall ?
>
>
>> Simply reviewing the logs on your firewall is way ahead of most
>> people. I like to focus on outbound traffic from my network since  
>> this
>> traffic is more liberally allowed out by me.
>>
>
> Understood. If they get in who cares ? The problem is, what they do  
> once in.
>
> Thank you for your offerings,
>
> Courtney
>
>
>>
>>
>>>
>>>
>>> Once more, appreciatively,
>>>
>>> Courtney
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>
>
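The firewall the thread describes (a box with two network cards, stateful inspection, no new connections accepted from the WAN, SNAT for the LAN, outbound connections logged so they can be reviewed) written out as an iptables ruleset, since Courtney asked about iptables and pfsense itself uses PF. This is an added example, not pfsense's ruleset and not code posted by either Chris or Courtney. The interface names eth0/eth1, the 192.168.1.0/24 LAN prefix and the "FW-OUT: " log prefix are assumptions; the function prints the commands rather than running them so they can be read before being fed to a root shell.

```shell
#!/bin/sh
# Added example: minimal stateful two-NIC iptables firewall for a home LAN.
# Not pfsense's own rules. Interface names and LAN prefix are assumptions.

WAN=${WAN:-eth0}                    # assumed: interface facing the internet
LAN=${LAN:-eth1}                    # assumed: interface facing the home LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed: home LAN prefix

# Print the ruleset as commands instead of applying it, so it can be
# reviewed first.  Apply (as root) with:  fw_rules | sh
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, plus replies to connections we already know about (the stateful part)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the firewall box itself is reachable only from the LAN side
iptables -A INPUT -i $LAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# never accept a new TCP connection (SYN) arriving on the WAN, in either chain
iptables -A INPUT -i $WAN -p tcp --syn -j DROP
iptables -A FORWARD -i $WAN -p tcp --syn -j DROP
# log, then allow, new outbound connections from the LAN (what gets reviewed)
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j LOG --log-prefix "FW-OUT: "
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# SNAT (masquerade) everything that leaves through the WAN interface
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check on the generated ruleset before applying it: default policies
# must be DROP, and no rule may ACCEPT a NEW connection arriving on the WAN.
fw_check() {
    rules=$(fw_rules)
    echo "$rules" | grep -q '^iptables -P INPUT DROP$'   || return 1
    echo "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
    if echo "$rules" | grep -- "-i $WAN" | grep -- '--ctstate NEW' | grep -q ACCEPT; then
        return 1
    fi
    return 0
}
```

The `ESTABLISHED,RELATED` rules are what make the filter stateful: inbound packets are only let through when conntrack has already seen the LAN host open the connection, which is why dropping every SYN on the WAN side costs nothing for normal browsing. If a service on the LAN ever needs to be reachable from outside, that is a deliberate DNAT plus FORWARD exception, not a change to the default policy.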


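Chris's advice to read the firewall logs with the emphasis on outbound traffic, as an added example that is not part of the thread: a small shell/awk pass over the lines an iptables LOG rule writes to the kernel log. The sample lines are constructed for the example; the "FW-OUT: " prefix and the threshold used to flag a host that is spreading across many destinations are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise outbound-connection log
# lines written by an iptables LOG rule, to make the daily log review quick.
# Assumes the LOG rule used the prefix "FW-OUT: ".

# Constructed sample lines in the kernel's iptables LOG format. The last
# line is an unrelated kernel message and must be ignored.
SAMPLE_LOG='Nov  5 10:01:02 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  5 10:01:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  5 10:01:09 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  5 10:02:11 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  5 10:02:12 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  5 10:02:20 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.9 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=2003 PROTO=UDP SPT=45000 DPT=53 LEN=53
Nov  5 10:03:00 fw kernel: eth0: link up'

# Count new outbound connections per (source, destination, protocol, port),
# most frequent first.  Usage on a real box:  grep FW-OUT /var/log/kern.log | outbound_summary
outbound_summary() {
    grep 'FW-OUT:' | awk '{
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue          # skip flags such as DF or SYN
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        print src, dst, proto, dpt
    }' | sort | uniq -c | sort -rn
}

# Flag LAN hosts that opened connections to more than THRESHOLD distinct
# destination:port pairs (assumed default 2). A host suddenly spreading
# across many destinations is the shape a scan or a bot tends to have.
noisy_hosts() {
    threshold=${1:-2}
    grep 'FW-OUT:' | awk -v t="$threshold" '{
        src = dst = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        key = src SUBSEP dst ":" dpt
        if (!(key in seen)) { seen[key] = 1; count[src]++ }
    }
    END { for (s in count) if (count[s] > t) print s, count[s] }' | sort
}
```

On the constructed sample the summary puts 192.168.1.20's three SSH connections to 203.0.113.7 at the top, and with a threshold of 1 the second function reports 192.168.1.31, which talked to two distinct destination:port pairs. On real logs the useful review is the one-off lines at the bottom of the summary rather than the top: a LAN host you do not expect to talk to anything new, doing so.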
