[Gllug] Firewall distro

Ian Northeast ian at house-from-hell.demon.co.uk
Fri Feb 4 20:27:36 UTC 2005


Simon Wilcox wrote:
> Hello,
> 
> I've been asked to host a Windows server and since I would trust the
> security of it about as far as I could spit out a rat, I want to put it
> behind a firewall.
> 
> I've configured our other servers (debian) using the standard iptables
> stuff and that seems to be fine but I don't have a vast experience of
> doing this to build firewalls.
> 
> What recommendations would people have for either apps to run on top of
> debian to help configure the firewall and/or distros that specifically
> target this application ?
> 
> In addition to the firewall itself (which should probably act as a bridge
> rather than a router and wouldn't need NAT), I'd be interested in running
> Snort or similar for intrusion detection and potentially a VPN but that
> is a secondary requirement.

I've had good experiences with http://www.fwbuilder.org/ and 
http://www.devil-linux.org/home/index.php.

I'd only use fwbuilder for a fairly complex requirement. For something 
simple I'd code the rules by hand. It's got an interface very similar to 
Firewall-1's so people experienced with that find it extremely 
straightforward. But it's not hard if you're not used to FW-1.

Devil Linux is nice as it runs off CD and uses the disk only for logs. 
The configuration goes on a floppy which can be read protected. So if 
someone does hack it, there's nothing to damage.

I ran the web site of a multinational behind such a firewall on a PII 
for nearly a year. This thing was hideously complex due to some rather 
bizarre management decisions, it had 4 NICs, managed 2 separate DMZs and 
had about 1800 iptables rules. Despite this, I was able to demonstrate 
that it really could manage sustained 100Mb/s throughput. There was a 
spare sitting on top of it in case the old hardware failed.

I rather agree with Tet: OpenBSD is perfect for firewalls. It's what I 
use at home, on a laptop so old it was free, as was the spare I keep 
handy in case of hardware trouble. Fwbuilder can be used to build 
OpenBSD firewalls too, although I don't; my needs are simple, so I write 
the rules by hand.

I've not used any of this for a bridging firewall though. I understand 
that a Linux bridging firewall actually has a router in the middle, so 
they may be applicable. And I know nothing about running a bridging 
firewall on OpenBSD.

Regards, Ian

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
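Worked example added by the editor, not part of Simon's or Ian's posts: a hand-written iptables ruleset of the kind Ian describes, laid out for the transparent bridging firewall (no NAT) Simon asks about, with one Windows host behind it. Interface names (eth0 outside, eth1 inside, bridged as br0), the 192.0.2.10 server address, the 198.51.100.0/24 admin network and the allowed port list are all assumed placeholders; the bridge-nf sysctl path assumes a Linux kernel with bridge-netfilter. The script prints the rules by default so they can be reviewed before `apply` runs them.

```shell
#!/bin/sh
# Added example (editor's, not from the list thread). Transparent bridging
# firewall in front of a single server: br0 bridges OUTSIDE_IF and INSIDE_IF,
# the server keeps its public address, and iptables filters bridged frames
# via the physdev match. All names and addresses below are assumptions.
OUTSIDE_IF=${OUTSIDE_IF:-eth0}
INSIDE_IF=${INSIDE_IF:-eth1}
SERVER_IP=${SERVER_IP:-192.0.2.10}          # placeholder (documentation range)
ADMIN_NET=${ADMIN_NET:-198.51.100.0/24}     # placeholder: where RDP may come from
ALLOWED_TCP=${ALLOWED_TCP:-"80 443"}        # services the world may reach

# Emit the ruleset as text. Keeping rules in a script that can be reviewed
# (and diffed) before loading is the point of writing them by hand.
gen_rules() {
    cat <<EOF
# Firewall host itself: default deny, loopback and replies only.
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Bridged traffic: default deny, stateful, drop anything conntrack rejects.
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
EOF
    # Inbound from the world to the server: only the published TCP services.
    for p in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE_IF --physdev-out $INSIDE_IF -d $SERVER_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Remote administration (RDP) only from the admin network, never from anywhere.
iptables -A FORWARD -m physdev --physdev-in $OUTSIDE_IF --physdev-out $INSIDE_IF -s $ADMIN_NET -d $SERVER_IP -p tcp --dport 3389 -m state --state NEW -j ACCEPT
# Outbound from the server: DNS and web only, so a compromised host cannot
# open arbitrary connections out.
iptables -A FORWARD -m physdev --physdev-in $INSIDE_IF --physdev-out $OUTSIDE_IF -s $SERVER_IP -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $INSIDE_IF --physdev-out $OUTSIDE_IF -s $SERVER_IP -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# Log what the default policy drops, rate-limited so logs stay readable.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-FW DROP: "
EOF
}

# Load the ruleset. bridge-nf must be on or iptables never sees bridged frames
# (assumed kernel with bridge-netfilter); the bridge is assumed already built,
# e.g. with brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth1.
apply_rules() {
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    gen_rules | sh -e
}

case "${1:-show}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument (or `show`) to print the rules for review, and as root with `apply` to load them. The inbound RDP rule is deliberately restricted by source network; the test below checks that no version of the generated ruleset admits port 3389 without that restriction.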