[Gllug] Firewall distro
Ian Northeast
ian at house-from-hell.demon.co.uk
Fri Feb 4 20:27:36 UTC 2005
Simon Wilcox wrote:
> Hello,
>
> I've been asked to host a Windows server and since I would trust the
> security of it about as far as I could spit out a rat, I want to put it
> behind a firewall.
>
> I've configured our other servers (debian) using the standard iptables
> stuff and that seems to be fine but I don't have a vast experience of
> doing this to build firewalls.
>
> What recommendations would people have for either apps to run on top of
> debian to help configure the firewall and/or distros that specifically
> target this application ?
>
> In addition to the firewall itself (which should probably act as a bridge
> rather than a router and wouldn't need NAT), I'd be interested in running
> Snort or similar for intrusion detection and potentially a VPN but that
> is a secondary requirement.
I've had good experiences with http://www.fwbuilder.org/ and
http://www.devil-linux.org/home/index.php.
I'd only use fwbuilder for a fairly complex requirement. For something
simple I'd code the rules by hand. It's got an interface very similar to
Firewall-1's so people experienced with that find it extremely
straightforward. But it's not hard if you're not used to FW-1.
Devil Linux is nice as it runs off CD and uses the disk only for logs.
The configuration goes on a floppy which can be read protected. So if
someone does hack it, there's nothing to damage.
I ran the web site of a multinational behind such a firewall on a PII
for nearly a year. This thing was hideously complex due to some rather
bizarre management decisions, it had 4 NICs, managed 2 separate DMZs and
had about 1800 iptables rules. Despite this, I was able to demonstrate
that it really could manage sustained 100Mb/s throughput. There was a
spare sitting on top of it in case the old hardware failed.
I rather agree with Tet, OpenBSD is perfect for firewalls. It's what I
use at home, on a laptop so old it was free, as was the spare I keep
handy in case of hardware trouble. Fwbuilder can be used to build
OpenBSD firewalls too, although I don't, my needs are simple so I write
the rules by hand.
I've not used any of this for a bridging firewall though. I understand
that a Linux bridging firewall actually has a router in the middle, so
they may be applicable. And I know nothing about running a bridging
firewall on OpenBSD.
Regards, Ian
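As an added illustration of the hand-coded, bridging, no-NAT setup discussed in this thread (example code, not Ian's or Simon's own), the script below assumes a Debian box with bridge-utils and bridge-nf support, eth0 and eth1 as the bridge ports, and a placeholder address and port list for the hosted server:

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a Linux bridging firewall
# (no NAT) in front of one hosted server. Assumptions, not from the thread:
# eth0 faces the Internet, eth1 faces the server, the bridge is br0, and the
# server address and port lists are placeholders to replace.
set -eu

IPT="${IPT:-iptables}"      # set IPT=echo to dry-run and inspect the rules
OUTSIDE=eth0                # Internet-facing bridge port
INSIDE=eth1                 # port facing the hosted (Windows) server
SERVER=192.0.2.10           # placeholder address (TEST-NET-1)
ALLOW_TCP="80 443"          # services published to the Internet
ALLOW_UDP_OUT="53 123"      # DNS and NTP the server may reach out for

setup_bridge() {
    # Join the two ports into br0 and make bridged frames traverse the
    # iptables FORWARD chain (bridge-nf), so the box filters without routing.
    brctl addbr br0 && brctl addif br0 "$OUTSIDE" && brctl addif br0 "$INSIDE"
    ip link set br0 up
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
}

load_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP                              # default deny both ways
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound: only the published services, only to the server.
    for p in $ALLOW_TCP; do
        $IPT -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp \
            -d "$SERVER" --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Outbound from the server: DNS and NTP only, so a compromised host
    # cannot freely talk out (no SMB, no arbitrary egress).
    for p in $ALLOW_UDP_OUT; do
        $IPT -A FORWARD -m physdev --physdev-in "$INSIDE" -p udp \
            -s "$SERVER" --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Log what the policy drops (rate-limited) for syslog or Snort review.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRFW-DROP: "
}
```

Run `IPT=echo sh firewall.sh` first to review the generated rules; `setup_bridge` and `load_rules` are meant to be called from the script's own startup once the output looks right.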
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug