FW: Linux Security -- Firewalling with ipchains

Lucas Vogel lvogel@exponent.com
Wed, 26 Jul 2000 12:48:18 -0700


> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, July 25, 2000 12:56 PM
> To: vogell@yahoo.com
> Subject: Linux Security -- Firewalling with ipchains 
> 
> 
> LINUX SECURITY --- July 25, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
> 
> *********************************************************************
> HIGHLIGHTS
> 
> * Firewalling:  It's more important than you think
> 
> ********************************************************************* 
> Firewalling Linux with IPCHAINS
> by Rick Johnson
> 
> The basis of securing any network is a decent firewall and the first
> choice should always be a dedicated firewall appliance at the front
> line that allows reasonable control of traffic entering from the
> outside. However, firewalling is a task typically avoided by Linux
> administrators. I continually hear the same reason: "It is too
> complicated," or my favorite, "It is not that important, I stay up to
> date on bug fixes and patches". Well, it is that important and does
> not need to be so complicated.
> 
> Even with a firewall protecting the server from the outside world, it
> is always wise to firewall the local box itself. Thankfully, the world
> of Linux has made it possible with ipchains. Paul "Rusty" Russell
> deserves tremendous praise for such a well-designed product.
> 
> If you have tried to firewall any of the current Linux distributions, 
> then ipchains is not foreign to you.  I will admit, it can be 
> intimidating for those who are new to firewalls; but for a free, 
> built-in packet filter, it is an indispensable tool for securing your 
> box. The best part is, most distros are configured and ready to use 
> ipchains straight out of the box.
> 
> To truly do justice to this tool, we would easily need more space than
> this newsletter provides. Therefore, I will not even pretend to cover
> it all here. For an in-depth description, you really should read the
> ipchains HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html).
> 
> However, if taking the time to learn firewall construction inside and
> out just does not fit in your schedule, there is still hope. The Linux
> community has once again provided a number of automatic configuration
> tools to get you started. A search of Freshmeat.net easily turns up
> over 25 different tools to accomplish this task. I would like to point
> out that, while an out-of-the-box tool is great for beginners, it
> should only be used as a starting point -- there is no substitute for
> a carefully written and diligently maintained firewall script.
> 
> The tool I prefer for generating a starting ipchains firewall is
> PMFirewall (http://www.pmfirewall.com). This firewall should work for
> most Workstations, Servers and Dual NIC routers using a dialup, DSL,
> Cable or LAN setup. It is restrictive to outside attacks while still
> being transparent to those inside. Why do I choose PMFirewall over
> some of the other fine tools available? The answer has nothing to do
> with one being better than another -- it is far simpler, I wrote it.
> 
> For those who need it, a step-by-step installation tutorial is
> available on the Mandrake Linux Web site.
> (http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3)
> 
> Neither this nor any automatic firewall configuration program is as
> secure as one carefully written by hand but they are great for
> developing the initial framework. What you choose to do after that is
> up to you.
> 
> Resources
> 
> Internal system security enhancements
> http://www.linuxworld.com/linuxworld/lw-1999-07/lw-07-ramparts-3.html
> 
> Securing Linux, Part 2 
> Advanced Linux security
> http://www.linuxworld.com/linuxworld/lw-1999-06/lw-06-ramparts.html
> 
> The back door to FrontPage 
> Meet two open source offerings -- without back doors
> http://www.linuxworld.com/linuxworld/lw-2000-04/lw-04-penguin_3.html
> 
> *********************************************************************
> THE ESSENTIAL OPEN BOOK PROJECT
> 
> The Essential Linux Open Book project needs you! We have one chapter 
> completed and two others nearing completion. If you want to give 
> something back to the community, do it now. 
> http://www.linuxworld.com/linuxworld/idgbooks-openbook/home.html
> 
> *********************************************************************
> 
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for an
> emerging Managed Service Provider. When not writing, he heads the
> development team for PMFirewall, an Ipchains Firewall and Masquerading
> Configuration Utility for Linux. Rick can be contacted via email at
> rick@pointman.org or on the web at http://www.pointman.org.
>  
> *********************************************************************
> CONTACTS
> 
> * For editorial comments, write Andrew Santosusso, Associate Editor, 
> Newsletters at: andrew_santosusso@itworld.com
> * For advertising information, write Dan Chupka, Account Executive at:
> dan_chupka@itworld.com
> * For all other inquiries, write Jodie Naze, Product Manager,
> Newsletters at: jodie_naze@itworld.com
> 
> *********************************************************************
> 
> Copyright 2000 ITworld.com, Inc., All Rights Reserved. 
> 
> http://www.itworld.com
> 
>