> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, July 25, 2000 12:56 PM
> To: vogell@yahoo.com
> Subject: Linux Security -- Firewalling with ipchains
>
> LINUX SECURITY --- July 25, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
>
> *********************************************************************
> HIGHLIGHTS
>
> * Firewalling: It's more important than you think
>
> *********************************************************************
> Firewalling Linux with IPCHAINS
> by Rick Johnson
>
> The basis of securing any network is a decent firewall and the first
> choice should always be a dedicated firewall appliance at the front line
> that allows reasonable control of traffic entering from the outside.
> However, firewalling is a task typically avoided by Linux
> administrators. I continually hear the same reason: "It is too
> complicated," or my favorite, "It is not that important, I stay up to
> date on bug fixes and patches". Well, it is that important and does not
> need to be so complicated.
>
> Even with a firewall protecting the server from the outside world, it is
> always wise to firewall the local box itself. Thankfully, the world of
> Linux has made it possible with ipchains. Paul "Rusty" Russell deserves
> tremendous praise for such a well-designed product.
>
> If you have tried to firewall any of the current Linux distributions,
> then ipchains is not foreign to you. I will admit, it can be
> intimidating for those who are new to firewalls; but for a free,
> built-in packet filter, it is an indispensable tool for securing your
> box. The best part is, most distros are configured and ready to use
> ipchains straight out of the box.
>
> To truly do justice to this tool, we would easily need more space than
> this newsletter provides. Therefore, I will not even pretend to cover it
> all here. For an in-depth description, you really should read the
> ipchains HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html).
>
> However, if taking the time to learn firewall construction inside and
> out just does not fit in your schedule, there is still hope. The Linux
> community has once again provided a number of automatic configuration
> tools to get you started. A search of Freshmeat.net easily turns up over
> 25 different tools to accomplish this task. I would like to point out
> that, while an out-of-the-box tool is great for beginners, it should only
> be used as a starting point -- there is no substitute for a carefully
> written and diligently maintained firewall script.
>
> The tool I prefer for generating a starting ipchains firewall is
> PMFirewall (http://www.pmfirewall.com). This firewall should work for
> most Workstations, Servers and Dual NIC routers using a dialup, DSL,
> Cable or LAN setup. It is restrictive to outside attacks while still
> being transparent to those inside. Why do I choose PMFirewall over some
> of the other fine tools available? The answer has nothing to do with one
> being better than another -- it is far simpler, I wrote it.
>
> For those who need it, a step-by-step installation tutorial is available
> on the Mandrake Linux Web site.
> (http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3)
>
> Neither this nor any automatic firewall configuration program is as
> secure as one carefully written by hand but they are great for
> developing the initial framework. What you choose to do after that is up
> to you.
>
> Resources
>
> Internal system security enhancements
> http://www.linuxworld.com/linuxworld/lw-1999-07/lw-07-ramparts-3.html
>
> Securing Linux, Part 2
> Advanced Linux security
> http://www.linuxworld.com/linuxworld/lw-1999-06/lw-06-ramparts.html
>
> The back door to FrontPage
> Meet two open source offerings -- without back doors
> http://www.linuxworld.com/linuxworld/lw-2000-04/lw-04-penguin_3.html
>
> *********************************************************************
> THE ESSENTIAL OPEN BOOK PROJECT
>
> The Essential Linux Open Book project needs you! We have one chapter
> completed and two others nearing completion. If you want to give
> something back to the community, do it now.
> http://www.linuxworld.com/linuxworld/idgbooks-openbook/home.html
>
> *********************************************************************
>
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for an
> emerging Managed Service Provider. When not writing, he heads the
> development team for PMFirewall, an Ipchains Firewall and Masquerading
> Configuration Utility for Linux. Rick can be contacted via email at
> rick@pointman.org or on the web at http://www.pointman.org.
>
> *********************************************************************
>
> Copyright 2000 ITworld.com, Inc., All Rights Reserved.
>
> http://www.itworld.com