Author: Lucas Vogel
Date:
Subject: FW: Linux Security -- Firewalling with ipchains
> -----Original Message-----
> From: ITworld Newsletters [mailto:itwnews@itwpub1.com]
> Sent: Tuesday, July 25, 2000 12:56 PM
> To: vogell@yahoo.com
> Subject: Linux Security -- Firewalling with ipchains
>
>
> LINUX SECURITY --- July 25, 2000
> Published by ITworld.com, the IT problem-solving network
> http://www.itworld.com/newsletters
>
> *********************************************************************
> HIGHLIGHTS
>
> * Firewalling: It's more important than you think
>
> *********************************************************************
> Firewalling Linux with IPCHAINS
> by Rick Johnson
>
> The basis of securing any network is a decent firewall and the first
> choice should always be a dedicated firewall appliance at the front line
> that allows reasonable control of traffic entering from the outside.
> However, firewalling is a task typically avoided by Linux
> administrators. I continually hear the same reason: "It is too
> complicated," or my favorite, "It is not that important, I stay up to
> date on bug fixes and patches". Well, it is that important and does not
> need to be so complicated.
>
> Even with a firewall protecting the server from the outside world, it is
> always wise to firewall the local box itself. Thankfully, the world of
> Linux has made it possible with ipchains. Paul "Rusty" Russell deserves
> tremendous praise for such a well-designed product.
>
> If you have tried to firewall any of the current Linux distributions,
> then ipchains is not foreign to you. I will admit, it can be
> intimidating for those who are new to firewalls; but for a free,
> built-in packet filter, it is an indispensable tool for securing your
> box. The best part is, most distros are configured and ready to use
> ipchains straight out of the box.
>
> To truly do justice to this tool, we would easily need more space than
> this newsletter provides. Therefore, I will not even pretend to cover it
> all here. For an in-depth description, you really should read the
> ipchains HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html).
>
> However, if taking the time to learn firewall construction inside and
> out just does not fit in your schedule, there is still hope. The Linux
> community has once again provided a number of automatic configuration
> tools to get you started. A search of Freshmeat.net easily turns up over
> 25 different tools to accomplish this task. I would like to point out
> that, while an out-of-the-box tool is great for beginners, it should only
> be used as a starting point -- there is no substitute for a carefully
> written and diligently maintained firewall script.
>
> The tool I prefer for generating a starting ipchains firewall is
> PMFirewall (http://www.pmfirewall.com). This firewall should work for
> most Workstations, Servers and Dual NIC routers using a dialup, DSL,
> Cable or LAN setup. It is restrictive to outside attacks while still
> being transparent to those inside. Why do I choose PMFirewall over some
> of the other fine tools available? The answer has nothing to do with one
> being better than another -- it is far simpler, I wrote it.
>
> For those who need it, a step-by-step installation tutorial is available
> on the Mandrake Linux Web site.
> (http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3)
>
> Neither this nor any automatic firewall configuration program is as
> secure as one carefully written by hand, but they are great for
> developing the initial framework. What you choose to do after that is up
> to you.
>
> Resources
>
> Internal system security enhancements
> http://www.linuxworld.com/linuxworld/lw-1999-07/lw-07-ramparts-3.html
>
> Securing Linux, Part 2
> Advanced Linux security
> http://www.linuxworld.com/linuxworld/lw-1999-06/lw-06-ramparts.html
>
> The back door to FrontPage
> Meet two open source offerings -- without back doors
> http://www.linuxworld.com/linuxworld/lw-2000-04/lw-04-penguin_3.html
>
> About the author
> ----------------
> Rick Johnson is currently the Manager of Security Services for an
> emerging Managed Service Provider. When not writing, he heads the
> development team for PMFirewall, an Ipchains Firewall and Masquerading
> Configuration Utility for Linux. Rick can be contacted via email at
> rick@pointman.org or on the web at http://www.pointman.org.
>
> Copyright 2000 ITworld.com, Inc., All Rights Reserved.
>
> http://www.itworld.com
>