[ale] stateful firewall?

Bao C. Ha baoha at sensoria.com
Wed Oct 17 14:15:38 EDT 2001
> I've been working for the past day or so on setting up
> ipchains to use as my company's firewall.  Then one
> of our senior IT guys came by and said "Linux
> boxes don't make firewalls.  They make good proxies,
> but not firewalls.  Linux has no stateful firewalls".

Wow!  So tell me, what do you need from a stateful
firewall that ipchains cannot provide?  A lot of the time,
"stateful firewall" is just a buzz/FUD marketing word.
I would ask for clarification on the requirements that
do utilize a stateful firewall.
> 
> I know in Bob Toxen's book it's mentioned that the 2.4
> kernel provides a stateful firewall capability called
> NETFILTER.  Has anyone had any experience with this? 
> Good/bad?  Is it stable enough to use in a production
> environment?

Yes! Iptables/netfilter can do a banging job as a stateful
firewall.  It works great.  Just make sure that you use
the most recent one.  There was a security hole in
ip_conntrack_ftp in April, I think.

> 
> If it is stable enough, we have installed RH 7.1,
> which uses the 2.4, so we're good to go.  However, the
> IT guy also seems to think that all linux
> distributions have too many holes (with the exception
> of the NSA's distribution, which he mentioned in
> passing).  It was my impression that I could disable
> pretty much every service on the box (with the
> exception of those that *have* to be running to
> function as a firewall) and we'd be pretty secure.  Is
> this not the case?

I build firewalls from scratch.  Sometimes I use Slackware
or Debian and strip it to the bare minimum.  

The answer to your question is YES, with reservations.
That includes any Unices, Solaris/AIX/HPUX.

> Ok, final question.  Assuming NETFILTER is *not* ready
> for production, are there any open source stateful
> firewalls that are?

FreeBSD!

Bao
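As an added example that is not part of Bao's reply or the ALE thread: the ruleset below is a minimal stateful iptables/netfilter policy of the kind the reply is recommending over ipchains. The interface names, the LAN range and the choice of SSH as the one service the firewall itself accepts are assumptions made for the example. By default the function only prints the iptables commands so the policy can be reviewed; `stateful_rules apply` executes them (root and a netfilter-enabled 2.4 kernel required). The `ESTABLISHED,RELATED` rules are what make the policy stateful: return traffic is admitted because ip_conntrack remembers the connection, not because a hole was opened for high ports the way ipchains required.

```shell
#!/bin/sh
# Added example, not code from the original post. Interface names and the
# LAN range are assumptions; override them through the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit one iptables command: execute it in "apply" mode, print it otherwise.
ipt() {
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Build the policy. Usage: stateful_rules [print|apply]
stateful_rules() {
    MODE="${1:-print}"

    # Default-deny for traffic to the box and for forwarded traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # The stateful core: ip_conntrack decides. Packets that belong to a
    # connection already accepted (or RELATED to one, e.g. ICMP errors)
    # pass; everything else must match an explicit NEW rule below.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that fit no tracked connection and are not a connection
    # start (stray ACKs, malformed segments) are dropped outright.
    ipt -A INPUT   -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # New connections: the LAN may open anything outbound; the firewall
    # itself accepts only SSH, and only from the LAN side.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # Hide the LAN behind the firewall's WAN address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Deliberately no protocol helpers (ip_conntrack_ftp etc.): load only
    # the ones you need, since the reply above notes a past hole in
    # ip_conntrack_ftp, and keep them at the current version.
}
```

Running `sh thisfile.sh` after adding `stateful_rules "$@"` at the bottom prints the commands for review; `stateful_rules apply` installs them. Note the ordering: the ESTABLISHED,RELATED and INVALID rules sit before any NEW rule, so every packet is first classified by conntrack and only genuine connection starts reach the per-service rules.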
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.