[Dshield] firewall help request

John Hardin johnh at aproposretail.com
Fri Oct 3 16:00:34 GMT 2003


On Thu, 2003-10-02 at 22:34, Roman Fomichev wrote:
> As I understand, John, you can't do anything other than packet filtering on 
> linux. No stateful firewall, no proxying technologies....
> Linux with iptables is good for very low cost solutions or for home 
> solution, where two skilled people using opera browser surf the net.

iptables *is* a stateful firewall, at least at the TCP level. Netfilter
modules let you add protocol-specific statefulness as needed. 

No proxying? Squid is a very capable HTTP and FTP proxy. There are other
packages for other protocols.

Granted, not very many have fancy GUI interfaces.

The tradeoff is, of course, time and skill vs. money. If you want to
save money, you have the time to configure it, and you have or want to
develop the skills to do so, just about any Linux distro will provide
excellent firewalling. There are several mini-distros that are
specifically tuned to this application.

If you don't want to mess about with it that much, and are willing to
base your security on a black box whose internal operation you're
trusting someone else to get right, then a "firewall appliance" is a
reasonable solution.

BTW, I apologize for mentioning it in the first place - I didn't notice
that the original poster specifically mentioned that they wanted
recommendations for appliances rather than more broad suggestions.

--
John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
  There is no problem that cannot be solved by the appropriate
  application of high explosives.
-----------------------------------------------------------------------
 33 days until Matrix Revolutions
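As an added illustration of the stateful filtering John describes (this is example code, not part of the original thread): a minimal iptables policy where connection tracking does the work, with the FTP conntrack helper standing in for the protocol-specific netfilter modules he mentions. The WAN interface name eth0 and the SSH/HTTP service ports are assumptions; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Minimal stateful iptables policy (added example, not from the original thread).
# Assumptions: WAN interface is eth0; the host serves SSH and HTTP only.
WAN_IF="${WAN_IF:-eth0}"

# Execute iptables, or print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Default deny for inbound and forwarded traffic; outbound allowed.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT

    # Stateful core: packets the connection tracker already knows about
    # (replies to our own connections, or RELATED flows such as FTP data
    # channels recognised by a conntrack helper) are accepted by one rule.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot attribute to any connection (bad TCP flag
    # combinations, out-of-window segments) are dropped before any service rule.
    run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Only these NEW connections may come in from the WAN side.
    run -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited log of whatever falls through to the default DROP.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Protocol-specific statefulness: the FTP helper watches the control channel
# so that the data connections it announces are classified as RELATED above.
load_helpers() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "modprobe nf_conntrack_ftp"
    else
        modprobe nf_conntrack_ftp
    fi
}

# Usage: DRY_RUN=1 sh fw.sh apply (print) or, as root, sh fw.sh apply
if [ "${1:-}" = "apply" ]; then
    load_helpers
    apply_rules
fi
```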