[PLUG] Firewall Suggestions?

Shannon C. Dealy dealy at deatech.com
Fri Jun 21 21:49:03 UTC 2002


On Fri, 21 Jun 2002, Sandy Herring wrote:

> On Fri, 21 Jun 2002, AthlonRob wrote:
> > Hi-
> >
> > I'm trying to set up a firewall. [...]
> >
> > I don't want to mess with connections originating from inside the LAN...
> > but I don't want anybody to be able to set up a LISTENING service which
> > people could access from the Internet... unless I, root, say they can.
> >
> > Any suggestions as to an iptables-based firewall configuration program or
> > script or something?  :-)
>
> You may have a shorter learning curve with TCP Wrappers than with iptables
> or ipchains. Just edit /etc/hosts.allow and /etc/hosts.deny and restart
> xinetd. See `man 5 hosts_access' and `man host_options'. You can easily
> allow outbound traffic and limit inbound connections.

TCP Wrappers won't prevent anyone from setting up an insecure listening
service, it only applies to programs specifically coded to support it, or
those programs which have been "wrapped" by it through running it within
the wrapper script (usually done from within inetd or one of its
variants).  Any program without TCP wrappers support, or launched from
outside the wrapper is completely unprotected.

Setting up a firewall to meet the above requirements can be a little
complicated, since you are trying to protect it from both internal
mistakes/abuse and external attacks.  Generally, the simplest approach is
to not let the users do anything "through" the firewall, and instead set up
a proxy server for them to use and configure your firewall to block
everything but the proxy.  Then as new services are needed, add different
proxies and/or open up the firewall for just the desired service,
preferably limiting the use of the service to as few internal
computers as is practical.

Unfortunately, since I have always done my firewalls by hand, I don't know
how good any of the firewall programs are.  I have heard some good things
about bastille, but have no first hand knowledge.  One little warning:
from the configuration programs/scripts I have seen in the past, I think
that in most cases you really need to take the time to understand firewalls
to use these scripts safely and effectively, otherwise most of them will
allow you to configure a firewall which is wide open.

Shannon C. Dealy      |               DeaTech Research Inc.
dealy at deatech.com     |          - Custom Software Development -
                      |    Embedded Systems, Real-time, Device Drivers
Phone: (800) 467-5820 | Networking, Scientific & Engineering Applications
   or: (541) 451-5177 |                  www.deatech.com
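
[Added example, not part of the message above or of any tool it names.]
The requirements in this thread (leave connections that originate inside
the LAN alone, let nothing from the Internet reach a listening service
unless root has opened it, and optionally force everything "through" a
proxy on the gateway as Shannon suggests) come down to a default-deny
INPUT/FORWARD policy with connection tracking.  The script below generates
such a ruleset in iptables-restore format and includes the "is this
ruleset wide open?" check that Shannon's warning about configuration
scripts calls for.  Assumptions: eth0 faces the Internet and eth1 the LAN,
the gateway does NAT for the LAN, and the modern `-m conntrack --ctstate`
match is available (the 2002-era equivalent was `-m state --state`).

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny iptables ruleset for a
# small Linux gateway, in iptables-restore format, plus a check that flags a
# ruleset that is "wide open". Interface names (eth0 = Internet, eth1 = LAN)
# and the conntrack match syntax are assumptions; adapt them to your box.
set -eu

# fw_rules EXT_IF INT_IF [TCP_PORT...]
#   INPUT and FORWARD default to DROP, so a service a user starts on the
#   gateway or on a LAN host cannot be reached from the Internet unless its
#   port is listed here (root's say-so). Replies to connections started on
#   the inside are admitted by connection tracking, so outbound use is not
#   disturbed. FW_PROXY_ONLY=1 drops all LAN->Internet forwarding, so users
#   must go through a proxy running on the gateway.
fw_rules() {
  ext="$1"; int="$2"; shift 2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -m conntrack --ctstate NEW -j ACCEPT
EOF
  # Services root has explicitly opened to the Internet.
  for port in "$@"; do
    printf '%s\n' "-A INPUT -i $ext -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  if [ "${FW_PROXY_ONLY:-0}" != 1 ]; then
    printf '%s\n' "-A FORWARD -i $int -o $ext -m conntrack --ctstate NEW -j ACCEPT"
  fi
  printf 'COMMIT\n'
  if [ "${FW_PROXY_ONLY:-0}" != 1 ]; then
    # LAN hosts use private addresses; masquerade them behind the gateway.
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' "-A POSTROUTING -o $ext -j MASQUERADE"
    printf 'COMMIT\n'
  fi
}

# fw_check EXT_IF  (ruleset on stdin)
#   Exit 0 if the ruleset passes, 1 if it is wide open in one of the usual
#   ways: an ACCEPT policy on INPUT or FORWARD, a stateless ACCEPT, a NEW
#   connection accepted on any interface, or a NEW connection from the
#   Internet accepted without naming a port. Findings go to stderr.
fw_check() {
  awk -v ext="$1" '
    /^:INPUT /   && $2 != "DROP" { bad++; print "INPUT policy is " $2 > "/dev/stderr" }
    /^:FORWARD / && $2 != "DROP" { bad++; print "FORWARD policy is " $2 > "/dev/stderr" }
    /^-A (INPUT|FORWARD) / && /-j ACCEPT/ {
      if ($0 ~ /-i lo /) next                                   # loopback
      if ($0 !~ /--ctstate/) { bad++; print "stateless ACCEPT: " $0 > "/dev/stderr"; next }
      if ($0 !~ /--ctstate NEW/) next                           # replies only
      if ($0 !~ /-i /) { bad++; print "NEW on any interface: " $0 > "/dev/stderr"; next }
      if (index($0, "-i " ext " ") && $0 !~ /--dport/)
        { bad++; print "NEW from Internet without a port: " $0 > "/dev/stderr" }
    }
    END { exit bad ? 1 : 0 }'
}

# fw_apply EXT_IF INT_IF [TCP_PORT...]: refuse to load a ruleset that fails
# the check; otherwise hand it to iptables-restore (run as root).
fw_apply() {
  rules=$(fw_rules "$@")
  printf '%s\n' "$rules" | fw_check "$1" || return 1
  printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
  show)  shift; fw_rules "$@" ;;              # e.g. ./fw.sh show eth0 eth1 22
  apply) shift; fw_apply "$@" ;;              # e.g. ./fw.sh apply eth0 eth1 22
esac
```

`./fw.sh show eth0 eth1 22 | fw_check eth0` lets you read the rules before
loading them; `FW_PROXY_ONLY=1 ./fw.sh apply eth0 eth1` gives the
proxy-only setup, where the only way out for LAN users is a proxy on the
gateway and the only things reachable from the Internet are the ports
listed on the command line.  The check is deliberately conservative: it
understands only the shapes of rule this generator emits, so run it on
the output of a third-party configuration script as a sanity test, not as
proof that the script's ruleset is sound.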
