July 6th, 2003, 08:27 PM
What is the best Linux firewall?
Hey, I'm currently setting up an Apache server on SuSE Linux 8.1 Pro, and I'm using the firewall that came with the OS (SuSE Firewall 2), but I was wondering: is this a bad firewall, or are there better ones out there?
I know that a firewall is only as good as the rules that are set for it. However, help is needed.
Thanks in advance!
July 6th, 2003, 09:28 PM
You answered your own question by saying "the firewall is only as good as the rules for it are set". I see it as Coke or Pepsi, Sprite or 7-Up, ipfw or ipfilter, ...
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
July 6th, 2003, 09:49 PM
I agree. The rules you set for it make it good. The SuSE firewall is a good one, and when you set it up it does do well. Basically, just set up your rules to work how you want and you should be fine.
July 6th, 2003, 10:43 PM
Nah, come on everyone, for Linux iptables is the best firewall (or ipchains if you haven't reset your Linux box to upgrade for a few years).
Google for iptables if you need more information on setting up and configuring.
July 6th, 2003, 11:30 PM
Have to agree with The3ntropy, iptables is the best around.
July 6th, 2003, 11:52 PM
A firewall is a firewall regardless of who makes it or what it is. The defining points that make it a bad, good, or the best firewall are few. They include the user. This is the main point. I could take iptables (since The3ntropy feels it is the best) and I could take Outpost for Windows. I could spend hours setting up Outpost and then add one rule to iptables that says allow all. I think it'd be obvious there which firewall is better. At the same time, customization plays a big part. Does your firewall let you customize things as much as you like? Visnetic Firewall from Deerfield.com would be a good example of this. IMHO they have built a great PC firewall, but they have one BIG flaw. If you are a DSL user you need PPPoE enabled; however, they have this blocked in a category they refer to as "Other Protocols". I can't enable just PPPoE; I have to enable all of their "Other Protocols", and this doesn't exactly allow for the customization I want. If you are a competent user and your firewall is fully customizable, then you can't define bad, good or best.
As a side note, SuSE Firewall2 is simply a script. It uses iptables to do its actual firewalling.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
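Two posts above say the same thing from different angles: iptables is the engine (SuSE Firewall2 is only a script that drives it), and the rules are what make it good or bad, with "allow all" being the canonical bad rule. As an added example, not posted by anyone in this thread and not SuSE's own script, here is a minimal stateful iptables ruleset for a single Apache host in iptables-restore format, plus a check that refuses to load a ruleset containing the allow-all mistake. The ports (22, 80, 443) and the admin network 192.0.2.0/24 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: default-deny INPUT ruleset for a lone Apache host.
# Assumptions (not from the thread): Apache on 80/443, SSH on 22 reachable
# only from a constructed admin network (RFC 5737 documentation range).

WEB_PORTS="80 443"
SSH_PORT=22
ADMIN_NET="192.0.2.0/24"

# Print the filter table in iptables-restore format. INPUT and FORWARD
# default to DROP; only loopback, replies to our own connections, rate-limited
# ping, SSH from the admin net and the web ports are let in. Everything else
# is logged and falls through to the DROP policy.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
EOF
  for p in $WEB_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Read a ruleset on stdin and reject the "one rule that says allow all"
# mistake: an INPUT policy of ACCEPT, or an INPUT rule that jumps to ACCEPT
# with no match at all. Returns 0 if the ruleset passes, 1 otherwise.
audit_ruleset() {
  _rules=$(cat)
  if printf '%s\n' "$_rules" | grep -q '^:INPUT ACCEPT'; then
    echo "audit: INPUT policy is ACCEPT (allow all)" >&2
    return 1
  fi
  if printf '%s\n' "$_rules" | grep -Eq '^-A INPUT -j ACCEPT *$'; then
    echo "audit: unconditional ACCEPT on INPUT (allow all)" >&2
    return 1
  fi
  return 0
}

# With --apply (as root) the ruleset is audited and loaded atomically via
# iptables-restore; otherwise it is just printed for review.
case "${1:-}" in
  --apply)
    gen_ruleset | audit_ruleset || { echo "refusing to load ruleset" >&2; exit 1; }
    gen_ruleset | iptables-restore
    ;;
  *)
    gen_ruleset
    ;;
esac
```

Run it without arguments to see the rules, and `sh fw.sh --apply` as root to load them. iptables-restore replaces the whole table in one step, so a typo cannot leave you half-configured, and running the audit first catches exactly the rule the post above describes.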
July 7th, 2003, 05:44 AM
The whole garbage about something being only as good as it is configured is really a BS answer. Different firewalls, like different operating systems offer different architectures and functionalities and levels of assurance.
If you are looking for a firewall that can verify the actual content of the data, iptables is utterly worthless as it lacks this functionality. Just like Zone Alarm can prevent specific programs from sending connections and IPF cannot, IPF can hold state on UDP packets and Zone Alarm cannot. These are all different questions of functionality. After this comes level of assurance; for examples of assurance criteria, check out the following ISO-15408 evaluations
How does all of this relate to you, SirDirge? Since it doesn't sound like you are segregating network traffic, if you only wish to protect a single server (if this is the case) I do not think that a packet filtering type firewall would work well for you, as you should close all the ports you don't want open rather than filtering them. A filtering firewall will not protect the services that you are allowing either. In this type of situation, though I am not sure of your skill level, the FireWall Tool Kit (http://www.fwtk.org/) is very good as it can actually protect the services that you are allowing everyone access to. Other commercial solutions are better of course, but FWTK is free. (It also has modules to handle port filtering as well if you decide you need it.)
July 7th, 2003, 08:23 AM
A dedicated oBSD box with authPF and packet filtering is nice and cozy.
July 7th, 2003, 03:27 PM
Thanks to you all. Your help was much appreciated.
July 7th, 2003, 03:59 PM
guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;