IMO iptables is a reasonably good stateful firewall and is fine in most cases. However, a very wise person once said that the ideal setup is to layer more than one implementation of packet filter and firewall between the wild and a host/network you wish to protect. Ideally implementations on diverse platforms.
One example for consideration is a cisco packet filter (acls) that may allow fragmented packets to traverse its filters, but once passed on to an iptables ruleset they might get discarded, because iptables was written separately from cisco's implementation and happens to catch this case and a few other cases that were missed. Make your network an onion if you can engineer a method to easily manage your rules.

That said, I use only iptables to filter my home network and either it is doing a great job or nobody is interested in attacking my host (likely both). For me, it does the job as nothing is revenue generating for myself or others -- it's important, but not critical. If I had a client that wanted to sell stuff on the web and handle ccard ordering of a product, as well as all their corporate email, then I would be more thoughtful of additional measures to protect the network. In my work environment every so often developers or others turn off our iptables rulesets without telling us, as it is easy (one little command). In such cases the cisco packet filter will offer some protection, and disabling such filters is more work than our developers care to struggle against.

Iptables/ipf and any other stateful firewall that attempts to be a modern contender in the firewalling ring is likely 'good enough'. My point is that while I like iptables, it and every other filter out there will fall subject to some method of circumvention/exploitation at some point, and how much effort you put into hardening your network is up to you. Your question almost seems to be "is iptables developed enough to compete with commercial solutions", to which I would say "yes, if the person deploying the rules is experienced enough to write a solid set of rules". If I were you, I would be satisfied with iptables and the hardware you have selected -- but I am not you, and this decision is not mine to make. No matter where you set the bar there will still be more secure solutions.
"Secure enough" is all a state of paranoia and budget. :)

-ian

On Wed, 19 Mar 2003, Jones wrote:

> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution. This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd. Everything else would be turned off. It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software. That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
>
> On a less related note, what hardware config would you recommend for
> such a system? She has a number of machines that I could choose
> from. Most of them are 1.x GHz Pentium systems with 256MB RAM and 10
> GB IDE hard drives. After increasing the RAM to 512MB, I think this
> should be more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.
>
> thanks
> jmb
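As an added illustration of the "solid set of rules" Ian's reply asks for (example code, not from either poster), the script below emits a default-deny stateful iptables ruleset for the host described in the question: Apache, exim/qpopper and sshd reachable, everything else closed, non-first fragments dropped before any service rule, and a rate-limited LOG rule so that a flushed or disabled ruleset shows up as a gap in the logs. The interface name eth0 is an assumption; apply with `gen_rules | iptables-restore`.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits a minimal stateful
# ruleset in iptables-restore format for a Debian web/mail/ssh host on DSL.
# Assumption: the internet-facing interface is eth0 (override via $1).
gen_rules() {
  wan_if="${1:-eth0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# non-first fragments carry no TCP/UDP header, so no port rule can classify
# them; with conntrack loaded the kernel reassembles first, so this is a
# backstop rather than the primary defence
-A INPUT -f -j DROP
# replies to connections this host initiated, plus related ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack could not associate with any connection
-A INPUT -m state --state INVALID -j DROP
# the four published services, new connections only, from the WAN side
-A INPUT -i $wan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 110 -m state --state NEW -j ACCEPT
# keep ping working; path-MTU ICMP errors already pass as RELATED above
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log (rate limited) what the default DROP policy will discard; a sudden
# silence in these logs is a sign someone flushed the table
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Number of services deliberately exposed to new inbound connections.
# Handy as a sanity check that the ruleset loaded is the one intended.
exposed_ports() {
  gen_rules "$1" | grep -c -- '--state NEW -j ACCEPT'
}
```

A drift check against the running kernel could compare `exposed_ports` with `iptables -S INPUT | grep -c -- '--ctstate NEW -j ACCEPT'` (modern iptables prints the state match as `--ctstate`), which is the kind of monitoring that catches the "one little command" Ian mentions.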