[EMAIL PROTECTED] wrote:
>
> Has anyone found making a debian machine with firewall support useful?

Yes, very much so.

> What are firewalls useful for? Do they simply prevent packets from passing
> through the firewall into the rest of the network?

It depends. "Firewall" can mean different things:

It may be a packet filtering firewall which does what you think it does. This functionality is built into the kernel (needs a recompile, probably). The interface to change its behavior is ipchains (for the 2.2.x-kernel, 2.0.x and 2.4.x use other means), i.e. you write a shell script that gets executed in a runlevel, which sets your config.

Another type of firewall is a proxying firewall. There is a package called SOCKS that does this (maybe others too). Proxies work on the application level, IIRC, and so can know things that a packet filtering firewall can't know. They need the ability to use the proxy compiled into client programs too, though.

> Would a firewall
> necessarily have to be also configured to be a router?

Again, it depends. A proper firewall should be a standalone machine without user accounts, without network services running and with as little SW as possible installed (no compilers, ...). If behind the firewall you have a network then, yes, it can do routing, too. It can also do IP masquerading. Note that there are much more sophisticated setups with "demilitarized zones" around the firewall and all kinds of stuff. What to build depends on your security requirements.

OTOH, you can have packet filtering enabled on a standalone workstation with dial-up or cable/dsl access. No routing in this case, of course. This way, you at least can stay out of random script-kiddie portscans (or your cable provider's scans). It's also great to be able to control what's allowed to go /out/, e.g., when you're configuring network stuff and don't want your MTA to send mail to [EMAIL PROTECTED] instead of [EMAIL PROTECTED] :o)

Note that you should never rely on firewall security alone, but have your services configured properly, too (tcp wrappers, etc.). You don't want your machines completely open when the firewall is compromised.

> Any info you guys
> can provide would be useful. I was thinking about making one of my debian
> machines a firewall, but don't really know what I would do with it:)

I recommend the book Linux Firewalls by Robert L. Ziegler, New Riders, ISBN 0-7357-0900-9. He also has a webpage http://www.linux-firewall-tools.com/ with lots of info and a nifty tool where you answer questions and it will generate a firewall script for you. If your security requirements are modest, this is maybe all you need.

There are other books too, like Building OpenBSD and Linux Firewalls (IIRC), but I don't know them.

There are also some GUI firewall tools for gnome, like firestarter and others (see www.gnome.org), probably for KDE, too. Note, however, that at least firestarter is AFAIK made to work with RedHat, so it needs a bit of tweaking to work with the debian way of init.

Very good reading is also Securing and Optimizing Linux, http://www.openna.com/books/book.htm
Note that it's for RedHat, but it's easy to apply it to debian.

A nice exercise is to scan/attack your machine/network from the outside before and after the firewall is in place. If you're lazy ;o) a quick way to get a portscan on the well known ports done is to use Shields Up! at http://www.grc.com/ (disable your isp's proxy in your browser settings before, otherwise not you but your isp's proxy will be scanned!). You want it to report "stealth" for every port you don't need available from the outside.

Hope this helps (well, I'm sure)

Greetings

-- 
I did not vote for the Austrian government
Linux: The choice of a GNU generation. Visit http://www.gnu.org/
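
The kind of ipchains script the reply describes for a standalone dial-up workstation, run from an init script at boot, as an added example that is not part of the original message. The interface name `ppp0`, the `RUN` dry-run switch, the function name `fw_rules` and the choice of allowed traffic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stateless ipchains rule set (2.2.x kernels) for a
# standalone dial-up workstation. Interface name and allowed traffic
# are assumptions, not taken from the message above.
EXT_IF="${EXT_IF:-ppp0}"
# Dry run by default: commands are printed. Run as root with RUN= to apply.
RUN="${RUN-echo}"

fw_rules() {
    # Start from an empty rule set and deny inbound traffic by default.
    $RUN ipchains -F
    $RUN ipchains -P input DENY
    $RUN ipchains -P forward DENY     # workstation only, no routing
    $RUN ipchains -P output ACCEPT

    # Local traffic over loopback is always allowed.
    $RUN ipchains -A input -i lo -j ACCEPT

    # ipchains keeps no connection state, so replies to our own TCP
    # connections are recognised as "not a bare SYN" to a high port.
    $RUN ipchains -A input -i "$EXT_IF" -p tcp ! -y --dport 1024:65535 -j ACCEPT
    # DNS answers over UDP.
    $RUN ipchains -A input -i "$EXT_IF" -p udp --sport 53 --dport 1024:65535 -j ACCEPT
    # ICMP errors needed for path MTU discovery and failed connections.
    $RUN ipchains -A input -i "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT

    # Log inbound connection attempts before the default policy drops them.
    $RUN ipchains -A input -i "$EXT_IF" -p tcp -y -l -j DENY

    # Outbound control: keep a half-configured MTA from delivering mail.
    $RUN ipchains -A output -i "$EXT_IF" -p tcp --dport 25 -j REJECT
}

fw_rules
```

Remove the last rule once the MTA is configured. Because the filter is stateless, the non-SYN TCP rule also admits stray packets to high ports, which is one more reason to keep the services themselves locked down.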