
Linux Server Firewall


beastmasta


Monowall is a stand alone system based on FreeBSD.

It depends if you are running any other servers on the system that you don't wish to be publicly accessible. You might not need one because on a server you generally know exactly what's running and usually the stuff you run is there to provide service to people. If you have something you want to only be accessible from your own network you might want something (I use FreeBSD so I don't know what firewalls are typically used on Linux specifically, but ipf is available for Linux). You don't want a personal firewall like on Windows though when you are running a server; you will just want a firewall running with some static rules you have written.


iptables is probably the firewall you'll want to use if it's running on the same computer as the server. It's pretty easy to set up and the rules are fairly straightforward.

A quick Google search will give you some good results but just ask if you've got any specific questions.

Ben


No one seems to have asked this yet, so I will: "Do you actually need a firewall?"

I have a FreeBSD server and that doesn't have a firewall. It is running lots of stuff, but it's behind a hardware firewall, so a software firewall would be of little use.


No one seems to have asked this yet, so I will: "Do you actually need a firewall?"

I have a FreeBSD server and that doesn't have a firewall. It is running lots of stuff, but it's behind a hardware firewall, so a software firewall would be of little use.

Explain please, you say you have no firewall, yet you have a hardware firewall. Do you mean that FreeBSD has its own firewall built in (perhaps a better quality one than the one built into XP *shudders*), or do you mean that you have a separate firewall that your server runs through, thus eliminating the need for a software firewall...?


No, I mean my Internet connection is hardware firewalled. There is a highly remote chance that unsolicited traffic could get through on any port except 80. As such a software firewall is fairly useless on my server.

My point is if you only want specific ports open to the Internet and your server is behind a hardware firewall, a software firewall is pretty redundant. Unless it's on a big network with unmonitored computer use, but then for the sake of ease you might give it its own hardware firewall. Although in that instance a software firewall would be more cost effective.


If you're already on a network that is firewalled you'll probably get away with it. If you're putting it on some form of DMZ, well... If you just turn off all the services that you don't need then you should be OK (a few nmap scans should help you here).

Otherwise, iptables FTW. If, like me, you hate the iptables commands, use a configuration script. I use one called FireHOL, but that's for my Gentoo Linux firewall box, and I think that's what it was made to make (i.e. routing, not a static box). There are others as well that I have forgotten; a Google search for "iptables generator" or something should find you some.
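The "turn off the services you don't need" step above, made checkable from the host side (it complements, rather than replaces, an nmap scan from outside). This is an added example, not code posted in the thread: it feeds `ss -tulpn` output through a small awk filter that reports only sockets bound to every interface, which are the ones a DMZ placement would expose. The listener table embedded below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets that listen on all
# interfaces, i.e. the services a DMZ would expose. Works on `ss -tulpn`
# output; the sample below is constructed, not captured from a real host.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=1301,fd=21))
tcp   LISTEN 0      511    [::]:80           [::]:*        users:(("apache2",pid=944,fd=4))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*     users:(("chronyd",pid=700,fd=5))'

# exposed_listeners < ss-output -> "proto port process" for each wildcard-bound socket
exposed_listeners() {
    awk '$1 == "tcp" || $1 == "udp" {
        # local address is field 5; the port is whatever follows the last colon,
        # so IPv6 forms such as [::]:80 split correctly as well
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            proc = "-"
            # process name is the first quoted string inside users:(("name",pid=...))
            if (match($0, /\("[^"]+"/))
                proc = substr($0, RSTART + 2, RLENGTH - 3)
            print $1, port, proc
        }
    }'
}

# exposed_count < ss-output -> number of wildcard-bound sockets
exposed_count() {
    exposed_listeners | grep -c .
}

# Offline run over the constructed sample. On a real box: ss -tulpn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Anything the filter prints is reachable from every interface the box has; loopback-only listeners (mysqld and chronyd in the sample) are left out because a host firewall is not what protects them. Each printed line is either a service you meant to publish, a candidate for binding to 127.0.0.1 or the LAN address, or a candidate for switching off.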


I just got a Cisco PIX 525 Firewall and it's brilliant, and I would recommend any Cisco firewall as I have been using them for years. I don't use software firewalls on any of my servers or Linux desktops as it would be a waste of system resources, and I only put them on laptops.

If you have an old box lying around you can make your own firewall if you don't want to shell out the cash for a Cisco or other manufacturer's firewall, using SmoothWall or IPCop.


I don't run any services that shouldn't be publicly accessible on the machines that provide me with internet connectivity. The big idea behind a firewall would be to either log access attempts (meh, like I care if someone portscans my machine) or to prevent access to services I shouldn't be running on that box in the first place.

One idea might be to use the IDS Snort which will block traffic that is known to contain exploiting data, but that basically means I've implemented a workaround to actually fixing the software that is now known to be broken.

I really don't see the added advantage, in my home network, for a firewall, but I'm open to suggestions.


it's behind a hardware firewall, as such a software firewall would be of little use.

How much control do you have over that hardware firewall? If you are the owner, and it's a high end firewall (not just a NAT router), you may have no use for a software firewall.

However, I have a couple of firewall rules that prevent fragmented packets and SYN-only packets from hitting my server applications. I can't do this with my NAT router, so it is a little extra suspenders for me.

I don't run any services that shouldn't be publicly accessible on the machines that provide me with internet connectivity. Since the big idea behind a firewall would be to either log access attempts (meh. Like I care someone portscans my machine) or to prevent access to services I shouldn't be running on that box in the first place.

Not necessarily true. As stated above, I run many services that I want and use my firewall mainly for logging and added protection.

One idea might be to use the IDS Snort which will block traffic that is known to contain exploiting data, but that basically means I've implemented a workaround to actually fixing the software that is now known to be broken.

If you're running Snort in IPS mode (which you'd need to do to block traffic) you're basically running a firewall.

Ben
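Ben's iptables suggestion earlier in the thread and the fragment / SYN rules he mentions above, written out as one complete static ruleset of the kind the first reply recommends. This is an added example, not code posted by anyone in the thread: it assumes a hypothetical stand-alone server whose only public services are SSH on 22 and HTTP on 80, emits the rules in iptables-restore format so they can be reviewed as text, and applies nothing unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread): a static inbound ruleset for a
# stand-alone server in iptables-restore format. Assumed, hypothetical
# values: SSH (22) and HTTP (80) are the only public services.

# gen_ruleset "22 80" -> prints the ruleset; applies nothing, so it runs unprivileged
gen_ruleset() {
    ports=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# fragments: log a rate-limited sample, then drop (a stateful server ruleset has no use for them)
-A INPUT -f -m limit --limit 5/min -j LOG --log-prefix "FRAG: "
-A INPUT -f -j DROP
# a NEW TCP connection must begin with a bare SYN; anything else claiming to be new is bogus
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# packets belonging to connections already accepted, or related to them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # one ACCEPT per published port
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# keep the box pingable for diagnostics
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# everything else: log a rate-limited sample, then the chain policy drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Number of ports the generated ruleset opens to the Internet.
count_open_ports() {
    gen_ruleset "$1" | grep -c -- '--dport'
}

# Apply only on explicit request and only as root; iptables-restore loads the whole set atomically.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_ruleset "${2:-22 80}" | iptables-restore
else
    gen_ruleset "${2:-22 80}"
fi
```

Generating the text first and loading it with iptables-restore is what keeps this a "static rules you have written" firewall: the file can be diffed and reviewed, and a reload replaces the table in one step instead of leaving a half-applied chain if one command in a script fails. The LOG rules are rate-limited so a port scan fills a few lines, not the disk.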


The simple reason for running a firewall on your computer or server as well as a hardware firewall is that the hardware firewall is very good at stopping incoming connections or preventing connections on certain ports or from certain machines. However what a software firewall on the computer will do is be able to stop individual programs from accessing the network.

For example, you could have a hardware firewall only and your computer could be infected with a trojan, and the hardware firewall wouldn't stop the connections; however, most software firewalls would be able to detect it and stop it.


It's like running certain processes as limited accounts: you only permit traffic from, say, Apache and Postfix and nothing else out on to the WAN; you could then have a separate table for LAN connections which was more lax.
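The per-process egress idea in the post above, written out as a concrete OUTPUT-chain ruleset using the iptables owner match (which only works on locally generated packets, so it lives in OUTPUT). This is an added example, not the poster's code. Its values are hypothetical: the WAN interface is eth0, the LAN is 192.168.1.0/24, Apache runs as www-data and Postfix as postfix. The function only prints the ruleset in iptables-restore format; nothing is applied.

```shell
#!/bin/sh
# Added example (not from the thread): per-process egress filtering with the
# iptables owner match, plus a separate, laxer chain for LAN destinations.
# Assumed, hypothetical values: WAN interface eth0, LAN 192.168.1.0/24.

# gen_egress "user:port[,port...]" ... -> OUTPUT-chain ruleset (printed, not applied)
gen_egress() {
    cat <<'EOF'
*filter
:OUTPUT DROP [0:0]
:LAN_OUT - [0:0]
-A OUTPUT -o lo -j ACCEPT
# replies to connections clients opened to us (Apache answering a request) are
# ESTABLISHED, so a server never needs a NEW rule for its own responses
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN-bound traffic (including the local resolver) is handled by its own chain
-A OUTPUT -d 192.168.1.0/24 -j LAN_OUT
EOF
    # one NEW-connection rule per service account, restricted to that account's ports
    for spec in "$@"; do
        user=${spec%%:*}
        ports=${spec#*:}
        printf '%s\n' "-A OUTPUT -o eth0 -p tcp -m multiport --dports $ports -m owner --uid-owner $user -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# any other process trying to reach the WAN: log a sample, then the policy drops it
-A OUTPUT -o eth0 -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
# the LAN chain: this is where the deliberately looser rules live
-A LAN_OUT -j ACCEPT
COMMIT
EOF
}

# How many service accounts the ruleset lets out to the WAN.
count_egress_accounts() {
    gen_egress "$@" | grep -c 'uid-owner'
}

# Print the ruleset for Apache (HTTP/HTTPS fetches) and Postfix (outbound SMTP).
gen_egress "www-data:80,443" "postfix:25,587"
```

The value of this layout is the log line: with the OUTPUT policy at DROP, any process other than the named accounts that tries to open a WAN connection shows up as an EGRESS-DENY entry, which is exactly the trojan case described a couple of posts up. The LAN chain is where you put the looser rules, so the exceptions are in one place rather than scattered through the WAN rules.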


It's like running certain processes as limited accounts

Huh? I'm not sure what running a firewall has to do with account authorization. Could you please explain more?

you only permit traffic from, say, Apache and Postfix and nothing else out on to the WAN

I think Sparda and I are talking about a machine that only acts as a server. If this is the case then all outbound traffic should be considered legitimate. This would also assume that the only outbound traffic for the machine would be response traffic to client requests (I know this is not always the case because there are sometimes maintenance processes that access the network on servers, but those are negligible).

you could then have a separate table for LAN connections which was more lax.

I am not 100% sure what you mean by "more lax", but I really don't like that idea. Yes, there may be certain services that you only open to your LAN (or other specified systems or subnets), but it should not be considered more "lax".

Ben


beastmasta, how do you connect to the internet? Describe the physical connection.

Example: My computer is connected to a switch, which is in turn connected to another switch, which is in turn connected to a NAT router, which in turn connects to the phone line.


1 month later...

beastmasta, how do you connect to the internet? Describe the physical connection.

Example: My computer is connected to a switch, which is in turn connected to another switch, which is in turn connected to a NAT router, which in turn connects to the phone line.

My computer is connected to a modem, directly.
