beastmasta Posted May 9, 2006
Hey, I am going to host a Linux server for CS. Are there any firewalls made mainly for a Linux server, or do you even need one? :?
VaKo Posted May 9, 2006
monowall? Although that might be a stand-alone system, I'm not too sure. Pretty damn sure Linux needs a firewall though.
Shaun Posted May 9, 2006
Monowall is a stand-alone system based on FreeBSD. It depends if you are running any other servers on the system that you don't wish to be publicly accessible. You might not need one, because on a server you generally know exactly what's running, and usually the stuff you run is there to provide service to people. If you have something you want to only be accessible from your own network you might want something (I use FreeBSD so I don't know what firewalls are typically used on Linux specifically, but ipf is available for Linux). You don't want a personal firewall like on Windows though when you are running a server; you will just want a firewall running with some static rules you have written.
ben Posted May 9, 2006
iptables is probably the firewall you'll want to use if it's running on the same computer as the server. It's pretty easy to set up and the rules are fairly straightforward. A quick Google search will give you some good results, but just ask if you've got any specific questions.
Ben
Sparda Posted May 9, 2006
No one seems to have asked this yet, so I will: "Do you actually need a firewall?" I have a FreeBSD server and that doesn't have a firewall. It is running lots of stuff, but it's behind a hardware firewall, as such a software firewall would be of little use.
Technologique Posted May 9, 2006
> No one seems to have asked this yet, so I will: "Do you actually need a firewall?" I have a FreeBSD server and that doesn't have a firewall. It is running lots of stuff, but it's behind a hardware firewall, as such a software firewall would be of little use.
Explain please: you say you have no firewall, yet you have a hardware firewall. Do you mean that FreeBSD has its own firewall built in (perhaps a better quality one than the one built into XP *shudders*), or do you mean that you have a separate firewall that your server runs through, thus eliminating the need for a software firewall...?
Sparda Posted May 9, 2006
No, I mean my Internet connection is hardware firewalled. There is a highly remote chance that unsolicited traffic could get through on any port except 80. As such, a software firewall is fairly useless on my server. My point is, if you only want specific ports open to the Internet and your server is behind a hardware firewall, a software firewall is pretty redundant. Unless it's on a big network with unmonitored computer use, but then for the sake of ease you might give it its own hardware firewall. Although in that instance a software firewall would be more cost effective.
jalada Posted May 10, 2006
If you're already on a network that is firewalled you'll probably get away with it. If you're putting it on some form of DMZ, well... If you just turn off all the services that you don't need then you should be OK (a few nmap scans should help you here). Otherwise, iptables FTW. If, like me, you hate the iptables commands, use a configuration script. I use one called FireHOL, but that's for my Gentoo Linux firewall box, and I think that's what it was made to make (i.e. routing, not as a static box). There are others as well that I have forgotten; a Google search for "iptables generator" or something should find you some.
metatron Posted May 10, 2006
I just got a Cisco PIX 525 firewall and it's brilliant, and I would recommend any Cisco firewall as I have been using them for years. I don't use software firewalls on any of my servers or Linux desktops as it would be a waste of system resources, and I only put them on laptops. If you have an old box lying around you can make your own firewall, if you don't want to shell out the cash for a Cisco or other manufacturer's firewall, using SmoothWall or IPCop.
cooper Posted May 10, 2006
I don't run any services that shouldn't be publicly accessible on the machines that provide me with internet connectivity, since the big idea behind a firewall would be to either log access attempts (meh, like I care someone portscans my machine) or to prevent access to services I shouldn't be running on that box in the first place. One idea might be to use the IDS Snort, which will block traffic that is known to contain exploiting data, but that basically means I've implemented a workaround to actually fixing the software that is now known to be broken. I really don't see the added advantage, in my home network, for a firewall, but I'm open to suggestions.
ben Posted May 10, 2006
> it's behind a hardware firewall, as such a software firewall would be of little use.
How much control do you have over that hardware firewall? If you are the owner, and it's a high-end firewall (not just a NAT router), you may have no use for a software firewall. However, I have a couple of firewall rules that prevent fragmented packets and SYN-only packets from hitting my server applications. I can't do this with my NAT router, so it is a little suspenders for me.
> I don't run any services that shouldn't be publicly accessible on the machines that provide me with internet connectivity, since the big idea behind a firewall would be to either log access attempts (meh, like I care someone portscans my machine) or to prevent access to services I shouldn't be running on that box in the first place.
Not necessarily true. As stated above, I run many services that I want, and use my firewall mainly for logging and added protection.
> One idea might be to use the IDS Snort, which will block traffic that is known to contain exploiting data, but that basically means I've implemented a workaround to actually fixing the software that is now known to be broken.
If you're running Snort in IPS mode (which you'd need to do to block traffic) you're basically running a firewall.
Ben
stingwray Posted May 10, 2006
The simple reason for running a firewall on your computer or server as well as a hardware firewall is that the hardware firewall is very good at stopping incoming connections or preventing connections on certain ports or from certain machines. However, what a software firewall on the computer will do is be able to stop individual programs from accessing the network. For example, you could have a hardware firewall only and your computer could be infected with a trojan, and the hardware firewall wouldn't stop the connections; however, most software firewalls would be able to detect it and stop it.
Sparda Posted May 10, 2006
We are talking about a server; outbound control is useful for desktop computers, but not really useful for servers.
stingwray Posted May 10, 2006
It's like running certain processes as limited accounts: you only permit traffic from, say, Apache and Postfix and nothing else out on to the WAN. You could then have a separate table for LAN connections which was more lax.
ben Posted May 10, 2006
> It's like running certain processes as limited accounts
Huh? I'm not sure what running a firewall has to do with account authorization. Could you please explain more?
> you only permit traffic from, say, Apache and Postfix and nothing else out on to the WAN
I think Sparda and I are talking about a machine that only acts as a server. If this is the case then all outbound traffic should be considered legitimate. This would also assume that the only outbound traffic for the machine would be response traffic to client requests (I know this is not always the case because there are sometimes maintenance processes that access the network on servers, but those are negligible).
> You could then have a separate table for LAN connections which was more lax.
I am not 100% sure what you mean by "more lax", but I really don't like that idea. Yes, there may be certain services that you only open to your LAN (or other specified systems or subnets), but it should not be considered more "lax".
Ben
georgia_tech_swagger Posted May 11, 2006
iptables, especially if you find trickeration like NAT of use. Shorewall is pretty good as well.
beastmasta Posted May 11, 2006 (Author)
Is there any easy-to-use firewall, like Norton or Trend Micro? P.S. I don't have a hardware firewall.
georgia_tech_swagger Posted May 11, 2006
> Is there any easy-to-use firewall, like Norton or Trend Micro? P.S. I don't have a hardware firewall.
OpenSuSe installs a firewall by default and provides a nice easy GUI to tweak it through YaST. I'm sure other newb distros such as Ubuntu and Fedora do similar things.
Sparda Posted May 11, 2006
beastmasta, how do you connect to the internet? Describe the physical connection. Example: My computer is connected to a switch, which is in turn connected to another switch, which is in turn connected to a NAT router, which in turn connects to the phone line.
beastmasta Posted June 13, 2006 (Author)
> beastmasta, how do you connect to the internet? Describe the physical connection. Example: My computer is connected to a switch, which is in turn connected to another switch, which is in turn connected to a NAT router, which in turn connects to the phone line.
My computer is connected to a modem, directly.
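Since the box sits on the modem directly with no hardware firewall, the "static rules you have written" that Shaun and ben describe are the practical answer. The script below is an added example of such an iptables ruleset for a stand-alone game server (it is not code from any poster in this thread); it assumes the game listens on 27015/udp (Counter-Strike's default), that the modem-facing interface is eth0, and that 192.168.1.0/24 is the only range allowed to SSH in.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): static iptables rules for a
# stand-alone Linux game server plugged straight into a modem with no upstream firewall.
# Assumptions: the game listens on 27015/udp (Counter-Strike's default; change it to
# whatever your server binds), SSH is wanted only from 192.168.1.0/24 (assumed LAN or
# admin range), and the modem-facing interface is eth0.
set -eu

IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
GAME_PORT="${GAME_PORT:-27015}"

apply_rules() {
    # Start clean, then deny inbound and forwarded traffic unless a rule below allows it.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT      # a pure server's outbound traffic is replies to clients

    # Loopback and already-established flows are always fine.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Sanity filters: untrackable packets, non-initial fragments, and new TCP flows
    # that do not start with SYN. No legitimate client sends these.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    "$IPT" -A INPUT -f -j DROP
    "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # The only public service: the game port, on the modem-facing interface.
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport "$GAME_PORT" -j ACCEPT

    # Admin access stays restricted to the admin range; that range may also ping the box.
    "$IPT" -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -s "$ADMIN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Log a trickle of whatever is left so a port scan shows up in syslog,
    # then let the DROP policy discard it.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# Only touch the kernel when asked, so the file can be sourced or dry-run safely.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as `IPT=echo sh firewall.sh --apply` first to review the rules, then as root with the real `iptables` once they look right.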