Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 25 Oct 2002 00:03:15 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 25 Oct 2002 00:03:15 -0400 Received: from fluent2.pyramid.net ([206.100.220.213]:62213 "EHLO fluent2.pyramid.net") by vger.kernel.org with ESMTP id ; Fri, 25 Oct 2002 00:03:14 -0400 Message-Id: <5.1.0.14.0.20021024210320.01db0750@fluent2.pyramid.net> X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 24 Oct 2002 21:09:20 -0700 To: hps@intermeta.de, linux-kernel@vger.kernel.org From: Stephen Satchell Subject: Re: One for the Security Guru's In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1777 Lines: 36 At 09:38 AM 10/24/02 +0000, Henning P. Schmiedehausen wrote: >So you should've bought a more expensive firewall that offers protocol >based forwarding instead of being a simple packet filter. > >packet filter != firewall. That's the main lie behind most of the >"Linux based" firewalls. > >Get the real thing. Checkpoint. PIX. But that's a little >more expensive than "xxx firewall based on Linux". OK, I don't advertise that I'm the "know-it-all" when it comes to security, and in the State of Nevada (USA) I'm not allowed to advertise as a "security consultant" without a special license from the Private Investigator's License Board. I have a firewall running on 2.4.18 (Red Hat 7.3/Valhalla with updates) which is (on an experimental basis) doing port-number-based forwarding to a Web server. The idea is that the Web server is *not* directly on the 'Net, but is instead behind a firewall that steers incoming traffic to it on two specific ports: 80 and 443. (Yes, I installed the slapper on the Web server.) This was done using IPTABLES. I've also been experimenting with the traffic limiting capabilities, as one co-locate provider offers discounts for guaranteed lower bandwidth utilization, so by limiting the bandwidth using IPTABLES I should be able to cut my co-lo costs to 1/3 of what they would be with "unlimited" bandwidth. I've worked with the PIX, and I don't see what I'm missing in features between the PIX and Linux/IPTABLES. I'm sure there is something. Please amplify on your comments. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/