Full Discussion: Linux Firewalls
UNIX for Advanced & Expert Users: Linux Firewalls. Post 7220 by LivinFree on Friday 21st of September 2001 12:43:57 AM
Well, I do have to say, if it ain't broken, why fix it? But if you really want to switch away from OpenBSD, I agree with staying away from Raptor. I personally would stay away from Checkpoint as well. I haven't seen many problems with the Cisco Pix systems, and a few of our firewalls at work are in fact Pix.

If you really want to check out Linux firewalling, see here:
http://www.linuxsecurity.com/feature...netfilter.html
It gives some good information on iptables (the newest and greatest from the 2.4.* kernel). Iptables gives you many, many new abilities over previous incarnations in Linux firewalling.

You can spoof your true operating system and version, a move in the direction of stateful packet filtering, and more! If you decide to go the way of Linux, I think you'll do fine, provided you study up and do some testing before placing it in production.
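As an added example (not part of LivinFree's post), a minimal stateful IPv4 ruleset of the kind the 2.4 iptables "state" match made possible, emitted in iptables-restore format so it can be loaded atomically. The WAN interface (eth0) and the admin address (192.0.2.10) are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the forum post: generate a default-deny stateful
# ruleset built on the conntrack "state" match. Assumptions (placeholders):
# WAN interface eth0, one admin host 192.0.2.10 allowed to open SSH.

gen_stateful_rules() {
    wan_if="${1:-eth0}"
    admin_ip="${2:-192.0.2.10}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always accepted.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot associate with any connection are dropped first,
# so they can never reach a later ACCEPT rule.
-A INPUT -m state --state INVALID -j DROP
# The stateful core: replies to traffic we started, and RELATED flows
# opened by a helper (e.g. FTP data), are accepted without per-port rules.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only NEW inbound connection we take: SSH from the admin host.
-A INPUT -i $wan_if -p tcp -s $admin_ip --dport 22 -m state --state NEW -j ACCEPT
# Rate-limited log of everything else so the DROP policy is observable.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Number of -A rules in the generated set, for a quick sanity check.
count_rules() {
    gen_stateful_rules "$@" | grep -c '^-A'
}

# Usage: sh fw.sh eth0 192.0.2.10 | iptables-restore
if [ $# -gt 0 ]; then
    gen_stateful_rules "$@"
fi
```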
CONNTRACKD(8)

NAME
       conntrackd - netfilter connection tracking user-space daemon

SYNOPSIS
       conntrackd [options]

DESCRIPTION
       conntrackd is the user-space daemon for the netfilter connection tracking system. This daemon synchronizes connection tracking states between several replica firewalls. Thus, conntrackd can be used to deploy highly available stateful firewalls. The daemon supports Primary-Backup and Multiprimary setups. The daemon can also be used as a statistics collector.

OPTIONS
       The options recognized by conntrackd can be divided into several different groups.

   MODES
       These options specify the particular operation mode in which conntrackd runs. Only one of them can be specified at any given time.

       -d     Run conntrackd in daemon mode.

   CLIENT COMMANDS
       conntrackd can be used in client mode to request information and operations from a running daemon.

       -i [ct|expect]
              Dump the internal cache, i.e. show local states.

       -e [ct|expect]
              Dump the external cache, i.e. show foreign states.

       -x     Display output in XML format. This option is only valid in combination with the "-i" and "-e" parameters.

       -f [|internal|external]
              Flush the internal and/or external cache.

       -F [ct|expect]
              Flush the kernel conntrack table (if you use a Linux kernel >= 2.6.29, this option will not flush your internal and external cache).

       -c     Commit external cache to conntrack table.

       -B     Force a bulk send to other replica firewalls. With this command, you ask conntrackd to send the state entries that it owns to the others.

       -n     Request resync with other node (only FT-FW and NOTRACK modes).

       -k     Kill the daemon.

       -s [|network|cache|runtime|link|rsqueue|process|queue|ct|expect]
              Dump statistics. If no parameter is passed, it displays the general statistics. If "network" is passed as parameter, it displays the networking statistics. If "cache" is passed as parameter, it shows the extended cache statistics. If "runtime" is passed as parameter, it shows the run-time statistics. If "process" is passed as parameter, it shows existing child processes (if any). If "queue" is passed as parameter, it shows queue statistics. If "ct" is passed, it displays the general statistics. If "expect" is passed as parameter, it shows expectation statistics.

       -R [ct|expect]
              Force a resync against the kernel connection tracking table.

       -t     Reset the in-kernel timers (see PurgeTimeout clause).

       -v     Display version information.

       -h     Display help information.

       -C config file
              Configuration file path.

DIAGNOSTICS
       The exit code is 0 for correct function. Errors cause an exit code of 1.

EXAMPLES
       The following examples are illustrative; for real use in a firewall fail-over, check the primary-backup.sh script that comes with the sources.

       conntrackd -d
              Runs conntrackd in daemon and synchronization mode.

       conntrackd -i
              Dumps the states held in the internal cache, i.e. those handled by this firewall.

       conntrackd -e
              Dumps the states held in the external cache, i.e. those handled by other replica firewalls.

       conntrackd -c
              Commits the external cache into the kernel connection tracking system. This is used to inject the state so that the connections can be recovered during the failover.

DEPENDENCIES
       This daemon requires a Linux kernel version >= 2.6.18. TCP window tracking support requires >= 2.6.22; otherwise you have to disable it. Helpers are fully supported since >= 2.6.25; if you use any previous version, then depending on the protocol helper and your setup (e.g. whether your setup performs NAT sequence adjustments or not), your helped connection may be successfully recovered.

       There are several unsupported stateful iptables matches, such as recent, connbytes and the quota matches, which gather internal information to operate. Since that information does not belong to the domain of the connection tracking system, connections affected by those matches may not be fully recovered during the takeover.

       The daemon requires a Linux kernel version >= 2.6.26 to support kernel-space event filtering. Otherwise, all the event filtering is done in userspace with the corresponding extra overhead. If you are not using the Filter clause in the configuration file, ignore this notice.

INCOMPATIBILITIES
       During the 0.9.9 development, some important changes in the replication message format were introduced. Therefore, conntrackd >= 0.9.9 will not work appropriately with conntrackd <= 0.9.8. This should not be a problem if you use the same conntrackd version in all the firewall replica nodes.

SEE ALSO
       conntrack(8), iptables(8)
       See http://conntrack-tools.netfilter.org

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS
       Pablo Neira Ayuso wrote and maintains the conntrackd tool. Please send bug reports to <netfilter-devel@lists.netfilter.org>. Subscription is required.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

                                  Oct 21, 2008
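An added example, not the primary-backup.sh script the man page points to: a small failover hook that drives a running conntrackd with the client commands listed above, in the order a takeover needs (commit foreign states, flush the caches, resync from the kernel, bulk-send to the replicas). It assumes a cluster manager such as a VRRP notify script calls it with "primary" or "backup"; CONNTRACKD is an assumed override so a wrapper or a test stub can stand in for the real binary.

```shell
#!/bin/sh
# Added example, not part of conntrack-tools: failover hook built from the
# conntrackd client commands. Assumption: invoked as "failover.sh primary"
# or "failover.sh backup" by the cluster manager. CONNTRACKD may be
# overridden (e.g. with a wrapper) for testing.
CONNTRACKD="${CONNTRACKD:-conntrackd}"

become_primary() {
    # Inject the states learned from the old primary into this kernel,
    # so connections established through it survive the takeover.
    $CONNTRACKD -c || return 1
    # Flush both caches: the external one has just been committed, and
    # the internal one is rebuilt from the kernel table by -R below.
    $CONNTRACKD -f || return 1
    # Resync the internal cache against the kernel, then bulk-send the
    # states this node now owns so the other replicas hold a fresh copy.
    $CONNTRACKD -R || return 1
    $CONNTRACKD -B || return 1
}

become_backup() {
    # Reset the in-kernel timers of states committed earlier (see the
    # PurgeTimeout clause), then request a full resync from the new primary.
    $CONNTRACKD -t || return 1
    $CONNTRACKD -n || return 1
}

# Dispatch on the role handed over by the cluster manager.
failover() {
    case "$1" in
        primary) become_primary ;;
        backup)  become_backup ;;
        *) echo "usage: $0 primary|backup" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    failover "$1"
fi
```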
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.