Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Linux Firewalls
Top Forums UNIX for Advanced & Expert Users Linux Firewalls Post 7766 by loadc on Monday 1st of October 2001 10:54:46 PM
Old 10-01-2001
Just a note...
If you have some time, ANtiOnline put out an article the other day,

PIX has an issue with SMTP traffic, it will allow trafiic through and may allow for compromise on mis-configured or older SMTP setups. There is no workaround nor any fix, Cisco is suggesting using another way of securing your smtp server.

Sorry for what seems like a bit of a dig, it's not meant as such,
I agree with the previous poster, if it ain't broke, don;t fix it, but if you really want to change, keep in mind:
Linux ( as of ipchains, not sure with iptables) is a fast firewall, it reads from teh bottom up on the rules file and the first match counts. This makes for fast processing.

BSD, uses berkeley packet filter and reads from the top down with a last match counts ideal. this is slower, but it is much more thorough. that packet will pass through every rule applicable to itself and see what matches and what doesn't. the read is also from the top down, this is a much more understandable format to write rules in (for most, anyway).
It somes to what you want to be saddled with, and which one can you config better/recover faster? Assuming this is your firewall, I am also assuming that you'll want to run SNort or something equally useful inside. A firewall is only a barrier, an IDS is a tool.



Now, if I could go religious on you for a minute...

I've heard from many of the Linux advocates that I work with that "standardizing on one operating system is EXACTLY what is wrong with the Windows approach, that is why they champion Open Source and Linux. Why then, does EVERY ONE of them want EVERYONE to run EVERYTHING on Linux?!?! Isn't that really the same crap in a different pile? I'm not down on Linux, and I don't hate Microsoft, they have done some things I think are fine, but I really think that some of the zealots I work with (I'm not inclusive, I'm only ranting about the ones I know) ought ot take a look at what they are saying and compare it to the Microsoft literature. They might be surprised at how alike they sound in some respects.



I'll get down now,


loadc
 

5 More Discussions You Might Find Interesting

1. IP Networking

Halted Firewalls by Mike Murray

Secure packet filtering on high-bandwidths fw/rtr for large business tasks. Has anyone tried this concept on openbsd? The article is posted at www.sysadminmag.com on page 27. January 2002 issue. I believe Mike has hit upon something that can be applied in the field today and prevent fw... (0 Replies)
Discussion started by: dpatel
0 Replies

2. Cybersecurity

firewalls and proxys

what can I use to find out whether a computer has a firewall or proxy??? What can I use do erase it? (5 Replies)
Discussion started by: Phatress
5 Replies

3. UNIX for Dummies Questions & Answers

Firewalls and other security measures...

One day, while using my PC with Windows XP, my router just stopped working. So, for the ability to connect to the web at that moment, I connected directly to the cable modem without my router. I noticed immediately that people were trying to hack into my computer because my personal firewall would... (2 Replies)
Discussion started by: Minnesota Red
2 Replies

4. UNIX for Advanced & Expert Users

Firewalls

Hi, I was doing abit of reading on firewalls when this question came up. Is there any command which sets up a firewall that will only allow packets through if they come from a port number less than 1024? How about a command which allows packets through if they are destined for a port... (3 Replies)
Discussion started by: sleepster
3 Replies

5. Cybersecurity

Firewalls and cryptography

As we know, firewall is designed to keep unauthorized outsiders from tampering with a computer system or network. We don't talk about computer security without cryptography. In this case, may I know,How does cryptographic protection (at the TCP/IP layers or at the application layer) affect a... (1 Reply)
Discussion started by: heroine
1 Replies

LEARN ABOUT OPENSOLARIS

tc-fw

Firewall mark classifier in tc(8)                                      Linux                                     Firewall mark classifier in tc(8)

NAME

       fw - fwmark traffic control filter

SYNOPSIS

       tc filter ... fw [ classid CLASSID ] [ action ACTION_SPEC ]

DESCRIPTION

       the fw filter allows to classify packets based on a previously set fwmark by iptables.  If it is identical to the filter's handle, the fil-
       ter matches.  iptables allows to mark single packets with the MARK target, or whole connections using CONNMARK.  The benefit of using  this
       filter  instead of doing the heavy-lifting with tc itself is that on one hand it might be convenient to keep packet filtering and classifi-
       cation in one place, possibly having to match a packet just once, and on the other users familiar with iptables but not tc will have a less
       hard time adding QoS to their setups.

OPTIONS

       classid CLASSID
              Push matching packets to the class identified by CLASSID.

       action ACTION_SPEC
              Apply an action from the generic actions framework on matching packets.

EXAMPLES

       Take e.g. the following tc filter statement:

              tc filter add ... handle 6 fw classid 1:1

       will match if the packet's fwmark value is 6.  This is a sample iptables statement marking packets coming in on eth0:

              iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6

SEE ALSO

       tc(8), iptables(8), iptables-extensions(8)

iproute2                                                            21 Oct 2015                                  Firewall mark classifier in tc(8)
All times are GMT -4. The time now is 05:44 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy