Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: firewalls with linux OS
From: Stepken <stepken @ edina . xnc . com>
Organization: F.S.S.
Date: Fri, 17 Oct 1997 05:32:42 +0200
To: Chris Pugrud <ChrisP @ steldyn . com>
Cc: firewalls @ GreatCircle . COM
References: <c=US%a=_%p=Stellar_Dynamics%l=JUNEAU-971015202519Z-539 @ juneau . steldyn . com>

Chris Pugrud wrote:
> 
> Part of your firewall planning is needing to determine what to support.
> In Windows based organizations I have found the answer to generally be
> http, ftp, and smtp (web and e-mail basically).  In this situation it is
> relatively easy to set up a simple, effective firewall using Linux,
> Apache, and Qmail.
> 
> Apache has a pretty good web/ftp proxy function built in.  The caching
> functionality doesn't seem to be very effective, but I really haven't
> played with the settings.  For added security I tend to run two apache
> daemons, one for the inside with the proxy functions built in, and one
> for the outside web server that is stripped and gutted to the bare
> essentials (the less code there is, the less that can be compromised).

Apache is quite stable. You should let it run in a chroot() environment.
For security purposes I really only trust CERN-HTTPD. It's the only
one which is bulletproof.
 
> Qmail is very fast and effective as an e-mail gateway.  I would
> recommend using an internal e-mail server, and just have Qmail relay
> mail between the world and the office.  Qmail also has a very easy setup
> to disable the relay functionality, so you can avoid being victimized by
> spammers using your server.

Qmail still is not bulletproof, but seems to be better than sendmail.
I'd recommend a sendmail proxy (there are some free ones) and qmail
running in user mode.
 
> If you strip and gut the Linux server appropriately you will end up with
> a very tight configuration, with only three ports open to attack (http,
> smtp, and dns).  A complete configuration with pwebstats for traffic
> analysis and reporting, apache, qmail, and all of the tools you actually
> need on the server is less than 20 MB.  Be sure to set up a separate and
> large partition for log files.

I am not really sure that buffer overflows are not possible
with bind. I would suggest being very careful. I will test it right
now.

By the way - I've found LINUX to be very stable and safe, if you invest
some time to harden the system.
 
cu, Guido Stepken
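The claim above that a stripped-down gateway ends up with "only three ports open" (http, smtp and dns) is something a practitioner should verify on the running box rather than assume from the package list. The script below is an added example, not code from the thread or from either poster: it audits a socket listing against an allow-list of proto/port pairs and reports anything else bound on a non-loopback address. It assumes the modern `ss -Htulnp` output format (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process), which did not exist in 1997; the sample listing is constructed for the example, not captured from a real host. Note that the allow-list has to include udp/53 as well as tcp/53, which is easy to forget when counting "three ports".

```shell
#!/bin/sh
# Audit listening sockets against an allow-list of proto/port pairs.
# Added example (not from the original thread); assumes `ss -Htulnp` format.

# Constructed sample of `ss -Htulnp` output for a Linux gateway running
# apache (outside on :80, inside proxy on 127.0.0.1:8080), qmail and bind.
# rpcbind and syslogd are the kind of leftovers a "stripped" install forgets.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:80     0.0.0.0:* users:(("apache",pid=412,fd=4))
tcp   LISTEN 0 128 0.0.0.0:25     0.0.0.0:* users:(("qmail-smtpd",pid=520,fd=3))
tcp   LISTEN 0 5   0.0.0.0:53     0.0.0.0:* users:(("named",pid=301,fd=6))
udp   UNCONN 0 0   0.0.0.0:53     0.0.0.0:* users:(("named",pid=301,fd=5))
tcp   LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("apache",pid=480,fd=4))
tcp   LISTEN 0 128 0.0.0.0:111    0.0.0.0:* users:(("rpcbind",pid=200,fd=7))
udp   UNCONN 0 0   0.0.0.0:514    0.0.0.0:* users:(("syslogd",pid=150,fd=3))'

# The three services the thread expects, plus the UDP side of DNS.
ALLOW="tcp/80 tcp/25 tcp/53 udp/53"

# unexpected_listeners ALLOWLIST  <  ss-output
# Prints "proto/port process" for every socket bound on a non-loopback
# address whose proto/port is not in the space-separated allow-list.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NF >= 5 {
        proto = $1
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        # Loopback-only sockets are not reachable from either network.
        if (addr == "127.0.0.1" || addr == "[::1]") next
        key = proto "/" port
        if (!(key in ok)) print key " " $7
    }'
}

# On a real host replace the sample with:  ss -Htulnp | unexpected_listeners "$ALLOW"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOW"
```

Run it after every package change and at boot; an empty result is the only acceptable one for a bastion host, and each extra line (here rpcbind on tcp/111 and syslogd on udp/514) is a service to remove or bind to an internal address and firewall off.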

