Great Circle Associates Firewalls
(April 1998)

Subject: Re: Linux as a serious firewall
From: Bennett Todd <bet @ mordor . net>
Date: Wed, 15 Apr 1998 14:07:18 -0400
To: Steve Pearse <steve @ gas . co . uk>
Cc: firewalls @ greatcircle . com
In-reply-to: <3E60782BD6C5D111ADD100805F8B824E81C1 @ staines-ex01 . trading . centrica . com>; from Steve Pearse on Wed, Apr 15, 1998 at 01:14:58PM +0100
References: <3E60782BD6C5D111ADD100805F8B824E81C1 @ staines-ex01 . trading . centrica . com>

1998-04-15-13:14:58 Steve Pearse:
> What do the panel think of Linux, would you seriously use it as a
> firewall in a commercial environment ?

I think it's one of the best OSes out there today, and I'd certainly consider
it for use on a firewall.

No matter what you use, you'll strip it --- at least disabling nearly all the
daemons, if not actually deleting them off the disk, and double-checking work
with tools like strobe and nmap, as well as netstat -a. That cuts down the
open issues in host choice a great deal; what's left is how solid and
well-maintained is the IP stack, how well does the machine perform and stay
up, etc. I rate Linux quite good on all of the above.

I kinda suspect I'd be tempted to use OpenBSD instead, only because it seems
to be maybe a bit tighter, and the development team has a big focus on
security in particular. But it's a close call, and if I wanted to use hardware
that OpenBSD didn't support for whatever reason I'd happily use Linux for the

The tougher question, and the one that more clearly defines what kind of
firewall you're going to end up with, is what do you use atop the OS? Linux
has ipfw and the BSDs have ipfilter, so the per-interface packet filtering is
there either way. But for almost any interesting application you're gonna want
some daemons.

First I'd set up ssh, and strip off everything else.

Then I'd grab and configure the very latest bind. I'm enjoying using bind 8,
and the bind development people do seem to recommend it for new installations,
but whether you go for a bind 4 or a bind 8, make sure it's new enough to have
the latest batch of bugs fixed; there was a pretty scary CERT on it just
recently. In fact, given that CERT, I might be tempted to stick it on a
separate box in the DMZ....

For email I'd use qmail; it's fast, stunningly secure, and reasonably hostile
to relaying spammers. Maybe in a year I'd use VMailer....

For http the only choice I know is http-gw from the TIS fwtk. Anything else
out there strip applets?
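The post above recommends stripping a firewall host down to ssh and then double-checking the result with netstat -a (and strobe or nmap from outside). The script below is an added example, not code from the original post or from any of the tools it names: it reads netstat-style output and reports every listening socket whose port is not on an allowlist. The sample netstat text, the ALLOWED_PORTS list (ssh, plus DNS only if bind is kept on the box rather than a separate DMZ host) and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit listening sockets on a stripped-down firewall host
# against an allowlist of ports that are supposed to be open.

# Constructed sample of `netstat -an` output (Linux-style layout assumed;
# the port extraction below also copes with BSD's "*.22" form).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Ports this host is allowed to expose: ssh, and DNS only when bind
# actually lives here instead of on a separate DMZ box (assumed policy).
ALLOWED_PORTS="22 53"

# unexpected_listeners: reads netstat-style text on stdin and prints one
# "proto port" line for every listener whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # TCP sockets count only in LISTEN state; UDP lines carry no state
    # column, so every bound UDP socket is treated as a listener.
    ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
        port = $4
        sub(/.*[:.]/, "", port)   # keep only the text after the last ":" or "."
        if (!(port in ok)) print $1, port
    }' | sort -u
}

# count_unexpected: number of unexpected listeners in the constructed sample.
count_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | wc -l | tr -d ' '
}

# Stand-alone run: list the leftovers that should have been stripped.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

On a real host, pipe `netstat -an` (or `ss -lntu`) into `unexpected_listeners` instead of the sample; anything it prints is a daemon that survived the strip-down, and a scan from outside with strobe or nmap should agree with the list. In the constructed sample the leftovers are smtp on the loopback and portmapper (111) on tcp and udp.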
