RE: proxy-packet filter

From: Matt Bruce (matt.bruceat_private)
Date: Wed Feb 23 2000 - 21:22:45 PST


    Well, technically, having both _still_ won't make it a firewall, but that's
    a bit of a religious argument. :)
    
    I'll use the common example of Squid and ipfwadm/ipchains. They're both free
    and come with just about every Linux distribution CD you can find.
    
    Squid uses Access Control Lists (ACLs) to control who can do what, based
    upon IP address/subnet, but it is generally intended for limiting HTTP[S]
    traffic for outbound browsing. At least, that's all I've ever seen it used
    for.
    
    ipchains (formerly ipfwadm) uses rules to control which
    IPs/subnets/ports/interfaces can send/receive packets. Things like the
    traditional firewall Anti-Spoof Rule, rules covering whether specific
    TCP/UDP/ICMP traffic can come in or go out, and the Default Rule can all be
    set up with ipchains and administered via console/telnet/ssh. If you have a
    24x7 connection to the Internet, you can append the ipchains script to your
    network script; but if you have a periodic dialup connection, you can add
    the script to your PPP dialup script.
    
    As they're free and are designed to do specific tasks, I can't really see
    why you wouldn't implement both. Couple this with sendmail relaying and you
    have a great low-cost "packet filtering Internet gateway" (commonly known as
    a "Linux firewall"). Just remember that you get what you pay for, so "great"
    is a relative term.
    
    While I do these sorts of things for my employer, I completely rebuilt and
    customised a RedHat 6.1 Linux box with Squid and ipchains last night for my
    home LAN in just under 3 hours. Who says low-end Pentiums were obsolete? :)
    
    HTH,
    
    Matt Bruce     <matt.bruceat_private>
    Security & Internet Engineer
    AlphaWest - http://www.alphawest.com.au/
    "Illegitimus non carborundum est." :)
    
    
    >-----Original Message-----
    >From: Prasanna.H.S [mailto:prassiat_private]
    >Sent: Wednesday, 23 February 2000 1:10 am
    >
    >I am currently designing a firewall in Linux. Is it necessary
    >for me to have both a proxy as well as a packet filter? Can my proxy
    >do the job of packet filtering as well?
    
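As an added illustration (not part of Matt's message or any project's code), here is an ipchains rule script of the kind he describes: default-deny policy on every chain, the anti-spoof rule, LAN-only access to the gateway's Squid port, and no new inbound TCP connections from the Internet side. The interface names, LAN range and Squid port are assumptions; `DRY_RUN=1` prints the rules instead of applying them so the set can be reviewed first.

```shell
#!/bin/sh
# Added example: ipchains rule set for a small Linux gateway running Squid.
# Interface names, LAN range and Squid port are assumed values, not from the post.
EXT_IF="${EXT_IF:-ppp0}"                # assumed Internet-facing (dialup) interface
LAN_IF="${LAN_IF:-eth0}"                # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed private LAN range
SQUID_PORT="${SQUID_PORT:-3128}"        # Squid's default listening port
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print rules, 0 = really call ipchains

# Wrapper so the rule set can be reviewed (or diffed) before it is applied.
ipc() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Emit the complete rule set in order; call this from the network script
# (or the PPP ip-up script on a dialup link) so the rules survive a reconnect.
apply_rules() {
    # Default rule: flush, then deny anything not explicitly allowed below.
    for chain in input output forward; do
        ipc -F "$chain"
        ipc -P "$chain" DENY
    done
    ipc -A input -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT

    # Anti-spoof rule: private and loopback sources must never arrive on the
    # Internet side; -l logs each hit so spoofing attempts show up in syslog.
    for net in "$LAN_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        ipc -A input -i "$EXT_IF" -s "$net" -l -j DENY
    done

    # LAN hosts may reach the gateway only on Squid's port (and ping it);
    # anything else from the LAN to the box itself is denied and logged.
    ipc -A input -i "$LAN_IF" -s "$LAN_NET" -p tcp --destination-port "$SQUID_PORT" -j ACCEPT
    ipc -A input -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT
    ipc -A input -i "$LAN_IF" -l -j DENY
    ipc -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # The gateway (Squid, DNS, sendmail) may open connections outward; no new
    # inbound TCP connection (-y matches SYN-only packets) is accepted.
    ipc -A output -i "$EXT_IF" -j ACCEPT
    ipc -A input -i "$EXT_IF" -p tcp -y -l -j DENY
    ipc -A input -i "$EXT_IF" -j ACCEPT
}

apply_rules
```

Note that ipchains is stateless: the final ACCEPT on the external interface lets replies back in, but also any non-SYN UDP/ICMP traffic, which is the usual trade-off of this generation of packet filter.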



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:01 PDT