
Firewall Wizards mailing list archives
Re: Linux Firewall - Bob's Experiment
From: Bob Washburne <rcwash () concentric net>
Date: Wed, 08 Aug 2001 17:35:35 -0400
"B. Scott Harroff" wrote:
OpenBSD is my preference as well. May I add it's also quite difficult (dare I say impossible) to remotely hack a firewall when it's configured as an IPless bridge (see URL).
There is no address, so you can't remotely send anything *TO* it. But packets still go through it. So you are trusting that the code is sufficiently robust not to gag on a mal-formed packet. A fairly safe assumption with OpenBSD. Also, it would have to gag only in the firewall and not in the preceding NAT which runs the same software. Possibly a good reason to run the same system? If anything gags it will be the first system.

Bob Washburne
http://www.openlysecure.org/content/html/highestsec.html

----- Original Message -----
From: "Bob Washburne" <rcwash () concentric net>
To: <rob.roberson () verizon com>
Cc: <firewall-wizards () nfr com>
Sent: Wednesday, August 08, 2001 9:04 AM
Subject: Re: [fw-wiz] Linux Firewall - Bob's Experiment

Linux is usable, but my personal preference is http://www.openbsd.org/ which is a battle hardened unix clone.

I am developing a system for my home as an experiment:

-) i486 running OpenBSD as a gateway/NAT to the Internet. Everything else other than NAT stripped off the system (can't hack what ain't there).
-) P166 running OpenBSD as a bridge/firewall/IDS between the NAT and the LAN (a bridge doesn't have an IP address. Can't hack what you can't see.)
-) LAN running whatever with non-routable IP addresses.

I am hoping that this strategy will go a long way in protecting my firewall from compromise. I have no illusions about what a firewall can and cannot do, but at least this one layer will be well protected :-)

The next phase would be to configure the NAT in such a way that it can be burned onto CD and the hard drive removed. Very difficult to hack a read-only system...

Bob Washburne

I got a linux box I would like to turn into a firewall for home... I have it set up right now with 2 nics and just using simple masquerading. I would like to go to the next step in complexity... I was looking around sourceforge and freshmeat and saw a mind boggling number of programs.. I am new to firewalls, but experienced in Linux / AIX / HPUX. Any input would be appreciated and welcomed..

Adam Graham

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards