[WBEL-users] Iptables Vs Cisco Pix 525

Bill Davidsen davidsen@tmr.com
Fri, 21 May 2004 11:58:23 -0400


Simone wrote:
> Hi list,
> my company just bought a couple of Cisco PIX 525 firewalls. Now they are 
> opening a new office, and at the moment buying another one is not an 
> option. So I am going to set up a firewall using iptables on a wbel box, 
> and I was wondering if there's really a big difference in security 
> between the two different solutions.
> I know there must be a difference; I just would like to understand if having 
> iptables is a much worse solution.

iptables is as good as you make it. Since people, including Cisco, are 
selling commercial firewall boxes based on iptables, I think you can 
assume it is secure if you configure it to be.

Some hints:
- configure your INPUT policy DROP
- make your *first* INPUT rule
     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   to avoid excess rule checking
- set rules for INPUT using a table for each NIC
- if rules for OUTPUT are complex use a table for that,
   just a policy of ACCEPT may be adequate if you block INPUT correctly
- don't forget to enable syn-cookies and forwarding
- I suggest SNAT all outgoing connections to avoid exposing addresses
   if you have more than one.
- check your NIC settings with mii-tool or ethtool
- unless you *must* forward, drop netbios port packets, Windows drools
   information you don't want to share.
- ident service must work or DENY, if you DROP it will slow outgoing
   mail to many machines waiting for a timeout.

Note that this is not a complete list, just some things I find helpful.
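A ruleset that follows the hints above, as an added example rather than Bill's own script: the NIC names, the office prefix and the public address are assumptions, and the script prints the commands so they can be read over before being piped to a root shell.

```sh
#!/bin/sh
# Added example, not the poster's own script: a minimal ruleset built from
# the hints above. Prints the iptables/sysctl commands so they can be reviewed
# first, then applied with:  sh fw.sh | sh   (as root)
WAN=eth0                  # assumption: NIC facing the Internet
LAN=eth1                  # assumption: NIC facing the new office LAN
LAN_NET=192.168.10.0/24   # assumption: private prefix used in the office
PUBLIC_IP=203.0.113.5     # placeholder: the box's single public address

fw_rules() {
    # kernel knobs: syn-cookies and forwarding
    echo "sysctl -w net.ipv4.tcp_syncookies=1"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # start clean; INPUT/FORWARD default to DROP, OUTPUT to ACCEPT
    echo "iptables -F; iptables -t nat -F; iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # first INPUT rule: replies to existing flows never touch the rest
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # one chain per NIC, so each interface's policy stays readable
    for nic in $WAN $LAN; do
        echo "iptables -N in_$nic"
        echo "iptables -A INPUT -i $nic -j in_$nic"
    done
    # office side may ssh to the box; Internet side gets nothing new
    echo "iptables -A in_$LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # ident: REJECT (not DROP) so remote mail servers get an answer at once
    echo "iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # netbios/SMB: drop explicitly, inbound and forwarded, unless you must pass it
    for p in 137 138 139 445; do
        echo "iptables -A INPUT -p udp --dport $p -j DROP"
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
        echo "iptables -A FORWARD -p tcp --dport $p -j DROP"
    done
    # let office traffic out and SNAT it so internal addresses never leak
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUBLIC_IP"
}

fw_rules
```

Check the result with `iptables -L -v -n` and `iptables -t nat -L -n` after applying; the ESTABLISHED,RELATED counters should dwarf every other rule's.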

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me