[WBEL-users] Iptables Vs Cisco Pix 525
Bill Davidsen
davidsen@tmr.com
Fri, 21 May 2004 11:58:23 -0400
Simone wrote:
> Hi list,
> my company just bought a couple of Cisco PIX 525 firewalls. Now they are
> opening a new office, and at the moment buying another one is not an
> option. So I am going to set up a firewall using iptables on a WBEL box,
> and I was wondering if there's really a big difference in security
> between the two different solutions.
> I know there must be a difference, I just would like to understand if having
> iptables is a much worse solution.
iptables is as good as you make it. Since people, including Cisco, are
selling commercial firewall boxes based on iptables I think you can
assume it is secure if you configure it to be.
Some hints:
- configure your INPUT policy DROP
- make your *first* INPUT rule
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  to avoid excess rule checking
- set rules for INPUT using a table for each NIC
- if rules for OUTPUT are complex use a table for that;
  just a policy of ACCEPT may be adequate if you block INPUT correctly
- don't forget to enable syn-cookies and forwarding
- I suggest SNAT for all outgoing connections to avoid exposing addresses
  if you have more than one.
- check your NIC settings with mii-tool or ethtool
- unless you *must* forward, drop netbios port packets; Windows drools
  information you don't want to share.
- ident service must work or DENY; if you DROP it, it will slow outgoing
  mail to many machines waiting for a timeout.
Note that this is not a complete list, just some things I find helpful.
--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
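The hints in the reply above, put together as one firewall script. This is an added example, not code from the post or the list; the interface names (eth0/eth1), the LAN prefix and the public address are assumed placeholders, and the per-NIC "tables" the reply mentions are implemented as user-defined chains (IN_WAN, IN_LAN), with the ident "DENY" done as REJECT with a TCP reset. The `run` wrapper prints the commands when DRY_RUN=1 so the rule set can be reviewed before it is loaded; with a DROP policy on INPUT, load it from the console or with a scheduled flush as a safety net, because one wrong rule locks you out of the box.

```sh
#!/bin/sh
# Added example: an iptables firewall following the hints in the reply above.
# Interface names, LAN prefix and public address are assumed placeholders.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-203.0.113.10}"
IPT="${IPT:-iptables}"

# run: execute a command, or with DRY_RUN=1 just print it so the rule set
# can be reviewed (and tested) without root or a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
rule() { run "$IPT" "$@"; }

sysctl_load() {
    # syn-cookies against SYN floods, and forwarding so the LAN can route out.
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.ip_forward=1
}

fw_load() {
    # Start clean: flush filter and nat, delete user chains, closed policies.
    rule -F; rule -X; rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # First INPUT rule: replies to our own connections are accepted before
    # any per-interface rules are evaluated.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP

    # One user-defined chain per NIC (what the reply calls a "table");
    # INPUT only dispatches on the incoming interface.
    rule -N IN_WAN
    rule -N IN_LAN
    rule -A INPUT -i "$WAN_IF" -j IN_WAN
    rule -A INPUT -i "$LAN_IF" -j IN_LAN

    # NetBIOS/SMB never reaches the firewall from either side.
    for chain in IN_WAN IN_LAN; do
        rule -A "$chain" -p udp --dport 137:139 -j DROP
        rule -A "$chain" -p tcp --dport 139 -j DROP
        rule -A "$chain" -p tcp --dport 445 -j DROP
    done

    # ident (113/tcp) from the Internet: REJECT with a RST rather than DROP,
    # so remote mail servers get an immediate answer instead of a timeout.
    rule -A IN_WAN -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Admin access only from the inside; everything else hits the DROP policy.
    rule -A IN_LAN -p tcp --dport 22 -j ACCEPT
    rule -A IN_LAN -p icmp -j ACCEPT

    # FORWARD: LAN may go out, replies come back, NetBIOS does not leave.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -p udp --dport 137:139 -j DROP
    rule -A FORWARD -p tcp --dport 139 -j DROP
    rule -A FORWARD -p tcp --dport 445 -j DROP
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # SNAT everything leaving the WAN side to one public address so the
    # internal addressing is not exposed.
    rule -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

nic_check() {
    # Confirm link speed/duplex on each NIC (mii-tool works as well).
    run ethtool "$WAN_IF"
    run ethtool "$LAN_IF"
}

# Usage: ./fw.sh show   (print the rules)    ./fw.sh load   (apply, as root)
case "${1:-}" in
    show) DRY_RUN=1; sysctl_load; fw_load; nic_check ;;
    load) sysctl_load; fw_load; nic_check ;;
esac
```

Run `./fw.sh show` first and read the printed rules top to bottom: the state rule must be the first `-A INPUT` line, the NetBIOS drops must come before any ACCEPT in the FORWARD chain, and the SNAT rule must name the right outgoing interface, otherwise internal addresses leak as soon as forwarding is switched on.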