[WBEL-users] Iptables Vs Cisco Pix 525

Toby Bluhm tkb9@adelphia.net
Fri, 21 May 2004 23:24:04 -0400


Bill Davidsen wrote:

> Simone wrote:
>
>> Hi list,
>> my company just bought a couple of Cisco PIX 525 firewalls. Now they are 
>> opening a new office, and at the moment buying another one is not an 
>> option. So I am going to set up a firewall using iptables on a WBEL 
>> box, and I was wondering if there's really a big difference in 
>> security between the two different solutions.
>> I know there must be a difference; I just would like to understand if 
>> having iptables is a much worse solution.
>
>
> iptables is as good as you make it. Since people, including Cisco, are 
> selling commercial firewall boxes based on iptables, I think you can 
> assume it is secure if you configure it to be.
>
> Some hints:
> - configure your INPUT policy DROP
> - make your *first* INPUT rule
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>   to avoid excess rule checking
> - set rules for INPUT using a table for each NIC
> - if rules for OUTPUT are complex use a table for that,
>   just a policy of ACCEPT may be adequate if you block INPUT correctly
> - don't forget to enable syn-cookies and forwarding
> - I suggest SNAT for all outgoing connections to avoid exposing addresses
>   if you have more than one.
> - check your NIC settings with mii-tool or ethtool
> - unless you *must* forward, drop netbios port packets, Windows drools
>   information you don't want to share.
> - ident service must work or DENY; if you DROP, it will slow outgoing
>   mail to many machines waiting for a timeout.
>
> Note that this is not a complete list, just some things I find helpful.
>

You could also try a firewalling package. Iptables is complicated (for 
me anyway) and getting it wrong could be disastrous.
I've been using shorewall - http://www.shorewall.net/. Just a bunch of 
scripts, really, that set up your iptables. The default setup is to lock 
things up tight; you then open up access as you need.

Good luck.

-- 
Toby Bluhm
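The hints Bill lists above, collected into one script as an added example that is not from the original thread or from Shorewall. The interface names, the public address and the SSH-from-LAN rule are assumptions; setting DRY_RUN prints each command instead of running it, so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Constructed example: interface names and addresses are placeholders.
WAN=eth0             # assumed: NIC facing the Internet
LAN=eth1             # assumed: NIC facing the office LAN
WAN_IP=203.0.113.10  # assumed: documentation address, replace with yours
IPT=iptables

# With DRY_RUN set, print each command instead of executing it so the
# resulting ruleset can be reviewed (and tested) without touching the kernel.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

firewall_rules() {
    # Kernel settings: SYN cookies and forwarding between the NICs.
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.ip_forward=1
    # Clean slate, then default-deny on INPUT and FORWARD; OUTPUT stays open.
    run $IPT -F; run $IPT -X; run $IPT -t nat -F
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT
    # First INPUT rule: replies are accepted without walking the rest.
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A INPUT -i lo -j ACCEPT
    # ident (113): reject with a reset instead of dropping, so remote mail
    # servers doing an ident lookup fail fast rather than waiting for a timeout.
    run $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # One user-defined chain per NIC keeps per-interface policy readable.
    for nic in $WAN $LAN; do
        run $IPT -N "in_$nic"
        run $IPT -A INPUT -i "$nic" -j "in_$nic"
    done
    # Inbound to the box: SSH from the LAN only (assumed); nothing from the WAN.
    run $IPT -A "in_$LAN" -p tcp --dport 22 -j ACCEPT
    # Drop NetBIOS (137-139) before any forward rule, unless it must be forwarded.
    for proto in tcp udp; do
        run $IPT -A FORWARD -p $proto --dport 137:139 -j DROP
    done
    # Forward LAN-originated traffic out the WAN and let the replies back in.
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    # SNAT everything leaving on the WAN to the single public address.
    run $IPT -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $WAN_IP
}

# Apply only when explicitly asked: FW_APPLY=1 ./firewall.sh
if [ -n "$FW_APPLY" ]; then firewall_rules; fi
```

Run with `DRY_RUN=1 FW_APPLY=1 sh firewall.sh` to read the generated rules first; the order printed is the order the chains will be walked.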