On Fri, Nov 17, 2000 at 06:10:15PM -0600, Jason DeStefano wrote:
> I got DSL from USWaste 2 years ago and within 3 months my redhat
> 5.2 server was hacked into (via buggy NFS) due to no firewall. I used
> ipfwadm for another year and that worked fine (no need to firewall windows
> services because you can't do anything). I have my own subnet so NAT and
> proxy provided solutions I didn't want to use. I didn't want to use a 10-net
> and I didn't want to rely on the limitation of the 675 to try to make
> something work. I eventually took a separate linux box (a p133) and
> wrote my own firewall program that is completely passive on the network.
> It basically works like a 2-port switch that can filter out packets. It
> sits between the router and my hub and neither device knows the firewall
> is there because it's transparent. I also added packet queueing and
> prioritization (why stop at just firewalling). Now if someone FTPs a
> file and sucks up my bandwidth and I do a ping I get 700+ms but my
> counterstrike packets move along at <100ms (unaffected). As I need
> more features (like more complex firewalling rules) I just add the features.
> I've been using it for about 6 months now and it works great. And it's
> 100% secure. Neither NIC has a MAC address or IP address so there
> is absolutely no way for the firewall to get hacked into. Still a few quirks
> to hammer out when I get time, but nothing too serious.
> 
You didn't have to write this yourself.  It sounds to me like an Ethernet
bridge.  It can be done easily in OpenBSD by setting up the bridge0 device and
putting your filtering rules in /etc/ipf.rules.  It's one of the coolest
capabilities I've seen in OpenBSD.  Hopefully, something similar will be
implemented in the 2.4 Linux kernel.  Anyone know if Linux is already
capable of bridging like this?

Gabe

-- 
--------------------------------------------------------------------------------
Gabe Turner				       |  	   X-President,
UNIX Systems Administrator,		       | Assoc. for Computing Machinery
U of M Supercomputing Institute for	       |    University of Minnesohta
Digital Simulation and Advanced Computation    |       dopp at acm.cs.umn.edu

"Ooo-eeee-Ooooo, Killer Tofu!"	- The Beats "Killer Tofu"
--------------------------------------------------------------------------------
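An added example of the OpenBSD setup the reply above describes (a transparent bridge with the filtering in /etc/ipf.rules), applied to the NFS break-in the original poster mentions. This is not code from either poster; interface names xl0 (toward the router) and xl1 (toward the hub), the LAN prefix 192.0.2.0/24, and the brconfig flag that turns on IP filtering for bridged frames are assumptions, so check brconfig(8) and ipf(5) on your release.

```shell
#!/bin/sh
# Added example, not from the thread: a transparent bridging firewall on
# OpenBSD using bridge(4) and ipfilter.  Neither NIC carries an IP address,
# so the box has no address of its own to attack, as in the poster's setup.
# Assumed names: EXT faces the router, INT faces the hub, LAN is the
# poster's subnet (192.0.2.0/24 is a documentation range standing in for it).
EXT=xl0
INT=xl1
LAN=192.0.2.0/24

# Emit the ipfilter ruleset.  "quick" makes the first match final, so each
# interface ends with a block rule and the default is deny.  All policy is
# applied at $EXT; "keep state" on the outbound rules lets replies back in.
ipf_rules() {
    cat <<EOF
# --- traffic leaving the LAN through $EXT ---
pass out quick on $EXT proto tcp from $LAN to any flags S keep state
pass out quick on $EXT proto udp from $LAN to any keep state
pass out quick on $EXT proto icmp from $LAN to any keep state
block out quick on $EXT all
# --- traffic arriving from the router on $EXT ---
# RPC portmapper (111) and NFS (2049) are never reachable from outside.
block in quick on $EXT proto tcp from any to any port = 111
block in quick on $EXT proto udp from any to any port = 111
block in quick on $EXT proto tcp from any to any port = 2049
block in quick on $EXT proto udp from any to any port = 2049
# Anti-spoofing: nothing from outside may claim a LAN source address.
block in quick on $EXT from $LAN to any
# Services deliberately exposed to the Internet.
pass in quick on $EXT proto tcp from any to $LAN port = 22 flags S keep state
pass in quick on $EXT proto tcp from any to $LAN port = 80 flags S keep state
# Default deny for everything else coming in from the router.
block in quick on $EXT all
# --- the hub side is trusted; no policy is applied on $INT ---
pass in quick on $INT all
pass out quick on $INT all
EOF
}

# Bring the bridge up.  Run as root on the OpenBSD box; not executed here.
# For a persistent setup put "up" alone in /etc/hostname.$EXT and
# /etc/hostname.$INT (interfaces up, no address), "add xl0", "add xl1", "up"
# in /etc/hostname.bridge0, and set ipfilter=YES in /etc/rc.conf.
bridge_up() {
    ifconfig "$EXT" up
    ifconfig "$INT" up
    brconfig bridge0 add "$EXT" add "$INT" up
    # Assumed flag: enables IP filtering of frames crossing the bridge.
    brconfig bridge0 ipf
    ipf_rules > /etc/ipf.rules
    # Flush every existing rule and load the new set.
    ipf -Fa -f /etc/ipf.rules
}
```

Because the bridge has no IP stack of its own, `ipf -Fa` with a bad ruleset fails open rather than locking you out, so test new rules by loading them and then probing the NFS ports from the router side before trusting them.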