Kurt Seifried, [email protected]
A 100+ slide presentation on securing Linux now available in HTML format for free.
Linux Firewalling and Port Behavior
I'm feeling clever today. I rebuilt my gateway server, and decided to go gung-ho when it came to firewalling - a default deny policy for input, output and forward chains. Needless to say, this breaks a lot of things. Well, it breaks basically everything, until you start putting in rules to allow packets through. Using a default deny policy in Linux is tricky because the firewall in kernel 2.2 is not stateful. (It is stateful in 2.4, but that is still in a test series and several months off from release.) With a stateful firewall you can make simple rules: "If you see an outgoing connection, let the incoming packets associated with it through." If your firewall is not stateful, you will have to create many rules to allow services to work for clients. This can be annoying if you really want to lock your firewall down. Here's what it comes down to: Creating a really tight firewall in Linux is a pain.
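To make the stateless-versus-stateful difference concrete, here is an added example (not from the original article) that emits the rule set a default-deny gateway would need under 2.2 ipchains so its own DNS and web client traffic still works, beside the 2.4 iptables equivalent. The interface name and the 192.0.2.1 gateway address are constructed placeholders; the script only prints the commands so it can be reviewed offline.

```shell
#!/bin/sh
# Added example, not the article's own configuration.
EXT_IF="eth0"        # assumption: external interface of the gateway
GW_IP="192.0.2.1"    # assumption: documentation address for the gateway

# Kernel 2.2 (ipchains) has no state table, so every reply path must be
# opened by hand. Pipe the output through 'sh' on the gateway to apply.
ipchains_rules() {
    # Default deny on all three built-in chains.
    echo "ipchains -P input DENY"
    echo "ipchains -P output DENY"
    echo "ipchains -P forward DENY"
    # Loopback must be allowed or local services stop talking to each other.
    echo "ipchains -A input  -i lo -j ACCEPT"
    echo "ipchains -A output -i lo -j ACCEPT"
    # Outgoing DNS queries from unprivileged source ports...
    echo "ipchains -A output -i $EXT_IF -p udp -s $GW_IP 1024:65535 -d 0/0 53 -j ACCEPT"
    # ...and, with no state, the replies need their own hole: UDP from
    # port 53 back to the whole high-port range.
    echo "ipchains -A input  -i $EXT_IF -p udp -s 0/0 53 -d $GW_IP 1024:65535 -j ACCEPT"
    # Outgoing HTTP; the reply rule uses '! -y' so only non-SYN packets
    # (not new inbound connections) are accepted on the high ports.
    echo "ipchains -A output -i $EXT_IF -p tcp -s $GW_IP 1024:65535 -d 0/0 80 -j ACCEPT"
    echo "ipchains -A input  -i $EXT_IF -p tcp ! -y -s 0/0 80 -d $GW_IP 1024:65535 -j ACCEPT"
}

# Kernel 2.4 (iptables) with connection tracking: one rule admits replies to
# anything the gateway itself started, so no high-port holes are needed.
iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT  -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT"
}

# How many inbound ACCEPT holes does each approach punch? Takes a rule
# generator function name as its argument.
count_input_accepts() {
    "$1" | grep -ic -e ' -A input .*ACCEPT'
}
```

Adding a second client protocol costs two more ipchains rules (one out, one reply hole) but only one more iptables OUTPUT rule, which is the "many rules" problem the text describes.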
September 8, 1999
And now for the last in my three-part mini-series on Linux encryption: network encryption. We've covered the basics, and filesystem encryption; however, these systems are absolutely no good if you log into your server via telnet, and then provide the password to mount your encrypted home directory. There are also several file encryption systems that do not lend themselves well to networking, and many file sharing methods that provide no encryption at all. Encrypting the data that moves across your network is a simple and effective answer (OK, it's probably not simple, but you get the idea).
Last updated 9/10/2001
Copyright Kurt Seifried 2001