Web Hosting Talk

Astaro


dutchie
02-03-2002, 09:42 AM
Has anyone ever tried the Astaro firewall?
I did a search but didn't find anything about it on these forums.
raqport.com installs it on your raq for a fee.

I have some raq's that need to be protected, but I don't know what to use.
I've read several threads about portsentry and ipchains, but don't know what to use.
I've read portsentry opens ports to the outside world (!?) and ipchains giving FTP problems.
Are there any solid firewalls that are simple to install and will secure my servers ?

I'm no linux wiz, so it needs to be safe and simple.

Thanks !!

bitserve
02-03-2002, 11:16 AM
What weird rumors.

Portsentry opens ports and ipchains causes ftp problems, hanh?

I think that you probably heard wrong.

dutchie
02-03-2002, 11:30 AM
That could probably be the case, but I read these things here, and since I know *** about them it confuses me what I SHOULD install.

dutchie
02-03-2002, 11:37 AM
Besides, PortSentry is a poor bit of software -- it binds ports and makes them seem like they are open to the outside world. Also, you can easily cause PortSentry to drop IPs into IPchains and/or hosts.deny. In 1 minute, you can drop 500 IPs into PortSentry. This type of attack is not common at the moment -- but a simple perl script can do the trick. With IP spoofing and some info, I can lock out your routers from your box -- then you're hosed.

before you make me feel even dumber ;)

Ales
02-03-2002, 10:20 PM
I have used Portsentry and I can say that it's not that bad at all.

You *could* set it up so that it opens your ports unnecessarily, but you don't need to. Even if you do, you shouldn't have anything running there, just portsentry listening. So...? No real danger. But don't do it anyway.

You *could* set it up so that it drops IPs to hosts.deny, but you don't need to. And even if you do, you can list your own routers, DNS, home IP, etc. as safe so you can't lock yourself out. But anyway, just don't set it up so.

As for ipchains causing troubles with ftp... well, I'd say that's a joke. And a good one.

Of course, don't set up ipchains so that you close tcp port 21 :D

But seriously, if you have any substantial info on that ftp troubles, do tell us what's it about...

Anyway, I'd recommend:
- shut down all services you don't need
- install a good ipchains ruleset, closing all unneeded ports
- *then* look into software such as portsentry

This way, you won't be depending on it, you'll just use it for additional info and backup protection.

Apart from portsentry, I find snort more useful. Take a closer look and try it... Bear in mind that it will burden your machine somewhat, since it looks at every packet of data. There are also good front ends for snort, such as demarc.

<edit> I almost forgot, logcheck is great too... </edit>

Good luck...

Ales

dutchie
02-04-2002, 11:31 AM
Thank you Ales.

I can't find the quote about the FTP problem but it had to do with a specific FTP program I think (not sure).

I'll take a look at snort (if I find it first :) ).

Ales
02-04-2002, 11:54 AM
Sorry for not listing URLs in my previous post. Here they are:

www.snort.org
demarc.com (front-end for snort)
psionic.com (portsentry, hostsentry, logsentry)

Logcheck has been renamed to logsentry... Good that you've asked me about URLs or I would have missed this...

davidb
02-04-2002, 12:00 PM
Ales said it pretty well. Portsentry is a great tool in my opinion. What it does is it opens ports that are regularly scanned, such as the Back Orifice port, or common trojans. It also opens up ports to software that commonly has holes but is not regularly used. You can specify what ports to open. Then when someone comes to scan your machine, bam, they are more or less locked out from using anything. My servers have acquired a nice long list of hosts to deny over the past months. It causes no danger to your system by opening those ports.

allan
02-04-2002, 12:27 PM
Originally posted by Ales

As for ipchains causing troubles with ftp... well, I'd say that's a joke. And a good one.

Of course, don't set up ipchains so that you close tcp port 21 :D

But seriously, if you have any substantial info on that ftp troubles, do tell us what's it about...


FTP runs over ports 20 and 21. There are some known problems with IPTables/Netfilter and FTP. To help users avoid these problems the nice people that developed netfilter have a special module called: ftp_conntrack. If you use that module in conjunction with netfilter you should have no problem.
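An added example, not code from the thread or from any of the projects named in it, covering both Ales's advice ("install a good ipchains ruleset, closing all unneeded ports") and allan's point about netfilter and FTP. The script prints, and does not apply, the same default-deny inbound policy in ipchains form (2.2 kernels) and in iptables form (2.4 kernels), so the two FTP approaches sit side by side: stateless ipchains can only tell a reply from a new connection by the SYN flag and needs the passive FTP data range opened by hand, whereas netfilter with the FTP connection-tracking helper (the module is actually named ip_conntrack_ftp on 2.4 kernels, which the post above calls ftp_conntrack) marks the data connections RELATED and one rule covers them. The service list, passive port range and resolver addresses are assumptions or constructed values; review the output before piping it to a root shell.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a default-deny inbound ruleset
# for one server in ipchains or iptables syntax; applies nothing itself.
# Usage (as root, after reading the output):  sh fw.sh ipchains | sh
#
# Assumptions (adjust to your box): exposed TCP services, the passive FTP
# port range configured in your ftpd, and the resolvers you query.
ALLOW_TCP="${ALLOW_TCP:-21 22 25 80 443}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"   # constructed addresses

# ipchains is stateless: a reply is recognised only by the absence of the
# SYN-only flag (! -y), and passive FTP data ports must be opened as a range.
gen_ipchains_rules() {
    echo "ipchains -F input"
    echo "ipchains -P input DENY"
    echo "ipchains -A input -i lo -j ACCEPT"
    # replies to connections this host started (including active-mode FTP
    # data, which the server originates from port 20) are non-SYN packets
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"
    for p in $ALLOW_TCP; do
        echo "ipchains -A input -p tcp -d 0/0 $p -y -j ACCEPT"
    done
    # passive-mode FTP data connections arrive on high ports: open only the
    # range the ftpd is configured to use, never the whole high range
    echo "ipchains -A input -p tcp -d 0/0 $PASV_RANGE -y -j ACCEPT"
    # UDP has no flags to inspect, so accept DNS answers from known resolvers
    for ns in $RESOLVERS; do
        echo "ipchains -A input -p udp -s $ns 53 -j ACCEPT"
    done
    echo "ipchains -A input -l -j DENY"     # log, then drop everything else
}

# netfilter tracks connections: ip_conntrack_ftp watches PORT/PASV on the
# control channel and marks the resulting data connection RELATED, so one
# state rule covers replies, active and passive FTP data, and DNS answers.
gen_iptables_rules() {
    echo "modprobe ip_conntrack_ftp"
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A INPUT -j DROP"
}

# Guard against typos in the variables: every port must be a number in
# 1..65535 and the passive range a low:high pair, so a bad value cannot
# silently turn into a rule that opens more than intended.
check_ports() {
    for p in $ALLOW_TCP; do
        case "$p" in *[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case "$PASV_RANGE" in
        *[!0-9:]*|*:*:*) return 1 ;;
        *:*) lo="${PASV_RANGE%%:*}"; hi="${PASV_RANGE##*:}"
             [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -lt "$hi" ] || return 1 ;;
        *) return 1 ;;
    esac
    return 0
}

case "${1:-}" in
    ipchains) check_ports && gen_ipchains_rules ;;
    iptables) check_ports && gen_iptables_rules ;;
esac
```

Compare the two outputs: the ipchains version needs the `50000:50100` rule and the explicit resolver rules, while the iptables version has neither, because `ESTABLISHED,RELATED` plus the ip_conntrack_ftp helper lets the kernel admit the data connection that the control channel negotiated. That difference is the "ipchains and FTP" trouble the thread is circling around.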