
View Full Version : What's the best utility to secure a linux box!!!
Blazing 02-07-2002, 08:05 PM Hi,
Can anyone tell me what's the best firewall utility to set up a firewall? Is ipchains the best? Or are there others out there that are better?
I need the firewall to block out all ports except the standard public ports. Suggestions????
Regards
DavidU 02-07-2002, 08:16 PM 1)
for kernel 2.2.X you'll be using IPchains
for kernel 2.4.x you'll be using IPtables unless you are one of those weirdos who still use IPchains in 2.4.x
2)
get a competent admin to look at your rules once you've written them to make sure you've set everything up right.
-davidu
priyadi 02-08-2002, 03:54 AM Kernel 2.2 uses ipchains, kernel 2.4 uses iptables or ipchains. Every other firewall builder out there uses iptables or ipchains to actually build the rules, they are just frontends to iptables or ipchains.
allan 02-08-2002, 08:12 AM Originally posted by priyadi
Every other firewall builder out there uses iptables or ipchains to actually build the rules, they are just frontends to iptables or ipchains.
I am pretty sure that statement is incorrect, AFAIK Checkpoint, PIX, and Netscreen -- just to name 3 -- do not use IPChains or IPTables to create their firewall rulesets, as they all use proprietary programs.
madsere 02-08-2002, 12:32 PM You're both wrong. No frontend uses IPchains or IPtables to build rules. They build the rules themselves and use IPchains or IPtables to enforce the security by reading the rules. Besides frontends, there are plenty of good example IPchains and IPtables config files out there to use as a template.
I've used Checkpoint on Solaris but I'm not sure if Checkpoint, PIX, or Netscreen exist for Linux. Checkpoint is the market leader and generally considered to be the "best" firewall out there.
Anyway the price for the best answer goes to DavidU for the line "get a competent admin to look at your rules once you've written them to make sure you've set everything up right".
ScottD 02-08-2002, 12:44 PM I've used Checkpoint almost exclusively, and even their Linux install works great. I am not on the up and up regarding IPTables or IPChains, but Checkpoint enables SPI (Stateful Packet Inspection) and has a very nice administration tool that verifies the rules before compiling/installing them.
I am actually interested in using IPtables/chains for my 'lesser' servers (free = much cheaper!), do they support SPI? Is there a good place to really read up on them? I've done very basic things like closing access to ports, but I'm more interested in other features that may be possible like forwarding, NAT and Static NAT, etc. Any clues?
zupanm 02-08-2002, 01:28 PM I'd run your server through Nessus's scan. It's a nice program to scan your host to see if there are any holes you need to fix.
madsere 02-08-2002, 02:38 PM DizixCom: IPTables does all that and then some.
Read all about it here: http://www.iptables.org/
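As an added example (not code posted by anyone in this thread): a default-deny ruleset of the kind Blazing asked for, written in iptables-restore format, using the state match that gives iptables the stateful packet inspection ScottD asks about. The allowed ports (22, 80, 443), the log prefix and the function names are assumptions.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy, loopback and stateful replies
# accepted, then only the listed TCP ports. Port list is an assumption.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80 443}"

# Emit the filter table in iptables-save/restore format. Everything not
# explicitly accepted below falls through to the DROP policy.
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Stateful inspection: accept packets that belong to (or are related to)
    # connections this host already opened or accepted; drop malformed state.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Only NEW connections to the public services are let in.
    for port in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of what the policy is about to drop, so the effect
    # of the ruleset is visible in syslog rather than silent.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    echo 'COMMIT'
}

# Sanity check: how many ports does the generated ruleset open?
count_open_ports() {
    build_ruleset | grep -c -- '--dport'
}

# Load the whole table atomically (needs root and the iptables package):
#   ./fw.sh apply
if [ "${1:-}" = "apply" ]; then
    build_ruleset | iptables-restore
fi
```

Run without arguments the script only generates the rules, so `./fw.sh | less` lets you review them before `apply` loads them.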
ScottD 02-08-2002, 02:47 PM Excellent, thank you.
allan 02-08-2002, 02:50 PM Originally posted by madsere
You're both wrong. No frontend uses IPchains or IPtables to build rules. They build the rules themselves and use IPchains or IPtables to enforce the security by reading the rules. Besides frontends, there are plenty of good example IPchains and IPtables config files out there to use as a template.
I've used Checkpoint on Solaris but I'm not sure if Checkpoint, PIX, or Netscreen exist for Linux. Checkpoint is the market leader and generally considered to be the "best" firewall out there.
I double-checked and neither PIX nor Netscreen uses IPTables or IPChains; they are appliances and run their own software. I am still not sure about Checkpoint, but I would imagine it doesn't use IPTables/Chains since it has to install on multiple platforms, many of which do not support IPTables/Chains (Solaris, for example, uses IPFilter to perform the same functionality as IPT and IPC).
Tim Greer 02-09-2002, 05:18 AM I find the title of the thread misleading anyway -- since there's no tool alone that will do it. However, that's not to say that certain tools don't help. I just hope it's clear that it's one of many steps. Iptables and/or Ipchains are fine tools, nothing wrong with them; I personally see no improvement or reason to use anything else, no matter what program uses them or not. I suppose some might have a more intuitive interface, but the commands are pretty simple, and there are surely GUI interfaces out there, or they'd be easy for a lot of people to create if there aren't. My vote for "best tool to secure a server" is "Knowledge", so I'd have to say "Your brain". :-)
DigitalXWeb 02-09-2002, 10:14 AM I totally agree with Tim. I would say the best tool is the server admin's knowledge. As mentioned above, I would definitely use IPChains / IPTables to aid in this process.