iptables config - more secure than router's not configurable firewall
Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Hi everybody!
There are routers with firewalls which you cannot configure - you just use those routers and get some protection from Internet attacks. Is it possible to configure iptables on a GNU/Linux machine so that you'll get better protection than the protection you get from those kinds of routers?
It is difficult to say whether or not you can get "better" protection without defining what "better" means. In terms of more secure, one would need to look at the weaknesses of these products. For example, do the products contain known exploits that would let a would-be cracker gain access to the LAN side of the network?
Speaking in terms of generalities, I think it is possible to get a more, or at least as, feature-rich solution using iptables with Linux than you can with most physical routers. I also think that, properly configured, such a solution would be at least as secure as these products.
I recently asked a similar question on my local LUG's mailing list as I have been considering getting an ASA5505 for my network to use in combination with iptables on the servers. The overwhelming response I received was to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.
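As an added illustration of what "properly configured" means for a Linux gateway (example code, not from anyone in this thread): a stateful, default-deny ruleset in iptables-restore format, with anti-spoofing and rate-limited logging. The interface names, the LAN subnet and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful, default-deny ruleset for a
# two-interface GNU/Linux gateway. WAN_IF/LAN_IF/LAN_NET are assumed values (override via env).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# gen_ruleset prints the ruleset; review it, then apply with: gen_ruleset | iptables-restore
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: only replies to connections the box or the LAN opened get through.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (malformed, out-of-window) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Management only from loopback and the LAN side; no new connection from the WAN reaches INPUT.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# Anti-spoofing: LAN source addresses must not arrive on the WAN interface.
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# New connections are forwarded only from the LAN out to the WAN.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited logging of what is about to hit the DROP policy.
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN interface.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# policy_of CHAIN prints the default policy the filter table sets for CHAIN.
policy_of() {
  gen_ruleset | awk -v chain=":$1" '/^\*/ { table = $0 } table == "*filter" && $1 == chain { print $2 }'
}
```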
Quote:
... to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.
Agree.
ClearOS and other similar products like Endian Firewall or Untangle have strong advantages over a plain iptables-based firewall due to their features and manageability; from ordinary rule-based filtering to a sophisticated content-filter capability, they have it all in one software package with a nice web interface to configure everything.
As pfSense came from the other world of [Open]BSD PF, this product has a slightly different implementation of its filtering technique (if you even bother to look at it under the hood), but its main attraction, IMO, is the option to have an HA, active-passive failover-mode firewall using the excellent CARP and pfsync to replicate its stateful filtering rules.
Quote:
There are routers with firewalls which you cannot configure...
Well, probably the most common thing is to have some kind of firewall that you can configure (somewhat), but which doesn't offer you the options that you want...
Quote:
Originally Posted by Mr. Alex
....Is it possible to configure iptables on GNU/Linux machine so that you'll get better protection than the protection you get from those kind of routers?
@Noway2
Quote:
I recently asked a similar question on my local LUG's mailing list as I have been considering getting a ASA5505 for my network...go with either pfSense or ClearOS as I would get better performance and more features at a much lower price
An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?
In any case, you can get 'router distros' that are intended to run on ordinary, consumer router boxes (see, e.g., Tomato and DD-WRT here) with their limited resources. The beauty of something like this is that, once having installed your linux-oid OS on your router box, you can run the OS's firewall, which gives you as many features as you could ever want. Or, at least, as many as you have the processing power to deploy successfully.
Quote:
An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?
The going retail price on the ASA5505 is about $350 (USD) for up to 10 simultaneous VPN connections and about $489 for up to 50, which isn't cheap, but isn't terrible.
I am honestly more than a little bit torn between using a dedicated device and a Linux system as a firewall. On one hand, I already have two servers, a cable modem, and a Catalyst switch and I am not certain if I want to bother with maintaining a 3rd Linux system. DD-WRT and Tomato would be good options, but I consider the residential grade hardware that you normally start with to be the limiting factor.
I had OpenVPN set up on one system and overall it works pretty well. My biggest complaint with it is that it uses what it calls pseudo-DHCP, in that it pulls from a list that you specify in the configuration file. Consequently, if you use dynamic DNS + DHCP, it doesn't register with the DNS and you can't do lookups by host name. I managed to get around this by creating the TAP device upon boot up, before the DHCP server, which allows the DHCP server to bind to and listen on the interface, but this causes OpenVPN to not work 100%, especially with Windows clients. While it may be possible to get it to work with more tinkering, I spent months getting that working and finally "had enough". I am thinking that by going the ASA route, this may be simpler and I could use the Cisco VPN client.
One trick, or method, that I picked up watching a YouTube video on the ASA5505 is that one creates two VLANs on the switch port and defines ACL rules to work between the two VLANs. The same thing could be done on the WRT, but I think this would imply having NAT between the VLANs.