LinuxQuestions.org > Linux - Security > iptables config - more secure than router's not configurable firewall
(http://www.linuxquestions.org/questions/linux-security-4/iptables-config-more-secure-than-routers-not-configurable-firewall-876097/)

Mr. Alex 04-20-2011 07:16 AM

iptables config - more secure than router's not configurable firewall
 
Hi everybody!
There are routers with firewalls which you cannot configure - you just use those routers and get some protection from Internet attacks. Is it possible to configure iptables on a GNU/Linux machine so that you'll get better protection than the protection you get from those kinds of routers?

Noway2 04-20-2011 08:31 AM

It is difficult to say whether or not you can get "better" protection without defining what "better" means. In terms of more secure, one would need to look at the weaknesses of these products. For example, do the products contain known exploits that would let a would-be cracker gain access to the LAN side of the network?

Speaking in terms of generalities, I think it is possible to get a more, or at least as, feature-rich solution using iptables with Linux than you can with most physical routers. I also think that, properly configured, such a solution would be at least as secure as these products.

I recently asked a similar question on my local LUG's mailing list as I have been considering getting an ASA5505 for my network to use in combination with iptables on the servers. The overwhelming response I received was to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.
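As an added illustration of what "properly configured" can mean here (this is example code, not Noway2's or the thread's own), the function below emits a stateful, default-deny iptables ruleset in iptables-restore format for a Linux box sitting between the WAN and the LAN: replies to LAN-initiated connections come back in, unsolicited inbound traffic is dropped and logged, WAN-side packets claiming a LAN source are discarded, and management is reachable only from the LAN. The interface names and the LAN prefix are assumptions passed in as arguments; review the output before loading it.

```shell
#!/bin/sh
# Added example (not from the thread): emit a stateful, default-deny iptables
# ruleset in iptables-restore format for a Linux box acting as the LAN gateway.
# Interface names and the LAN prefix are assumptions; pass your own.
# Usage: gen_fw_rules WAN_IF LAN_IF LAN_NET | sudo iptables-restore
gen_fw_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*filter
# Default-deny everything the box receives or forwards; allow what it originates.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Drop packets the connection tracker cannot classify (malformed, out-of-window).
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Stateful core: only replies to traffic the LAN started get back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: traffic arriving on the WAN side must not claim a LAN source.
-A INPUT -i $wan -s $net -j DROP
-A FORWARD -i $wan -s $net -j DROP
# Management (SSH) and DNS/DHCP service only from the LAN interface.
-A INPUT -i $lan -s $net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $lan -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# Let the LAN out, and log (rate-limited) whatever falls through to the DROP policy.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN clients behind the single WAN address.
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
EOF
}
```

The LOG rules sit after every ACCEPT, so only traffic about to hit the DROP policy is recorded; `iptables-restore --test` validates the output without applying it.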

sibe 04-20-2011 02:54 PM

Quote:

Originally Posted by Noway2 (Post 4330502)
... to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.

Agree.

ClearOS and other similar products like Endian Firewall or Untangle have strong advantages over a plain iptables-based firewall due to their features and manageability; from ordinary rule-based filtering to a sophisticated content filter capability, they have it all in one software package with a nice web interface to configure everything.

As pfSense came from the other world of [Open]BSD PF, this product has a slightly different implementation of its filtering technique (if you even bother to look at it under the hood), but its main attraction, IMO, is the option to have a HA, active-passive failover mode firewall using excellent CARP and pfSync to replicate its stateful filtering rules.

salasi 04-21-2011 06:13 AM

Quote:

Originally Posted by Mr. Alex (Post 4330438)
There are routers with firewalls which you cannot configure...

Well, probably the most common thing is to have some kind of firewall that you can configure (somewhat), but which doesn't offer you the options that you want...

Quote:

Originally Posted by Mr. Alex (Post 4330438)
....Is it possible to configure iptables on GNU/Linux machine so that you'll get better protection than the protection you get from those kind of routers?

@Noway2
Quote:

I recently asked a similar question on my local LUG's mailing list as I have been considering getting a ASA5505 for my network...go with either pfSense or ClearOS as I would get better performance and more features at a much lower price

An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?

In any case, you can get 'router distros' that are intended to run on ordinary, consumer, router boxes (see, e.g., Tomato, DD-WRT here) with their limited resources. The beauty of something like this is that, once having installed your linux-oid OS on your router box, you can run the OS's firewall, which gives you as many features as you could ever want. Or, at least, have the processing power to deploy successfully.

Noway2 04-21-2011 07:58 AM

Quote:

An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?

The going retail price on the ASA5505 is about $350 (USD) for up to 10 simultaneous VPN connections and about $489 for up to 50, which isn't cheap, but isn't terrible.

I am honestly more than a little bit torn between using a dedicated device and a Linux system as a firewall. On one hand, I already have two servers, a cable modem, and a Catalyst switch and I am not certain if I want to bother with maintaining a third Linux system. DD-WRT and Tomato would be good options, but I consider the residential grade hardware that you normally start with to be the limiting factor.

I had OpenVPN set up on one system and overall it works pretty well. My biggest complaint with it is that it uses what it calls pseudo DHCP in that it pulls from a list that you specify in the configuration file. Consequently, if you use dynamic-dns+dhcp, it doesn't register with the DNS and you can't do lookups by host name. I managed to get around this by creating the TAP device upon boot up, before the DHCP server, which allows the DHCP to bind to and listen on the interface, but this causes OpenVPN to not work 100%, especially with Windows clients. While it may be possible to get it to work with more tinkering, I spent months getting that working and finally "had enough". I am thinking that by going the ASA route, this may be simpler and I could use the Cisco VPN client.

One trick, or method, that I picked up watching a YouTube video on the ASA5505 is that one creates two VLANs on the switch port and defines ACL rules to work between the two VLANs. The same thing could be done on the WRT, but I think this would imply having NAT between the VLANs.
