Netfilter/IPtables Trade off!
Hi all,
Can anybody tell me about any trade-offs and limitations of iptables when used as a firewall? For example, it's not expected to provide authentication at the transport layer, so that can't be considered one of its limitations! Any security that a firewall at this layer is supposed to provide but iptables doesn't? Any particular limitations within its chains and rules which give attackers a way into our network? I'd appreciate any info, hints, or clear resources... Thanks in advance,
This is the home site and has lots of reading: http://www.netfilter.org/
Quote:
Of course, it would be a serious mistake to think of a firewall as being some kind of magic piece of software that makes all of the risks posed by bad guys go away. No one piece of software can do that, and if this is what you want you should be investigating what other measures you should be taking in addition to having a firewall. You might want to look at the iptables documentation at frozentux to see the range of things that iptables/netfilter can do (once configured correctly).
Netfilter is a packet firewall.
Another type of firewall looks more at the protocols. Netfilter isn't the best as an application firewall, but if that is what you want, look at squid. You might also want to look for documentation on transparent inline firewalls that will use both netfilter and contain an IDS such as Snort.
Thank you all...
But I think I was not clear in my question. Let me try to put it a better way: there are different types of firewalls besides netfilter/iptables, such as those in Windows systems, and I'm not aware of exactly how they work... What I'm asking is: if I suggest that somebody use iptables as a firewall (assuming they configure it correctly and completely!), what are the possible drawbacks of this iptables firewall? Are there any known types of attack that can, in ANY way, even with a comprehensive and carefully selected ruleset, compromise the network behind the firewall?
Here is one example of a drawback of iptables in place as a firewall: if the network grows and comes to have segmented LANs, and also in the case of having a DMZ... the complexity of iptables firewalls can increase a LOT, and in some cases it's almost impossible to handle, as I've heard! I need to think of anything else that can make iptables "not a good choice" for a firewall in my network... and this is what I'm searching for!
Any more ideas will be appreciated. Thanks,
In other words, I've also read the complaint you're describing, normally in favor of a different packet filtering firewall. But I don't agree with it.

In general, Windows end users are not prepared to configure several security products and want a 'one stop shop', and, amongst other things, this leads to an idiotically misconceived notion of what a firewall does for them. If you understand what a firewall does, and you know how to configure it correctly (and a prerequisite for that is to understand networking), then iptables/netfilter does what it does well. If you don't understand why this isn't complete protection against assorted types of malware, you have more homework to do.

To avoid this you have to get both the network structure correct and be thoughtful about how you configure the ruleset. I think that you will be able to find many examples where people did not do one or the other of these. If you structure things badly you will have problems as things grow, and since, at the time that you write the initial ruleset, you may not even anticipate that you will have a DMZ, this is unfortunately easy.
win32sux, your explanation is reasonable and it gave me a better direction to think about the whole matter...

Maybe the next step for me is to search for and study those possible attacks on iptables... and how I can minimize the possibility of them.
... and just to point out that every Linux system comes with iptables by default. You would tweak each machine's f/w to do whatever is appropriate.
You don't just set up a massively complex f/w on the gateway and hope it suffices. It won't do the job.
First of all, iptables isn't a firewall. It is a command to manipulate the netfilter rules in the kernel. Netfilter also allows plugins so that you can have some tasks be performed by programs (compiled or scripts) outside the kernel. This is often used for using DansGuardian with a database backend to use a massive blacklist. One restriction of the kernel is the amount of memory you can use. So you can't simply import a blacklist of 50,000 IP addresses. You can use a plugin, however, and offload this to a script or program that determines whether to blacklist a site.
There are programs that provide a GUI frontend to iptables that you can use to design your rules. If you want to learn about the shortcomings of firewalls, I would suggest buying the "Nmap Book". It has information on how it is sometimes possible to use certain scans that might get through a firewall. Another limitation may be hardware related. The x86 architecture has limited bandwidth. A dedicated firewall device may use hardware to do some things that are normally handled in software. But don't be surprised if such a device is also Linux based. Many Cisco devices, for example, run Linux.
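As an added illustration of three points raised in this thread (a ruleset organised per zone pair so it stays readable when a DMZ is added, stateful rules that drop the out-of-state probe packets the Nmap book discusses, and anti-spoofing on the WAN side), here is a shell script that generates an iptables-restore ruleset for a three-zone gateway. This is example code written for this page, not from the thread or the netfilter project; the interface names eth0/eth1/eth2, the subnets and the DMZ web host address are assumptions, and the SSH/HTTP/HTTPS/DNS choices are just plausible defaults.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# WAN/LAN/DMZ gateway, one user-defined chain per zone pair.
# ASSUMPTIONS: interface names, subnets and the DMZ web host are made up here.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24; DMZ_NET=10.0.0.0/24; DMZ_WEB=10.0.0.10

gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:wan-lan - [0:0]
:lan-wan - [0:0]
:wan-dmz - [0:0]
:dmz-lan - [0:0]
:lan-dmz - [0:0]
:dmz-wan - [0:0]
# Stateful baseline. A TCP packet without SYN that conntrack still classes as
# NEW (or INVALID) is a stray ACK/FIN-style probe, not a handshake: drop it.
# A stateless filter that only checks ports would let such probes through.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Anti-spoofing: internal source addresses never legitimately arrive on WAN.
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# Dispatch by zone pair. Adding a zone later means adding chains, not
# rewriting FORWARD; every pair chain ends with its own explicit DROP.
-A FORWARD -i $WAN -o $LAN -j wan-lan
-A FORWARD -i $LAN -o $WAN -j lan-wan
-A FORWARD -i $WAN -o $DMZ -j wan-dmz
-A FORWARD -i $DMZ -o $LAN -j dmz-lan
-A FORWARD -i $LAN -o $DMZ -j lan-dmz
-A FORWARD -i $DMZ -o $WAN -j dmz-wan
-A wan-lan -j DROP
-A lan-wan -j ACCEPT
-A wan-dmz -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A wan-dmz -j DROP
-A dmz-lan -j DROP
-A lan-dmz -d $DMZ_WEB -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A lan-dmz -j DROP
-A dmz-wan -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A dmz-wan -p udp --dport 53 -j ACCEPT
-A dmz-wan -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset; load it with:  sh gen_ruleset.sh | sudo iptables-restore
gen_ruleset
```

The design choice worth noting is that a compromised DMZ host gets nothing: dmz-lan is an unconditional DROP and dmz-wan only allows the outbound protocols the web host needs, so a reverse shell on an odd port does not leave. Review the generated text before loading it, and test with `iptables-restore --test` on the target machine first.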