Importance of Firewall in Linux

Gregg Bolinger
Ok, this might be a bit lengthy, so bear with me. There is some setup to this.
I am in the process of hosting my own Web Server, Mail Server, FTP Server, and whatever else I can think of from my home. I plan on running Linux everything for obvious reasons.
I have a LINKSYS router. I have disabled remote administration and PING on my router. So to the outside world, it is pretty invisible. For preliminary testing, I have set up a web server and an FTP server, both on standard ports 80 and 21. I set up port forwarding on my router so that incoming requests on those ports get forwarded to the appropriate internal address. All works beautifully.
So now I am concerning myself with security. My web site I have hosted at IMHosted does not get a lot of traffic. It's more for me and my friend to document things, but we still want it available. Anyway, I know how to handle IPTables in Linux but I am wondering if I REALLY need to do this?
Here is my thought: Linux is pretty darn secure in the sense that I don't have to worry a lot about worms and viruses. My biggest concern on my Web Server is DoS attacks. Now I know that if I am getting a DoS attack and can determine the IP range I could use IPTables to block that IP range until the attack was over. This is something I can't do with my router alone without just turning off port 80 forwarding.
But I am not sure if I want to deal with a firewall for the simple little things I am doing.
In a nutshell, how important is having a firewall in front of a LINUX backend for a home environment like I am setting up? Just looking for opinions and suggestions here.
Thanks.
[ August 29, 2003: Message edited by: Gregg Bolinger ]

Frank Carver
"I am in the process of hosting my own Web Server, Mail Server, FTP Server, and whatever else I can think of from my home. I plan on running Linux everything for obvious reasons."
I do something similar, although the web server is not really "public", as my cable provider is not as tolerant as your DSL supplier seems to be. I access the system to read my home email via a web front end while I'm on a client site behind a firewall, and so on.
Anyway. I use a specialised Linux distribution which incorporates a firewall for just this sort of application. So far it's been *much* more robust and intruder-proof than a stock RedHat system I ran at a colocation facility for a while (sad story on request).
I find that this distribution offers everything I need in a web/mail/FTP/file server without all the bloat installed by a typical "desktop" Linux distribution. I have been running e-smith happily for several years (and several versions).
Check out http://www.e-smith.org/ for the software I use. There are also some others, but I haven't tried them seriously.


Gregg Bolinger
Thanks Frank. I will look into that.
Tim Holloway
I firewall in the router, in each of the front-end LAN Linux machines AND on the NAT pass-through to the back-end LAN Windows Machines. Firewalls have been known to have bugs, but the odds of all 3 firewalls succumbing to the same bug (especially when different software is involved) are fairly low. As is the likelihood that I would have missed an exploit in all 3 sets of rules.
I suppose there's a performance penalty, but I consider it cheap insurance.


Andrew Monkhouse
I also have a router which has an inbuilt firewall and my Linux box which serves up both my girlfriend's and my web pages.
I still run the firewall on my Linux box as well as having the router's firewall. IPTables is fairly easy to set up when basically denying everything (or nearly everything) and it gives me an extra line of defence if ever the router's firewall failed.
Regards, Andrew


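Added example (not part of any post in this thread): a small shell function that prints the kind of deny-nearly-everything iptables ruleset described in the reply above, in iptables-restore format, with the temporary source-range block from the original question placed ahead of the service rules. The function name gen_ruleset, the port list and the 203.0.113.0/24 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print a default-deny filter table in iptables-restore format.
# gen_ruleset "TCP PORTS" "BLOCKED SOURCE RANGES"  (space-separated lists)
gen_ruleset() {
    ports=$1
    blocked=$2

    # Validate everything before printing, so a bad argument never yields a
    # half-written ruleset.
    for p in $ports; do
        case $p in
            *[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "invalid port: $p" >&2; return 1; }
    done
    for cidr in $blocked; do
        case $cidr in
            *[!0-9./]*) echo "invalid range: $cidr" >&2; return 1 ;;
        esac
    done

    echo "*filter"
    # Default policy: drop inbound and forwarded packets that no rule accepts.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Blocked ranges come first so they win over the service rules below.
    for cidr in $blocked; do
        echo "-A INPUT -s $cidr -j DROP"
    done
    # Loopback, and packets belonging to connections already being tracked.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One rule per published service; only new TCP connections to that port.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Constructed sample: the web and FTP ports from the thread, plus an RFC 5737
# documentation range standing in for the source of a flood.
gen_ruleset "80 21" "203.0.113.0/24"
```

Review the printed rules, then load them as root with iptables-restore. FTP data connections also depend on the connection-tracking FTP helper, which this example does not configure.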
Hung Tang
You might also want to check out ClarkConnect. Awesome distro that provides many features you are looking for. It's based on Red Hat 9.0, by the way, if that means anything. The installation is so simple and provides a very friendly web-based UI for administration.
http://www.clarkconnect.org
[ September 02, 2003: Message edited by: Hung Tang ]
 