Is my computer safe enough if I use just iptables?

Timothy Payne tim at tmpco.com
Sat Oct 16 06:27:20 UTC 2004 

Don't laugh, OK go ahead, I set up an old P75 w/16 mb of ram on a piece
of 3/4" plywood.  My apt. is small and it fits under an end table.  All
I needed was a floppy drive and 2 nics, see www.freesco.org for an easy
firewall.  And yes I save all my old computer stuff.

Tim...


On Fri, 2004-10-15 at 07:58, Scot L. Harris wrote:
> On Fri, 2004-10-15 at 09:40, VJ wrote:
> > Scot,
> >   Thanks a lot for your advice. I am now thinking whether I should go for
> > some boxed firewall or not. I used to think Linux was secure enough. I
> > have my IPtables DROP by default and just opening the required holes
> > (HTTP and SMTP) to let these services be used from outside world. I do
> > not let my family login as root. Only I am the boss of the machine. The
> > only reason I got a bit worried was that I am using this machine as my
> > development/tinkering/playing(MythTV etc) machine + FIREWALL, with other
> > machine (XP) being used by my wife.
> > 
> >   I have tested my firewall using Sygate's online Firewall test and also
> > the same from Symantec. Both seemed to say my system was OK but then
> > suggested their own firewall software (which I dismissed as a sale
> > gimmick).
> > 
> >   I am still a bit confused, so I will do more research.
> > 
> 
> I think one of the cheap hardware firewalls would be a good idea in your
> case.  As you are doing development work you could inadvertently open
> your system up and not even realize it.
> 
> Most of these firewalls (linksys, netgear, etc) can be purchased for as
> little at $50.  You may be able to find them even cheaper on line.  You
> also get the added benefit of being able to have multiple systems on
> your local LAN share the Internet connection.
> 
> You might also look for information such as
> 
> http://linux.box.sk/newsread.php?newsid=775
> 
> which discuss how to harden a linux system.  
> 
> I don't agree with everything in that link but much of it is great
> advice.
> 
> You may also want to look at the http://www.bastille-linux.org project. 
> Not sure how up to date it is but they had some great stuff a while
> back.
> 
> The best thing to do is think of defense in depth.  Have a decent
> firewall at the front but if possible run firewalls on each system. 
> Disable unneeded or unused services.  Run tripwire or something similar
> to notify when critical files get changed.  Run chkrootkit or rkhunter
> to scan for known root kits.  Use http://grc.com to scan your external
> system.  Run virus scanning software on any windows box.  If using your
> linux box as a MTA for windows systems run clamav or one of the other
> virus scanning packages.  Keep an eye out for security issues in bugtraq
> and fedora announcement lists.  Disable telnet, ftp, use ssh and scp
> instead.  Disable root from logging in directly and restrict what users
> can log in remotely to your system.
> 
> There a lot of good resources out there.  But the best thing is to be
> really paranoid.  Because they are out to get you!  :)
> 
> 
> -- 
> Scot L. Harris
> webid at cfl.rr.com
> 
> No yak too dirty; no dumpster too hollow.

More information about the fedora-list mailing list