*Official* Firewall settings thread - How is your firewall setup?

Chadder007

What do you use as a firewall? What settings, what software? Do you use an extra old PC lying around, install Linux on it, and let it serve as a firewall server? Anyone use just a router and its settings as a firewall? Do you lock down each and every port that you don't use on a router?
Just a thread to let others know how each of us sets up a firewall of our own.

Personally I just use the router's SPI and NAT defaults and I have ZoneAlarm installed. :)
 

Need4Speed

1. Debian + netfilter (iptables)
2. settings: too many rules to list
3. yes...compaq proliant 2500 - 200pro, 128mb 4.3 scsi
 

RhythmAddict

I use a Cisco 2500 series router w/ FW feature set....
I have it set up with ip inspects (basically stateful packet inspection) and I deny all ports with a couple of exceptions (as opposed to allowing all and denying a few). Basically, any traffic initiated from my machine (requests) is allowed to come back in the requested port, but no random request to any port can be made (unless it is explicitly permitted). That is just the brink of the settings, but I think it paints the general idea.... Of course I'm running NAT and all that jazz too...
I don't really have highly valued data on my network, it is more just a hobby type thing..
 

Nothinman

Originally posted by: RhythmAddict
I don't really have highly valued data on my network, it is more just a hobby type thing..

Sure you do, machines that could potentially be used in a DoS attack if they were taken over, that should be reason enough to protect yourself.

I have a Sun Ultra1 running Debian with netfilter. I allow a handful of ports that need to be explicitly opened (www, smtp, imaps, etc) and forwarded to internal machines (a few to my server and a few to my workstation) and the rest are just dropped.
 

DannyBoy

Originally posted by: Nothinman
I don't really have highly valued data on my network, it is more just a hobby type thing..

Sure you do, machines that could potentially be used in a DoS attack if they were taken over, that should be reason enough to protect yourself.

I have a Sun Ultra1 running Debian with netfilter. I allow a handful of ports that need to be explicitly opened (www, smtp, imaps, etc) and forwarded to internal machines (a few to my server and a few to my workstation) and the rest are just dropped.

You seem to have a high knowledge on this :p

Is there anything I could use on a p2 400 128mb ram to act as a firewall that supports a cable modem?
 

Need4Speed

Originally posted by: DannyBoy
Originally posted by: Nothinman
I don't really have highly valued data on my network, it is more just a hobby type thing..

Sure you do, machines that could potentially be used in a DoS attack if they were taken over, that should be reason enough to protect yourself.

I have a Sun Ultra1 running Debian with netfilter. I allow a handful of ports that need to be explicitly opened (www, smtp, imaps, etc) and forwarded to internal machines (a few to my server and a few to my workstation) and the rest are just dropped.

You seem to have a high knowledge on this :p

Is there anything I could use on a p2 400 128mb ram to act as a firewall that supports a cable modem?

any Linux distro...with iptables.
for newbies I'd say SmoothWall and maybe IPCop.

once you get the hang of it you can set up your own netfilter/iptables firewall.
if you feel ambitious, there are a few iptables HOWTOs out there.

might want to check out SmoothWall ... it doesn't have a GUI though
 

cmetz

DannyBoy, OpenBSD if you're a power user or a good learner, and SmoothWall/IPCop (Linux-based firewalls) if you're more of a beginner.
 

Nothinman

Originally posted by: DannyBoy
Is there anything I could use on a p2 400 128mb ram to act as a firewall that supports a cable modem?

A P2 400 is more than enough, the Ultra1 I'm using is only 167MHz and even that seems overkill except for when snort gets busy.

Pretty much anything will work as long as the cable modem works, if it's like mine and just connects via cat5 to your internal network then you can plug it into the NIC in that machine and set up NAT on that machine. Linux, OpenBSD, NetBSD, FreeBSD, even Windows all have NAT and firewall capabilities, you just have to pick one and learn how to use it properly. OpenBSD is a decent system and I really like pf, but I had some strange issues with it on the Ultra1 because sparc64 is a new arch for them and I much prefer the way Debian handles packages than any of the BSDs. It's really personal preference but you have to be careful, a misconfigured firewall can be worse than no firewall at all.
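
Added example, not part of any post in this thread: a small Python audit of `iptables-save` output that checks for the setup several posters describe (drop by default, allow return traffic statefully, open only listed ports). The sample ruleset, the interface names (`eth0` as WAN, `eth1` as LAN) and the function names are assumptions made up for illustration.

```python
import shlex

# Constructed iptables-save output (not from the thread); eth0 = WAN, eth1 = LAN.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""

def opt(rule, flag):
    """Value following an option such as -i or --dport, or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def is_stateful(rule):
    """True when the rule matches on connection state (ESTABLISHED)."""
    return any("ESTABLISHED" in tok for tok in rule)

def audit(ruleset, wan="eth0"):
    """Return (findings, open_ports) for the filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line))
    findings, open_ports = [], []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP")
        if not any(r[1] == chain and opt(r, "-j") == "ACCEPT" and is_stateful(r) for r in rules):
            findings.append(f"{chain} has no ESTABLISHED/RELATED accept rule")
    for r in rules:
        if opt(r, "-j") != "ACCEPT" or opt(r, "-i") != wan or is_stateful(r):
            continue
        if opt(r, "--dport"):  # explicitly opened port: list it for review
            open_ports.append((r[1], opt(r, "-p"), opt(r, "--dport")))
        elif opt(r, "-p") is None:  # no protocol or port match at all
            findings.append(f"{r[1]} accepts all traffic arriving on {wan}")
    return findings, open_ports

if __name__ == "__main__":
    for item in sum(audit(SAMPLE), []):
        print(item)
```

On a real firewall the input would come from `iptables-save` run as root; the list of open ports is there so each entry can be compared against what was meant to be exposed.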