> Thanks Manfred,
> We don't use multicast, we just need our email server to communicate
> with email gateway and a few users to be able to access some other
> IP services.
> I'm familiar with CISCO access lists. Does Linux work the same way?
> I mean does it allow restricting particular ports, not just IP
> addresses?
Yes, ipchains can filter by ports, protocols, addresses. For TCP it
can also filter new, incoming connections (SYN=1, ACK=0).
iptables is even more capable but IMHO not quite ready for prime-time.
> I'm a little confused about the version.
The only versions that matter are the Linux kernel version (what I
referred to) and the versions of the important libraries (libc).
Distros really only differ in the decorations they add and the
security compromises they introduce.
> I can see RedHat, Mandrake, Debian, etc. I guess the question is
> which distro is better for our needs?
None of the main distros are any good for a firewall. They are
feature-driven and bloated, at least out of the box, and they also install
all sorts of things that compromise security. Try not to run any
servers on the firewall box. Certainly don't run linuxconf, sendmail
or bind. A firewall also should not have program development support
(why give tools to a cracker?) and it does not need big-time scripting
support (perl). Man pages and other docs are also not necessary.
If you need remote admin, install ssh and rsync.
Consider logging to a separate host or at least put /var on a
separate partition.
Implement a means of intrusion detection. E.g. a procedure to
periodically check binaries and config files against read-only
media. Or install tripwire.
You could look at the Linux Router Project or other single/dual floppy
Linux distros. Or install Debian on another system and just copy the
bare minimum of files over to the firewall host. If it doesn't fit
inside 10MB it is too big. ;)
A lean and mean installation is also very easy to re-install should
the need arise. Just keep a full image on a CD or ZIP disk.
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
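The procedure Manfred suggests above (periodically checking binaries and config files against a baseline kept on read-only media), worked through as an added example that is not code from the thread; it assumes sha256sum from GNU coreutils and uses a constructed throwaway tree in place of /sbin and /etc:

```shell
#!/bin/sh
# Added example, not code from the original post. Records a checksum baseline of
# binaries and config files (in real use, on read-only media) and later compares
# the live files against it. Assumes sha256sum from GNU coreutils.

# make_baseline DIR OUT : one "hash  path" line per regular file under DIR
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# check_baseline BASELINE : report changed or missing files; 0 if all match
check_baseline() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# check_new_files DIR BASELINE : report files under DIR absent from BASELINE
check_new_files() {
    known=$(mktemp)
    cut -d' ' -f3- "$2" | LC_ALL=C sort > "$known"
    new=$(find "$1" -type f | LC_ALL=C sort | comm -23 - "$known")
    rm -f "$known"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        return 1
    fi
    return 0
}

# Constructed demonstration: a throwaway tree standing in for /sbin and /etc
demo=$(mktemp -d)
mkdir -p "$demo/sbin" "$demo/etc"
printf 'ELF-stub\n' > "$demo/sbin/ipchains"
printf 'ACCEPT tcp 25\n' > "$demo/etc/fw.conf"
make_baseline "$demo" "$demo.baseline"      # keep this file on read-only media
printf 'modified\n' > "$demo/sbin/ipchains" # a changed binary should be reported
check_baseline "$demo.baseline" || echo "integrity check FAILED"
rm -rf "$demo" "$demo.baseline"
```

Run make_baseline once from a known-good install and check_baseline/check_new_files from cron; a tool that runs from the (possibly compromised) host is only as trustworthy as the media holding the baseline and the checker itself.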