[lug] BLUG Meeting Summary for March 9, 2000

Wayde Allen wallen at boulder.nist.gov
Thu Mar 16 11:23:06 MST 2000



            Boulder Linux User's Group Meeting Summary
            ==========================================


Attendance: approximately 92

Synopsis:

First a plug for CLIQ <http://www.thecliq.com>.

Then Kevin Fenzi <kevin at scrye.com>, coauthor of the Linux Security Howto
<http://metalab.unc.edu/mdw/HOWTO/Security-HOWTO.html>, spoke about
firewalls.

He briefly covered various firewall architectures, nothing complicated.  The
difference between a simple firewall gateway and a full DMZ was touched on,
e.g.

    Internet -> router -> DMZ -> firewall -> lan

where your web, DNS, SMTP, etc. servers live in the DMZ, with access to the
internal LAN controlled by the firewall.

Next, the different firewall tools in Linux were discussed, including
IPFWADM, IPCHAINS and IPFILTER (for the 2.4 kernel).

IPFWADM and IPCHAINS are quite similar, see the Firewall HOWTO
<http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html>. Both of
them work entirely in the kernel (although there are ways to trick
IPCHAINS into doing limited user mode filtering), and are limited in how
they evaluate a packet. 

IPFILTER is different.  It will provide the ability to run user-mode code,
which allows specific connections to be filtered and controlled in a
stateful fashion; that seems like a good thing.  (ed: I haven't evaluated
ipfilter yet, so I don't really know).

Kevin pointed us at various resources for firewalls, including isinglass
<http://www.tummy.com/isinglass/>, nerdherd, and some others (in my
notes). 

There were various questions on proxy vs. filtering firewalls (proxies are
considered passé), and on when to use DENY vs REJECT (REJECT on internal
walls, e.g. to keep HR out of engineering, so the user gets an immediate
error instead of a hang; DENY on real, Internet-facing firewalls, so a probe
sees nothing).  There may have been some other useful questions, I'll have
to check my notes.

Lastly, someone brought in a copy of UnixWare to be raffled off, along
with a few KRUD disks and a "Linux Users Parking Only" sign from Softpro
Books.  Guess which one everyone wanted? ;-). 

Archer Sully
Linux-hacker wannabe.
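The two points from the talk that matter most in practice are the DENY vs
REJECT distinction and the difference between the stateless evaluation that
IPFWADM/IPCHAINS do and stateful connection tracking.  What follows is an
added example, not part of the meeting summary and not code from any of the
tools named above: a toy packet filter in Python with ipchains-style rules
(including the "! -y" trick of accepting any non-SYN TCP packet so that replies
to outbound connections get back in).  The networks, hosts and ports are
constructed for the example.  It shows why REJECT answers with a TCP RST or an
ICMP port-unreachable while DENY stays silent, and why the stateless "! -y"
rule lets an ACK-only probe from the Internet reach a LAN host while a stateful
filter drops it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT", "DENY" (silent drop) or "REJECT" (drop + error back)
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    syn: Optional[bool] = None   # ipchains-style "-y" (True) / "! -y" (False) match on SYN

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.syn is None or self.syn == p.syn)
        )


class Filter:
    """First matching rule wins; the chain policy applies when nothing matches."""

    def __init__(self, rules: Iterable[Rule], policy: str = "DENY", stateful: bool = False):
        self.rules: List[Rule] = list(rules)
        self.policy = policy
        self.stateful = stateful
        self.conns: Set[Tuple[str, int, str, int]] = set()  # accepted TCP connection attempts

    def evaluate(self, p: Packet) -> Tuple[str, Optional[str]]:
        # Stateful mode: a reply to a tracked connection is accepted before the
        # rule list is consulted, so no "accept any non-SYN packet" rule is needed.
        if self.stateful and p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "ACCEPT", None
        verdict = next((r.action for r in self.rules if r.matches(p)), self.policy)
        if verdict == "ACCEPT" and self.stateful and p.proto == "tcp" and p.syn:
            self.conns.add((p.src, p.sport, p.dst, p.dport))
        if verdict == "REJECT":
            # REJECT tells the sender it was refused: a TCP RST or an ICMP port-unreachable.
            return "REJECT", "tcp-reset" if p.proto == "tcp" else "icmp-port-unreachable"
        return verdict, None   # DENY drops silently; the sender only sees a timeout


# Constructed topology (hypothetical addresses): LAN behind the firewall, one web server in the DMZ.
LAN, HR, ENG, DMZ_WEB = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24", "192.0.2.10/32"

# ipchains-era stateless ruleset.  Rule 3 is the "! -y" trick: accept any non-SYN
# TCP packet to the LAN on the assumption that it must be a reply.
STATELESS_RULES = [
    Rule("REJECT", "any", src=HR, dst=ENG),          # internal wall: HR gets an error at once
    Rule("ACCEPT", "tcp", src=LAN),                  # LAN may open connections anywhere
    Rule("ACCEPT", "tcp", dst=LAN, syn=False),       # "replies" to the LAN (! -y)
    Rule("ACCEPT", "tcp", dst=DMZ_WEB, dport=80),    # public web server in the DMZ
]
# Stateful ruleset: identical, minus the "! -y" rule, since tracked replies are accepted by state.
STATEFUL_RULES = [r for r in STATELESS_RULES if r.syn is None]


def run_scenarios(f: Filter) -> Dict[str, Tuple[str, Optional[str]]]:
    """Push a few constructed packets through a filter and return each verdict."""
    results = {
        "internet_syn_to_lan": f.evaluate(Packet("203.0.113.7", "10.0.2.5", "tcp", 40000, 22, syn=True)),
        "internet_ack_to_lan": f.evaluate(Packet("203.0.113.7", "10.0.2.5", "tcp", 40000, 22, syn=False)),
        "internet_to_dmz_web": f.evaluate(Packet("203.0.113.7", "192.0.2.10", "tcp", 40000, 80, syn=True)),
        "hr_to_eng_tcp": f.evaluate(Packet("10.0.1.9", "10.0.2.5", "tcp", 50000, 22, syn=True)),
        "hr_to_eng_udp": f.evaluate(Packet("10.0.1.9", "10.0.2.5", "udp", 50000, 53)),
    }
    # A LAN host opens a web connection; the server's reply must be let back in.
    f.evaluate(Packet("10.0.2.5", "203.0.113.7", "tcp", 50000, 80, syn=True))
    results["lan_reply"] = f.evaluate(Packet("203.0.113.7", "10.0.2.5", "tcp", 80, 50000, syn=False))
    return results


if __name__ == "__main__":
    for name, flt in (("stateless", Filter(STATELESS_RULES)), ("stateful", Filter(STATEFUL_RULES, stateful=True))):
        print(name, run_scenarios(flt))
```

Both filters give the same answers for the SYN from the Internet (DENY, silent),
the DMZ web server (ACCEPT), and the HR-to-engineering wall (REJECT with a RST or
ICMP error).  They differ on the ACK-only probe to a LAN host: the stateless
filter accepts it because the "! -y" rule cannot tell a reply from a probe,
while the stateful filter drops it because no tracked connection exists.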





