Well freesco looks like a good project, just by looking at their web page. They have
a nice support forum.
I will say one thing though: freesco says it supports firewalling and NAT. However,
they say they use a Linux 2.0.38 kernel with IP Masquerade. This means the firewall is
a stateless firewall, which means each packet is looked at on its own. For a
stateful firewall, packets are looked at on their own, but they are also looked at in
relation to already established connections.
Stateful firewalls are generally simpler to set up, and are a little more secure.
For instance, with ipchains (2.2.x kernel), in order to give a computer access outside
of itself, certain ports will need to be opened so the responding computer can
connect. If you want this system to be able to browse the web (port 80), this will
require rules like:
accept source me to wherever on port 80
accept source wherever on port 80 to me on port 1024-65535
deny everything else
Because most connections out of your system will pick a port > 1023, you have to allow
those ports to be open to at least some source ports. If someone were to scan you with
their scanner using port 80 as the source, they would have access to all of your ports
> 1023, if you have services (or trojans) up there. In a practical situation, you'll
likely have more source ports open than just 80. So now, depending on how
strict you want to be, your firewall rules will be more complex, allowing connections
back to 1024-65535 for many ports, and a corresponding rule for each one. The
alternative, which provides a simpler rule set, is to allow all connections back to
1024-65535. Again bad if you have something up there.
With iptables (2.4.x kernel) this can be accomplished like this:
accept source me to anywhere (or just port 80)
accept any packets that are part of an established connection
deny everything else
Now I have no ports open, yet I can connect outside, and receive the response. Even
if there are services (or trojans) on any ports: web, smtp, 31337, etc, with these
rules they can't be connected to. The only ports that can be connected to are the
ones that have been temporarily opened up as the local machine is connecting outside
of it. Packets will only be accepted from one computer on one port with the proper
TCP sequence numbers (like an ID).
With these rules, one can easily block off external traffic, and allow internal
traffic to have access to appropriate ports.
However, freesco isn't trying to be a firewall. It's a router that has some
firewalling capability. So if you want routing, it's probably the right thing for you.
If you want firewalling, you may want to use another project. The right component
for each job.
Cory
On Tue, Mar 27, 2001 at 12:47:55PM +0000, Dragon Singer wrote:
> Hi Gang,
> Have any of you looked into freesco? it's at
> http://www.freesco.org I'd appreciate it if one of you gurus would look at
> it and let me know if it's something I want to tinker with or not. I heard
> about it at www.maximumlinux.org. Freesco seems pretty similar to Coyote
> Linux, but I could be wrong.
> --
> Wayne M. Scace
> &
> Leader Dog Sequoia
>
> [EMAIL PROTECTED]
> Callsign K9DI
> LICQ# 315313
> FISTS# 4409
> QRP-L# 2313
> FPQRP-L# 217
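The two rule sets Cory compares above (the per-packet ipchains style versus the connection-tracking iptables style), modelled as an added example that is not part of the original thread: a small simulation run over constructed packets, with constructed addresses, showing that the stateless rules let an unsolicited packet from source port 80 reach a high local port, while the stateful rules only accept replies to connections the local machine opened.

```python
# Added example, not from the original mailing-list thread. Addresses are
# constructed (RFC 5737 documentation ranges); the filters are simplified
# models of the rule sets described in the reply, not real ipchains/iptables.
from dataclasses import dataclass

ME = "192.0.2.10"        # the local machine behind the firewall
WEB = "198.51.100.7"     # a web server we browse to
SCANNER = "203.0.113.5"  # an unrelated outside host probing us


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_filter(pkt: Packet) -> str:
    """ipchains-style: every packet is judged on its own (2.0/2.2 kernel model).
    Rules: allow me -> anywhere:80; allow anywhere:80 -> me:1024-65535; deny rest."""
    if pkt.src == ME and pkt.dport == 80:
        return "ACCEPT"
    if pkt.dst == ME and pkt.sport == 80 and 1024 <= pkt.dport <= 65535:
        return "ACCEPT"
    return "DENY"


class StatefulFilter:
    """iptables-style: outbound connections are remembered, and inbound packets
    are accepted only if they belong to one of them (ESTABLISHED); deny rest."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, int]] = set()  # (remote_ip, remote_port, my_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.src == ME:                      # NEW outbound: record the connection
            self.conns.add((pkt.dst, pkt.dport, pkt.sport))
            return "ACCEPT"
        if (pkt.src, pkt.sport, pkt.dport) in self.conns:
            return "ACCEPT"                    # reply to a connection we opened
        return "DROP"                          # unsolicited, even from source port 80


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return {name: (stateless verdict, stateful verdict)} for three packets."""
    sf = StatefulFilter()
    packets = [
        ("outbound", Packet(ME, 40000, WEB, 80)),        # we open a web connection
        ("reply", Packet(WEB, 80, ME, 40000)),           # the server's response
        ("probe", Packet(SCANNER, 80, ME, 31337)),       # unsolicited, sport 80
    ]
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:9s} stateless={stateless:6s} stateful={stateful}")
```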