Sometime Today, Pankaj Jangid assembled some asciibets to say:
On Mon, Oct 29, 2001 at 12:26:56AM +0530, Philip S Tellis wrote:
Alternately, OpenBSD was designed from the ground up as a secure unix, and is probably your best choice for a pure unix implementation. OpenBSD servers and firewalls are extremely secure.
You said earlier that default secure systems are sometimes very uneasy to use (for end/new users). What about OpenBSD?
Basically, distributions that are targeted at end users (non-geeks) are insecure by default. OpenBSD isn't targeted at end users; it is targeted at server/firewall administrators. Geeky end users would use it too, but not the average Windows user. The average Windows user is more likely to pick something like Red Hat or Mandrake for his switch to Linux. A default secure Red Hat system would create too many surprises for the user (at least that's the logic), although I don't see why the average user would need a telnet and ftp server running on his machine by default.
Personally, I feel that a default insecure system would be good if clearly marked as being so. That way, the admin gets to learn a lot while securing his system. Of course, they would also need to mark what exactly is insecure, but I think the Red Hat manuals have that in there.
What are discard and time (not daytime) services?
discard == network equivalent of /dev/null. Anything written to it is sent to /dev/null, nothing can be read from it.
time returns the current time of the host, and can be used to good effect in an IP spoofing attack, or attacks that utilise a timestamp for encryption (APOP is an example).
After applying proper rules in the ipfilter, will this (hosts.{allow|deny}) not make the system (I mean network access) slow without any further effect?
hosts.{allow,deny} (notice it's a comma, not a pipe) doesn't make your system too much slower. It runs in user space, so doesn't take up valuable kernel memory.
ipfilter and ipchains run in kernel space, and will actually make your machine slower depending on how many rules you have in your default chains. If you use chaining to good effect, it can help.
Besides, IPChains is best suited for a firewall where it can sit transparently, and filter traffic from one NIC to another. TCPWrappers is better suited for single hosts as it doesn't do the NAT that ip{chains,filter} do.
ipchains can also check udp and icmp messages.
Philip
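
Added example, not part of the original thread: a small audit that lists which of the services discussed above (discard, time, telnet, ftp) are still enabled in an inetd-style configuration, and whether each is launched through `tcpd`, the TCP Wrappers front end that consults hosts.allow and hosts.deny. The classic `inetd.conf` field layout, the sample file contents and the `LEGACY` list are assumptions made for illustration.

```python
# Constructed sample in the classic inetd.conf layout:
# service  socket-type  protocol  wait-flag  user  server-path  args...
SAMPLE = """\
# constructed sample, not taken from any real host
discard stream  tcp nowait  root    internal
discard dgram   udp wait    root    internal
time    stream  tcp nowait  root    internal
#daytime stream tcp nowait  root    internal
ftp     stream  tcp nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp nowait  root    /usr/sbin/in.telnetd in.telnetd
pop-3   stream  tcp nowait  root    /usr/sbin/tcpd  ipop3d
"""

# Services named in the thread plus the usual small-service siblings (assumed list).
LEGACY = {"discard", "time", "daytime", "echo", "chargen", "telnet", "ftp"}


def audit(text, legacy=LEGACY):
    """Return (line number, service, protocol, guard) for each enabled legacy service.

    guard is "internal" (built into inetd), "tcpd" (started through the
    TCP Wrappers daemon) or "unwrapped" (server started directly).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out, so the service is disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service, proto, server = fields[0], fields[2], fields[5]
        if service not in legacy:
            continue
        if server == "internal":
            guard = "internal"
        elif server.rsplit("/", 1)[-1] == "tcpd":
            guard = "tcpd"
        else:
            guard = "unwrapped"
        findings.append((lineno, service, proto, guard))
    return findings


if __name__ == "__main__":
    for lineno, service, proto, guard in audit(SAMPLE):
        print(f"line {lineno}: {service}/{proto} enabled ({guard})")
```
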