RE: Searching for an appropriate iptables script
On 8 Feb 2002 01:51 PM, martin f krafft wrote:
>> I also experimented with FWBuilder [http://www.fwbuilder.org]
>> which is available directly as a .deb package. While it looks
>> very capable, I'd essentially have to design the firewall from
>> scratch. Since I might miss something, I've ruled this out.
> nah, build your firewall from scratch! it's good practice and
> a requirement, or else you won't understand your firewall, and
> an admin who doesn't understand the firewall might also just
> not need a firewall.
Well, ideally I would understand everything about my firewall, yes. And
writing the script would certainly result in my knowing exactly what it
does. That having been said, I don't want to have the network in a
state of disarray, with some things working and others not, while I try
to figure out how things work. This is what I already have with
ipchains now, namely, file transfers/direct connections don't work (DCC,
ICQ, etc).
I guess the better option is to start from scratch, and I will try that.
But then I run into this problem: I've gleaned a lot of helpful
responses off this list, but I'm still wary of posting my exact ipchains
or iptables ruleset in its entirety for anyone with a browser or mail
client to examine for correctness. Being the ultraconservative paranoid
type, I think that seems tantamount to inviting an unfriendly to come
along and poke holes in it. I *wouldn't* mind intrusion testing, but
only by trustworthy folks. ;)
Last but not least, it's difficult to gauge my success (or failure)
because I can't use a machine *outside* the firewall to run nmap against
this setup. Yes, I do have another system with Linux, but it's not
located right next to this one, where I could immediately make changes
and observe results. Perhaps in the near future I can run a dial-up for
that purpose, though.
Jeff Bonner