
Re: Nice init script for firewall to force users through squid



On Mon, 07 Jul 2008, Holger Levsen wrote:

But anyway, I don't think Debian Edu should ship low level firewall scripts based on iptables. That's way too complicated and error-prone. Instead I'd suggest we use a shorewall based solution.

or "ferm"

In ferm the posted rules would look like:

# Local traffic and the accounts that may talk to the outside directly
# (the proxy itself, system daemons, root and the admins group).
table filter chain OUTPUT {
   saddr (10.0.0.0/8  192.168.0.0/16 127.0.0.1) ACCEPT;
   mod owner gid-owner (proxy daemon root admins) ACCEPT;
   mod owner uid-owner (bind www-data) ACCEPT;
}
# Everything else: log it (rate limited) and reject instead of dropping,
# so the client gets an immediate error and the reason shows up in the log.
table filter chain (OUTPUT FORWARD) {
  mod limit limit 1/minute limit-burst 10 ULOG ulog-prefix "rejected";
  proto tcp REJECT reject-with tcp-reset;
  REJECT reject-with icmp-port-unreachable;
}


I don't like DROP, and the default policy DROP is also not very nice to
admins who work remotely and try to reload their rules. Also, debugging
is a lot simpler with some logs.

ferm also knows functions and stuff like that.

--
Florian Reitmeir
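To show what "functions and stuff like that" buys you, here is the same proxy-enforcing policy written with ferm variables and a function. This is an added example, not part of Florian's mail; it assumes ferm's @def syntax, uses a daddr match (my choice) so that only traffic to the local networks, where squid is reachable, bypasses the proxy rule, and the group and user names are placeholders.

```ferm
# Added example: assumed to live in /etc/ferm/ferm.conf
# Networks where the proxy lives and accounts allowed to bypass it (placeholders).
@def $LOCAL_NETS    = (10.0.0.0/8 192.168.0.0/16 127.0.0.1);
@def $DIRECT_GROUPS = (proxy daemon root admins);
@def $DIRECT_USERS  = (bind www-data);

# Rate-limited log, then REJECT rather than DROP: the client fails fast and
# the log line says why. ULOG matches the 2008-era setup; on kernels from
# 3.17 onward use "NFLOG nflog-prefix $prefix" instead.
@def &LOG_REJECT($prefix) = {
    mod limit limit 1/minute limit-burst 10 ULOG ulog-prefix $prefix;
    proto tcp REJECT reject-with tcp-reset;
    REJECT reject-with icmp-port-unreachable;
}

table filter {
    chain OUTPUT {
        # Chain policy stays ACCEPT so a half-loaded ruleset cannot lock
        # out a remote admin; the explicit REJECT at the end does the work.
        policy ACCEPT;
        daddr $LOCAL_NETS ACCEPT;
        # Each list entry expands to its own owner-match rule.
        mod owner gid-owner $DIRECT_GROUPS ACCEPT;
        mod owner uid-owner $DIRECT_USERS ACCEPT;
        &LOG_REJECT("out-rejected");
    }
    chain FORWARD {
        policy ACCEPT;
        daddr $LOCAL_NETS ACCEPT;
        &LOG_REJECT("fwd-rejected");
    }
}
```

Run `ferm --noexec /etc/ferm/ferm.conf` to print the generated iptables commands without applying them, which is the quickest way to check what the lists expand to before touching a remote box.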

