
Re: Searching for an appropriate iptables script



Jeff,

I have found an incredibly simple system, that some day should be put into a Debian package. It's called "agt" and can be found at http://sourceforge.net/projects/agt/ It installs the configuration files in /boot/fw and they are very well commented as to the format required. Read them, they are not long and have a lot of useful information in them. (You can change the location of these files in the Makefile and defs.h.)
Makefile:CONF_PATH = /boot/fw    or wherever you want it.
defs.h:#define AGT_DIR "/boot/fw" make this the same as above.

If you want something that is downloaded, built, configured and running in 10 minutes with no prior knowledge of it... Some day this package might be put into a Debian package. It's just a simple no-frills firewall system for machines on cable/dsl/etc... that makes NAT configuration simple.

Hope this helps,
Loren Jordan

At 03:16 AM 02/07/2002 -0500, Jeff Bonner wrote:
I'm replacing my current ipchains-based firewall, which serves a small
internal LAN of 3 machines, with one that runs iptables/netfilter.

Since I offer no services (yet), the goal is to make this IP address
invisible to port scans and other grotesques from the internet, while
interfering as little as possible with a variety of protocols that the
internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc).

So, I created a new Woody installation on a 486/66 DX2 with 24MB of RAM
and 1GB of hard drive space, separated into various partitions to avoid
overflowing logs and such.  Then I applied the objectives outlined in
Securing Debian [http://debian.org/doc/manuals/securing-debian-how-to/].
Next I compiled a custom kernel that has all the appropriate modules
hard-coded, to avoid the additional security risk of loadable modules.

Now I'm ready to actually create the ruleset (or chains, whatever they
are called) for the firewall.  I understand the basic concepts behind
iptables/netfilter, but frankly, there are so many variables that I've
decided to start out with a pre-made firewall script, as I did with
ipchains.

I would like some input as to which script(s) the reader considers the
most secure vs ease of use.  The one I'm leaning towards is Monmotha's
[http://monmotha.mplug.org/firewall/firewall/2.3/rc.firewall-2.3.8-pre4].
It seems to satisfy my desire for all-out security paranoia, while still
being simple to configure.

Another candidate was NARC
[http://www.knowplace.org/netfilter/narc.html]
but its complexity is discouraging.  However, if it were to offer better
security than Monmotha's script, I might be willing to take another
look.

I also experimented with FWBuilder [http://www.fwbuilder.org] which is
available directly as a .deb package.  While it looks very capable, I'd
essentially have to design the firewall from scratch.  Since I might
miss something, I've ruled this out.

Thanks in advance,

Jeff Bonner



--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

--
Loren Jordan

Network Security Admin
National White Collar Crime Center
Internet Fraud Complaint Center
Phone (304)363-4312 Ext 2011

http://www.nw3c.org
http://www.ifccfbi.gov
mailto:ljordan@nw3c.org
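The kind of ruleset Jeff's requirements describe (a stateful NAT box that drops all unsolicited inbound traffic while letting the LAN initiate anything outward), as an added example that is not part of either message and not agt's or Monmotha's code. Interface names eth0 (WAN) and eth1 (LAN) and the subnet 192.168.1.0/24 are assumptions; the script only emits iptables-restore text, so it can be inspected before anything is applied.

```shell
#!/bin/sh
# Emit a minimal stateful NAT ruleset in iptables-restore format.
# Assumed names (not from the thread): WAN=eth0, LAN=eth1, LAN_NET=192.168.1.0/24.
# Apply with:  gen_ruleset eth0 eth1 192.168.1.0/24 | iptables-restore
gen_ruleset() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving on the WAN side (single dynamic IP).
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
# Default deny on INPUT and FORWARD: the box is a router, not a server.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets the connection tracker cannot place are dropped first.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Replies to sessions opened from inside are allowed back in.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open new sessions outward (IRC, HTTP, POP3, FTP, ...);
# RELATED above also admits FTP data channels when ip_conntrack_ftp is built in.
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# LAN hosts may reach the firewall itself, e.g. ssh for administration.
-A INPUT -i $lan -s $lan_net -m state --state NEW -j ACCEPT
# Unsolicited WAN traffic is logged (rate limited) and then falls to the
# DROP policy, so a scanner sees neither RST nor ICMP unreachable.
-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Count ruleset lines matching a pattern; handy for sanity checks before loading.
count_rules() { pat=$1; shift; gen_ruleset "$@" | grep -c -- "$pat"; }
```

Because the OUTPUT policy stays ACCEPT, the firewall host can still fetch updates; everything the LAN needs flows through FORWARD and the conntrack state rules rather than per-protocol port lists.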


