I'm replacing my current ipchains-based firewall, which serves a small
internal LAN of 3 machines, with one that runs iptables/netfilter.
Since I offer no services (yet), the goal is to make this IP address
invisible to port scans and other grotesques from the internet, while
interfering as little as possible with a variety of protocols that the
internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc.).

So, I created a new Woody installation on a 486/66 DX2 with 24MB of RAM
and 1GB of hard drive space, separated into various partitions to avoid
overflowing logs and such. Then I applied the objectives outlined in
Securing Debian [http://debian.org/doc/manuals/securing-debian-how-to/].
Next I compiled a custom kernel that has all the appropriate modules
hard-coded, to avoid the additional security risk of loadable modules.

Now I'm ready to actually create the ruleset (or chains, whatever they
are called) for the firewall. I understand the basic concepts behind
iptables/netfilter, but frankly, there are so many variables that I've
decided to start out with a pre-made firewall script, as I did with

I would like some input as to which script(s) the reader considers the
most secure vs ease of use. The one I'm leaning towards is Monmotha's

It seems to satisfy my desire for all-out security paranoia, while still
being simple to configure.

Another candidate was NARC

but its complexity is discouraging. However, if it were to offer better
security than Monmotha's script, I might be willing to take another

I also experimented with FWBuilder [http://www.fwbuilder.org] which is
available directly as a .deb package. While it looks very capable, I'd
essentially have to design the firewall from scratch. Since I might
miss something, I've ruled this out.

Thanks in advance,
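For reference, here is a minimal ruleset that meets the goals stated in the post (no inbound services, stateful replies for what the LAN starts, NAT for the internal machines). It is an added example, not part of the original message and not taken from Monmotha's script, NARC or FWBuilder. The interface names and the LAN subnet are assumptions; the rules are printed in iptables-restore(8) format so they can be read before they are loaded.

```shell
#!/bin/sh
# Added example, not from the original post or any of the scripts it names.
# Minimal stateful ruleset for a box with no public services in front of a
# small LAN. The interface names and subnet below are assumptions; override
# them in the environment (WAN_IF=ppp0 ./fw.sh) to match your machine.
WAN_IF="${WAN_IF:-eth0}"              # assumption: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # assumption: interface toward the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption: internal subnet

# gen_rules prints the ruleset in iptables-restore(8) format instead of
# calling iptables directly, so the whole policy can be reviewed at once.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the box may always talk to itself
-A INPUT -i lo -j ACCEPT
# replies to connections the firewall or the LAN opened (stateful part)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# trust the internal side, and let it out to the internet
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# unsolicited packets from the internet: log a few per minute, then DROP
# (DROP rather than REJECT, so scans see no answer at all)
-A INPUT -i $WAN_IF -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A INPUT -i $WAN_IF -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the LAN behind the firewall's own address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# check_policy CHAIN: succeeds only if the generated ruleset gives CHAIN a
# default policy of DROP, so an editing slip cannot silently open the box.
check_policy() {
    gen_rules | grep -q "^:$1 DROP "
}

# Stand-alone use: verify the default policies, then print the ruleset.
# Load it with:   gen_rules | iptables-restore
# after enabling routing:   echo 1 > /proc/sys/net/ipv4/ip_forward
check_policy INPUT && check_policy FORWARD && gen_rules
```

Two things worth knowing when running this on a 2.4 kernel like Woody's: the RELATED state only covers the data connections of FTP and IRC DCC if the ip_conntrack_ftp and ip_conntrack_irc helpers are compiled in (or loaded), which matters here because the kernel was built without module support; and the rate-limited LOG rule is what gives you a record of scans in syslog without letting a flood fill the log partition.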