Re: Searching for an appropriate iptables script

also sprach Jeff Bonner <jeff@integralogic.com> [2002.02.07.0916 +0100]:
> Since I offer no services (yet), the goal is to make this IP address
> invisible to port scans and other grotesques from the internet, while
> interfering as little as possible with a variety of protocols that the
> internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc).

good luck. contrary to the beliefs of people in marketing and other
proclaimed security experts and manufacturers of the infamous desktop
or personal firewall maladies, you can't make your system invisible
but by unplugging the network cable. oh yes, you *can* DROP all, but
then you might just unplug the cable anyway.

> I also experimented with FWBuilder [http://www.fwbuilder.org] which is
> available directly as a .deb package.  While it looks very capable, I'd
> essentially have to design the firewall from scratch.  Since I might
> miss something, I've ruled this out.

this is a common misunderstanding. when you miss something when
building a firewall, you disable a service. alright, maybe some form
of DoS right there, but you can fix it. if you take a pre-configured
firewall (or something like Checkpoint Firewall-1 Wizards, ::choke::),
you might also miss something - and end up allowing more traffic than
wanted.

nah, build your firewall from scratch! it's good practice and
a requirement, or else you won't understand your firewall, and an
admin who doesn't understand the firewall might also just not need
a firewall.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
first snow, then silence.
this thousand dollar screen dies
so beautifully.

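The "DROP all" remark and the build-it-from-scratch advice above, as an added example that is not from the thread or either of its authors: a minimal stateful iptables ruleset for the gateway Jeff describes (no inbound services, LAN clients hidden behind one public address). The interface names eth0 (WAN) and eth1 (LAN) and the destination ports chosen for the listed protocols are assumptions; `preview` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed layout: WAN on eth0,
# LAN on eth1. Run as root with "apply" to load the rules, or with "preview"
# to print them without touching the kernel (IPT=echo is the only difference).
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
# Assumed TCP ports for the protocols named in the thread:
# FTP, HTTP, POP3, HTTPS, IRC, AIM/ICQ, MSN, Yahoo.
CLIENT_TCP_PORTS="21 80 110 443 6667 5190 1863 5050"

apply_rules() {
  $IPT -F && $IPT -t nat -F && $IPT -X
  # Default deny on every inbound path; the box's own outbound traffic stays open.
  # DROP (rather than REJECT) sends nothing back, which is as close to "invisible"
  # as it gets: the address still exists, and the silence itself is observable.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  # Replies to connections we started, plus RELATED data channels (active FTP
  # additionally needs the ip_conntrack_ftp / nf_conntrack_ftp helper loaded).
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Packets that claim to be replies but match no tracked connection.
  $IPT -A INPUT -i "$WAN" -m state --state INVALID -j DROP
  # New outbound client connections from the LAN, one rule per listed port, plus DNS.
  for port in $CLIENT_TCP_PORTS; do
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT
  # Hide the internal machines behind the single public address.
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
  # Whatever else arrives from the WAN is logged (rate-limited) and then hits the DROP policy.
  $IPT -A INPUT -i "$WAN" -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
}

case "${1:-}" in
  apply)   apply_rules ;;
  preview) (IPT=echo; apply_rules) ;;
esac
```

Missing a rule here disables a service for an internal client, which is the failure mode the reply argues is the cheap one to notice and fix.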