also sprach Jeff Bonner <firstname.lastname@example.org> [2002.02.07.0916 +0100]: > Since I offer no services (yet), the goal is to make this IP address > invisible to port scans and other grotesques from the internet, while > interfering as little as possible with a variety of protocols that the > internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc). good luck. contrary to the beliefs of people in marketing and other proclaimed security experts and manufacturers of the infamous desktop or personal firewall maladies, you can't make your system invisible but by unplugging the network cable. oh yes, you *can* DROP all, but then you might just unplug the cable anyway. > I also experimented with FWBuilder [http://www.fwbuilder.org] which is > available directly as a .deb package. While it looks very capable, I'd > essentially have to design the firewall from scratch. Since I might > miss something, I've ruled this out. this is a common misunderstanding. when you miss something when building a firewall, you disable a service. alright, maybe some form of DoS right there, but you can fix it. if you take a pre-configured firewall (or something like Checkpoint Firewall-1 Wizards, ::choke::), you might also miss something - and end up allowing more traffic than wanted. nah, build your firewall from scratch! it's good practice and a requirement, or else you won't understand your firewall, and an admin who doesn't understand the firewall might also just not need a firewall. -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck first snow, then silence. this thousand dollar screen dies so beautifully.
Description: PGP signature