[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Searching for an appropriate iptables script

On 8 Feb 2002 01:51 PM, martin f krafft wrote:

>> I also experimented with FWBuilder [http://www.fwbuilder.org]
>> which is available directly as a .deb package.  While it looks
>> very capable, I'd essentially have to design the firewall from
>> scratch.  Since I might miss something, I've ruled this out.

> nah, build your firewall from scratch! it's good practice and
> a requirement, or else you won't understand your firewall, and
> an admin who doesn't understand the firewall might also just
> not need a firewall.

Well, ideally I would understand everything about my firewall, yes.  And
writing the script would certainly result in my knowing exactly what it
does.  That having been said, I don't want to have the network in a
state of disarray, with some things working and others not, while I try
to figure out how things work.  This is what I already have with
ipchains now, namely, file transfers/direct connections don't work (DCC,
ICQ, etc).

I guess the better option is to start from scratch, and I will try that.
But then I run into this problem:  I've gleaned a lot of helpful
responses off this list, but I'm still wary of posting my exact ipchains
or iptables ruleset in its entirely for anyone with a browser or mail
client to examine for correctness.  Being the ultraconservative paranoid
type, I think that seems tantamount to inviting an unfriendly to come
along and poke holes in it.  I *wouldn't* mind intrusion testing, but
only by trustworthy folks.  ;)

Last but not least, it's difficult to gauge my success (or failure)
because I can't use a machine *outside* the firewall to run nmap against
this setup.  Yes, I do have another system with Linux, but it's not
located right next to this one, where I could immediately make changes
and observe results.  Perhaps in the near future I can run a dial-up for
that purpose, though.

Jeff Bonner

Reply to: