Re: Searching for an appropriate iptables script

also sprach Jeff Bonner <jeff@integralogic.com> [2002.02.09.0445 +0100]:
> Well, ideally I would understand everything about my firewall, yes.  And
> writing the script would certainly result in my knowing exactly what it
> does.  That having been said, I don't want to have the network in a
> state of disarray, with some things working and others not, while I try
> to figure out how things work.  This is what I already have with
> ipchains now, namely, file transfers/direct connections don't work (DCC,
> ICQ, etc).

so ask us. it sounds like you are being stopped by standard problems.

there are modules for ipchains to support DCC and ICQ and others. they
should be in /lib/modules/...

> I guess the better option is to start from scratch, and I will try that.
> But then I run into this problem:  I've gleaned a lot of helpful
> responses off this list, but I'm still wary of posting my exact ipchains
> or iptables ruleset in its entirety for anyone with a browser or mail
> client to examine for correctness.  Being the ultraconservative paranoid
> type, I think that seems tantamount to inviting an unfriendly to come
> along and poke holes in it.  I *wouldn't* mind intrusion testing, but
> only by trustworthy folks.  ;)

obscurity is not security. your firewall has to be safe no matter
whether people know the rules or not. i know your IP, so i can
basically map out the rules anyway. hackers are not stupid.

but if you don't want to post to the list, you can always make it
available to people who are actually interested in helping. PGP
encrypt it to me for instance, and you'll know to question me if you
get an attack. but you have control over who sees it.

> Last but not least, it's difficult to gauge my success (or failure)
> because I can't use a machine *outside* the firewall to run nmap
> against this setup.

i'll be happy to help. it's not next door, but it's nmap.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
"my father, a good man, told me:
'never lose your ignorance; you cannot replace it.'"
                                               -- erich maria remarque