
Firewall script help



Can anyone offer some help with a firewall script?

I used firestarter (v0.8.2 from Debian woody) to generate a script for me
which, if it was doing what I wanted, would be sufficient.  (I just need a
basic firewall, not something industrial strength.)  Problem is that it's not
doing what I wanted.

Although it generates the script OK, the script doesn't do complete stealthing
of ports - particularly high-numbered ports (> 1024).  Apparently (as I found
out from a forum post) this is a known "feature" (i.e., intentional) in that
version but apparently is fixed in the 0.9.x versions.  Problem is that I
wasn't able to install 0.9 (which is in Debian sarge) onto my woody box due to
dependency probs.

I did a bit of reading up on firewall scripts and iptables and know that it's
not a complete black art, but it really is beyond my current expertise right
now to write a good firewall script, and it would take a huge investment of
time to come up to speed enough to do it properly.

I'm basically just looking for a script that does pretty standard firewall
stuff:

* stealth all (including high) ports for incoming traffic except for the few I
want to leave open for services
* do some basic anti-hacking packet filtering to defend against bad, forged,
smurfed packets, etc.

I normally prefer hardware firewalls, but since I don't have physical access
to the box, that's not an option.  Firestarter seemed like a really good
option for my situation, but I can't get it to do what I need.

Any assistance here would be greatly appreciated!  TIA!

DR
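
The two requirements listed above (drop all inbound traffic except a few service ports, and discard forged or malformed packets), as an added example that is not part of the original message or of Firestarter's output: a shell function that emits an `iptables-restore` ruleset. Ports 22 and 80 are placeholder choices, and the `state` match is assumed to be available in the kernel.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a default-drop host firewall.
# OPEN_TCP is a constructed sample list; replace it with the services you run.
OPEN_TCP="${OPEN_TCP:-22 80}"

gen_rules() {
    # $1: space-separated TCP ports to leave open. Returns non-zero on a bad port,
    # before any rule is printed, so a typo never yields a partial ruleset.
    for p in $1; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<'EOF'
*filter
# Anything not accepted below is dropped silently (no RST, no ICMP error),
# for low and high ports alike.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# A loopback source address arriving on a real interface is forged.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Packets that connection tracking cannot place in any connection.
-A INPUT -m state --state INVALID -j DROP
# Replies to connections this host opened; this keeps outbound traffic working
# even though unsolicited packets to high ports are dropped.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Impossible TCP flag combinations, and "new" TCP packets that are not a SYN.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    # One ACCEPT per service port, matching only connection-opening SYNs.
    for p in $1; do
        echo "-A INPUT -p tcp --syn --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Stand-alone use: print the ruleset for the ports in OPEN_TCP.
gen_rules "$OPEN_TCP"
```

Load the output as root with `sh script.sh | iptables-restore`. On a machine reachable only over the network, keep an existing SSH session open while testing so a mistake in the port list can be undone.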




