Re: Iptables firewall

To: debian-firewall@lists.debian.org
Subject: Re: Iptables firewall
From: Daniel Pittman <daniel@rimspace.net>
Date: Mon, 19 Jul 2004 16:20:27 +1000
Message-id: <[🔎] 87hds4v7pw.fsf@enki.rimspace.net>
References: <[🔎] 40FABD9B.80106@verizon.net> <[🔎] 87ekn8j1kn.fsf@enki.rimspace.net> <[🔎] 64872.68.121.150.231.1090215970.squirrel@webmail.humboldt.edu>

On 19 Jul 2004, jmm wrote:
>> On 19 Jul 2004, Sykotic wrote:
>>> Does anyone know where I could find like a tutorial or reference for
>>> using IPTables to build a firewall for just 1 pc? All the documents I've
>>> found mainly covered the use of IPTables for routing on a gateway
>>> machine...and really just glossed over the firewalling aspect.
>>
>> Well, most people build their security as "crunchy on the outside,
>> squishy in the middle" -- they only put a firewall on the outside.
>>
>> That said, there really isn't a great deal of difference between
>> firewalling a single machine and firewalling a network on a router.
>>
>> Packets destined to the local machine come through the 'INPUT' chain,
>> rather than the 'FORWARD' chain, but are otherwise identical.
>>
>>
>> Personally, I use the 'filehol' script, available as part of testing and
>> unstable, or at <http://firehol.sf.net/>, which is a nice wrapper over
>> iptables.
>>
>> It also has a "wizard" that will generate a template rule file that
>> allows access to the services that are already running. That can be a
>> nice head-start on getting things working.
>
> Just for simplicity, if I have Bastille and I want to try 'filehol' is it
> better to stop Bastille or I can run both of them at the same time?

That depends on what you are having Bastille do, pretty much.

It is a good idea to run only one firewall package at a time, since they
will usually ignore, and occasionally confuse, each other.

If you do try firehol after starting the Bastille firewall you will
discover that any rules it created are simply ignored, and only those
defined by firehol are used.

This isn't an intentional sabotage, though, simply a reflection of the
fact that almost every firewall tool is intended to be in sole control
of the system -- and that security is more than likely to be compromised
if that isn't the case.

That said, I have never used the Bastille package, so I can't comment on
the effect of running them both at once.

Regards,
        Daniel
-- 
As an adolescent I aspired to lasting fame, I craved factual certainty, and I
thirsted for a meaningful vision of human life -- so I became a scientist.
This is like becoming an archbishop so you can meet girls.
        -- Matt Cartmill

Reply to:

Follow-Ups:
- Re: Iptables firewall
  - From: jmm19@humboldt.edu

References:
- Iptables firewall
  - From: Sykotic <sykoticchaos@verizon.net>
- Re: Iptables firewall
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Iptables firewall
  - From: jmm19@humboldt.edu

Prev by Date: Re: Iptables firewall
Next by Date: Re: Iptables firewall
Previous by thread: Re: Iptables firewall
Next by thread: Re: Iptables firewall
Index(es):
- Date
- Thread