
Re: could you give any idea for my firewall script?



On Wed, 08 Jun 2005 21:14:04 +1000, Paul wrote in message 
<42A6D2FC.7000402@gear.dyndns.org>:

> yuri wrote:
> > Hi all,
> > 
> > I'm makara, a student from Cambodia. I saw a lot of
> > samples about iptables; most of these samples don't
> > specify OUTPUT, and a few accept all OUTPUT by
> > default. Could you tell me why? (I think OUTPUT is the
> > most important part. It protects against viruses sending
> > something from the LAN to external.) And I hope you give me
> > any idea on my firewall script if possible; I hope
> > you tell me which lines I shouldn't use, why, and what
> > I should use. Thanks in advance. I'm new to Linux and
> > sorry for my English. :(
> 
> If you're new to Linux, start with a higher level tool, like shorewall
> or one of the user-level firewalls.  They generate the rules for you,
> and you are less likely to make silly scripting mistakes.
> 
> I think you and Ansgar are talking about different things: you're
> talking about the output chain, which is output from the firewall
> itself, and he's talking about forwarding traffic out from the LAN.  I
> think both need to be blocked.  The firewall, because it's got no
> business initiating outgoing traffic (with certain exceptions like
> obtaining patches or NTP), and the clients, because they should be
> going via a proxy.  I run a school network with about 400 nodes
> (excluding printers), and I would never allow the machines direct
> access to the Internet.

..and as a stop gap measure until you learn enough to set up proper
firewalls, you may wanna put ipcop-1.4.6 on a box, it has a web
interface, a proxy server to save bandwidth bills, and you put all your
LAN boxes on the "Green" LAN, and all your WIFI boxes (laptops etc),
on "Blue."

.."Red" is Internet.

.."Orange" is for web, mail, ftp, time etc servers and toy boxes
like honey pots and tar pits you want Internet people to see and
try to destroy.  ;o)

..if you don't know how to set up these toys or servers, you don't want
_anything_ there.  ;o)

..ipcop works in many ways like ShoreWall.  Find it at
http://ipcop.org/; the major flaw is that it is built upon the dead end
i386-only LFS instead of upon the multiple Debian platforms, so that's
on my todo list.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
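Paul's quoted point above is that the OUTPUT chain governs traffic the firewall box itself initiates, while FORWARD governs what the LAN is allowed to send out, and that both should default to DROP with narrow exceptions (patches and NTP for the box, a proxy for the clients). The script below is an added example, not from anyone in this thread: it emits an iptables-restore ruleset implementing that policy. The interface names, the proxy address and the exact allowed ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset that applies
# Paul's policy (OUTPUT = the firewall's own traffic, FORWARD = the LAN's).
# Interface names, the proxy address and the allowed ports are assumptions.
WAN=eth0                # toward the Internet (assumed name)
LAN=eth1                # toward the clients (assumed name)
PROXY_IP=192.168.1.2    # constructed: the only LAN host allowed out directly

# Print the ruleset; load it with:  firewall_rules | iptables-restore
firewall_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, plus replies to connections already allowed below.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OUTPUT: the firewall itself only initiates DNS, NTP and patch downloads.
-A OUTPUT -o $WAN -p udp -m multiport --dports 53,123 -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o $WAN -j LOG --log-prefix "FW-OUT-DROP: "
# FORWARD: clients never reach the Internet directly; only the proxy does.
-A FORWARD -i $LAN -o $WAN -s $PROXY_IP -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $PROXY_IP -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: all three filter chains must default to DROP.
all_chains_drop() {
  [ "$(firewall_rules | grep -c '^:[A-Z]* DROP')" -eq 3 ]
}
```

The two LOG rules record anything that tries to leave by a path other than the allowed ones, so a LAN machine bypassing the proxy, or a process on the firewall box itself calling out, shows up in the kernel log rather than silently getting through.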
