
Re: firewall for my laptop ?



On Mon, 29 Dec 2003, Derek Broughton wrote:
> On December 28, 2003 07:55 pm, Daniel Pittman wrote:
>> On Fri, 26 Dec 2003, Derek Broughton wrote:
>>
>> > For instance, I completely trust everything on my SOHO network, but
>> > don't trust my connection to the internet. I don't trust anything
>> > but my desktop machine on the client's network, but I _do_ trust
>> > their own internet firewall. So it's often important to be able to
>> > detect details of the connection.
>>
>> While I agree with this, I don't think that the best location to
>> perform this detection is as part of the firewall package itself.
> 
> Right, but some of the firewall builders one might find adequate for a
> fixed-location system don't very well react to having an interface (or
> even different network interfaces) that may come up with different IPs
> depending where you are. 

Hrm.  That wasn't my experience when I worked with a number of them, but
obviously you had a less happy time.  I found that while the rules you
could build were reasonable, the cost in time and effort to make the
"firewall builder" express what I wanted was ... more than doing it by
hand.

> So I think the choice of a firewall package for a laptop is slightly
> more limited than for a desktop machine.

I can see how your experiences would lead to that conclusion.

>> Firehol adds a lot of custom commands to bash, making firewall setup
>> trivial, but is still a shell script under it all. So, you can use
>> that to conditionally execute firewall code.
>>
>> Thanks for the feedback, though, and I will try to remember your
>> point about complexity of rule setup in future.
>
> And I will check out firehol :-) I'm using Guarddog these days, and
> it's working fairly well, but it's the first package I've found
> adequate for my laptop.

Well, 'firehol' doesn't impose any structure on you, so you can build
something that is as flexible (or inflexible) as you like, pretty much.

I am curious -- the packages that didn't cope, what were the problems
you hit?  I would like to know to better advise people in future.

I presume that the issue was, at heart, that the packages assumed that
you had a fixed IP address for the local host and then used that in a
number of places.

       Daniel

-- 
I hate the idea of causes, and if I had to choose between betraying my country
and betraying my friend, I hope I should have the guts to betray my country.
        -- E. M. Forster, _What I Believe_
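One way to do the location detection Daniel describes, as an added example that is neither from the thread nor from firehol itself: read the address the interface actually got instead of assuming a fixed one, map it to a trust profile, and let the (bash) firehol.conf branch on that. The interface name and the trusted prefixes are assumptions for illustration.

```sh
#!/bin/sh
# Added example: choose a firewall profile for a roaming laptop from the
# address currently assigned to the interface rather than a hard-coded IP.

# Trusted network prefixes (assumed values for illustration only).
HOME_LAN="192.168.1."     # the SOHO network that is fully trusted
CLIENT_LAN="10.20.30."    # a client site where only the desktop is trusted

# Print the first IPv4 address from `ip -4 -o addr show dev <if>` output
# supplied on stdin, e.g. "2: eth0  inet 192.168.1.23/24 brd ... scope global".
iface_addr() {
    sed -n 's/^.* inet \([0-9.]*\)\/.*$/\1/p' | head -n 1
}

# Map an address to a profile: "home", "client" or "untrusted".
# The quoted prefix is matched literally; the trailing * takes the host part.
classify_network() {
    case "$1" in
        "$HOME_LAN"*)   echo home ;;
        "$CLIENT_LAN"*) echo client ;;
        *)              echo untrusted ;;
    esac
}

# Convenience wrapper: `ip` output on stdin -> profile name on stdout.
# An interface with no address (still coming up) is treated as untrusted.
profile_from_addr_output() {
    addr=$(iface_addr)
    classify_network "${addr:-0.0.0.0}"
}

# Inside firehol.conf the same decision is a single case statement; firehol's
# own commands (interface, policy, server, client) only exist there, so the
# fragment is shown as a comment rather than executed here:
#   case "$(ip -4 -o addr show dev eth0 | profile_from_addr_output)" in
#     home)   interface eth0 lan;  policy accept ;;
#     client) interface eth0 site; policy drop; server ssh accept; client all accept ;;
#     *)      interface eth0 road; policy drop; client all accept ;;
#   esac
```

Because the profile is derived at firewall start, re-running the script after the interface changes address is enough; nothing in the rules refers to a fixed local IP.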