
Re: Starting iptables



On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> dtutty@porchlight.ca writes:
> 
> > If you look at the number of lines of rules you make, and compare it
> > to the number of lines (pages!) of iptables rules it makes, you see
> > that shorewall is easier.  Also the syntax is easier.  Changes are
> > far easier.  Besides, the shorewall book is the best book I've found
> > for understanding iptables.  
> 
> shorewall creates pages of iptables rules and that is considered a
> good thing? What happened to KISS?
> 
Yes, it is a good thing.  The purpose of a firewall is to block anything
that you don't explicitly want through.  If you don't want anything,
don't put any 'allow' stuff.  Then the default rule of deny-all is in
effect.  The issue is that there are different protocols for the same
service (e.g. UDP, UTP, etc.).  Each little pinprick you want opened
takes a few rules to keep it to a specific pinprick.  If you did it
manually with fewer rules you would have a more porous firewall, or you
wouldn't have the services you want traversing the firewall.  If you
used too few rules you would have a screen door.

For comparison, go to tldp and get the securing-linux manual (Red Hat
edition).  It's in PDF format.  That author took the same approach you
suggest and does everything except the base install by hand.  Read the
section on firewalls.  See the pages of rules he has in his firewall
script.  He explains it all too.

The only ways I know of to KISS a firewall are ipmasq and shorewall.
Shorewall makes a better firewall so it makes more rules.

Your choice.

Doug.


