Re: Starting iptables
Advanced Policy Firewall is good for the home user,
http://www.rfxnetworks.com/apf.php
It's a very simple one-file configuration with some optional perks.
Define the untrusted IF, its egress, ingress, tweaks (default values
are already sane) and such, stick it in init.d - done. I believe it now
has a semi-guided installer.
Very well documented and well suited for home use. Nowhere near as
capable as shorewall, but I think that's the argument to be made for it
in that setting. The web hosting industry relies on it rather heavily
for shared web servers. It gets clunky after a few hundred rules, but
when would an average user ever have a few hundred rules? :)
HTH
-Tim
On Sun, 2006-10-22 at 09:43 -0700, John L Fjellstad wrote:
> dtutty@porchlight.ca writes:
>
> > On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> >> dtutty@porchlight.ca writes:
> >>
> >> > If you look at the number of lines of rules you make, and compare it
> >> > to the number of lines (pages!) of iptables rules it makes, you see
> >> > that shorewall is easier. Also the syntax is easier. Changes are
> >> > far easier. Besides, the shorewall book is the best book I've found
> >> > for understanding iptables.
> >>
> >> shorewall creates pages of iptables rules and that is considered a
> >> good thing? What happened to KISS?
> >>
> > Yes it is a good thing. The purpose of a firewall is to block anything
> > that you don't explicitly want through. If you don't want anything
> > don't put any 'allow' stuff. Then the default rules of deny all is in
> > effect. The issue is that there are different protocols for the same
> > service (e.g. UDP, UTP, etc). Each little pinprick you want opened
> > takes a few rules to keep it to a specific pinprick. If you did it
> > manually with fewer rules you would have a more porous firewall or you
> > wouldn't have the services you want traversing the firewall. If you
> > used too few rules you would have a screen door.
>
> Bull. How does few rules create a screen door as opposed to "pages" of
> rules? How many services do you have that you need "pages" of rules?
> How does each pinprick you open not create another entry point? How
> do fewer "pinpricks" opened create less security, while more "pinpricks"
> create more security? How is this keeping it simple?
>
> > For comparison, go to tldp and get the securing-linux manual (redhat
> > edition). It's in pdf format. That author took the same approach you
> > suggest and does everything except the base install by hand. Read the
> > section on firewall. See the pages of rules he has in his firewall
> > script. He explains it all too.
>
> I couldn't find the article you were talking about, but I did find a
> Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0. And the number of
> rules are insane. Why would you have an explicit DROP rule when you
> have a DROP policy? Where is the logging? (Yes, he has a comment about
> how he logs selected denied packages, but no logging actually occurs) Of
> course, if you want to be the "ultimate-solution", why would you want to
> keep it simple?
>
> Sigh...
>
> > The only ways I know of to KISS a firewall are ipmasq and shorewall.
> > Shorewall makes a better firewall so it makes more rules.
>
> KISS. Keep It Simple. As in as few rules as possible.
> What do you need?
>
> Take a home user. What does he need?
>
> Well, he needs to open the loopback. Rule 1.
> He wants any packages that he started to be let through (RELATED,
> ESTABLISHED). Rule 2.
> Maybe he wants to use p2p. That's a range. If you use bittorrent, you
> might have to open an additional port for the control package. That's 4 rules.
> End it with a LOG rule with rate limit.
>
> That's _five rules_. Use DROP as a policy. How is this _less_ secure than
> having "pages" of rules? How does having _fewer_ rules create more
> insecurity?
>
> --
> John L. Fjellstad
> web: http://www.fjellstad.org/ Quis custodiet ipsos custodes
>
>
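For reference, here is the five-rule home firewall John sketches above, written out as iptables commands. This is an added example, not a script from either poster, shorewall or APF. The interface name eth0, the p2p listening range 6881-6889 and the single "control" port 6969 are assumed placeholders; substitute whatever your client actually listens on. By default the script only prints the commands (dry run); it loads them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: John's five-rule home firewall as plain iptables commands.
# All port numbers and the interface name are assumed placeholders.
set -eu

IPT="${IPT:-iptables}"          # path to iptables, or e.g. IPT=echo to trace
WAN_IF="${WAN_IF:-eth0}"        # assumed untrusted (Internet-facing) interface
P2P_RANGE="${P2P_RANGE:-6881:6889}"   # assumed p2p listening range (TCP)
P2P_CTRL="${P2P_CTRL:-6969}"    # assumed extra "control" port (UDP)

# Emit the rule set as text, one command per line, so it can be reviewed,
# diffed or piped into sh. Only the "-A INPUT" lines are the five rules
# John counts; the policy and flush lines are setup.
gen_rules() {
  printf '%s\n' \
    "$IPT -P INPUT DROP" \
    "$IPT -P FORWARD DROP" \
    "$IPT -P OUTPUT ACCEPT" \
    "$IPT -F INPUT" \
    "$IPT -A INPUT -i lo -j ACCEPT" \
    "$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "$IPT -A INPUT -i $WAN_IF -p tcp --dport $P2P_RANGE -m conntrack --ctstate NEW -j ACCEPT" \
    "$IPT -A INPUT -i $WAN_IF -p udp --dport $P2P_CTRL -j ACCEPT" \
    "$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'INPUT DROP: '"
}
# Rule 1: loopback.
# Rule 2: replies to connections this host started (RELATED,ESTABLISHED).
# Rule 3: the p2p range; restricting to NEW keeps it to connection setup.
# Rule 4: the extra control port.
# Rule 5: rate-limited LOG. LOG is not a terminal target, so anything that
#         reaches it then falls through to the INPUT DROP policy. That is why
#         no explicit "-j DROP" rule is needed, which is John's point about
#         the redundant DROP rule in the tldp script.

# Execute the generated lines; requires root and a kernel with netfilter.
apply_rules() {
  gen_rules | sh -e
}

# Dry run unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
  apply_rules
else
  gen_rules
fi
```

Run it as-is to see the commands; run `APPLY=1 sh firewall.sh` as root to load them, and `iptables -S INPUT` afterwards to confirm that what is loaded is exactly the five rules. The `-m conntrack --ctstate` match is the modern spelling of the `-m state --state` match that 2006-era scripts use; both are accepted by current iptables. Note that the LOG rule only fires for packets no earlier rule accepted, so the dmesg/syslog line with the "INPUT DROP: " prefix is your record of what the policy dropped, which answers John's "where is the logging?" without adding rules.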