On Thu, Feb 13, 2003 at 02:17:59PM -0500, jereme wrote:
> Let me reiterate, this is a _very_bad_ way to construct a firewall.  A
> better approach would be to tell us what services you do want to
> provide, and to whom, the number of interfaces and their connections,
> etc.
> 
> Then you set the default policy on all chains to DENY and open only
> those services you intend to provide and can secure.  This is then a
> good place to start from, there are many other layers of security to
> consider, tcpwrappers, ALGs, etc.

The problem with firewall construction is that it requires Joe
Pigeon-brained User to acquire arcane expertise in 'the reverse of
cracking'.

How do you figure out what to allow and what to deny to, say, have a
web browser, email and apt-get working, everything those tasks don't
need being blocked? How do you figure out what else you can block if
you don't mind your browser not being able to play sounds off
websites? You have to dig pretty deeply into how networking and the
applications concerned operate. The fact that such digging is possible
in Linux is great; the fact that it is necessary, not so great.

It would be very useful to have some script that would ask you what
services you intended to run, and generated scripts for iptables etc.
that ensured that only the minimum necessary services were available.
I'm figuring that such a thing is not available, because this is one
of those questions that brings responses of "hack this, tweak that" as
opposed to "apt-get piece_of_debian_magic". 

Pigeon
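
The generator Pigeon asks for, in miniature, as an added example that is not part of the thread: a shell script that takes the names of the services a client host needs (web, mail, apt, ssh) and emits an iptables rule set with a default-deny policy on every chain, loopback and reply traffic allowed, outbound DNS allowed, and only the outbound ports those services use opened. The port-to-service mapping, the assumption that the machine is a single-interface client rather than a server, and the `-m state` match are all assumptions of this example, not anything the posters wrote; jereme's DENY is the ipchains spelling, the iptables policy target is DROP.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions (not stated in the original mails):
#   - the host is a client with one interface; nothing listens for inbound
#     connections, so INPUT accepts only loopback and replies
#   - services map to their standard ports; adjust service_ports() if your
#     mail or web setup differs
# The script only PRINTS iptables commands; review them and run the output
# as root to apply.

# Map a service name to the outbound proto:port pairs it needs.
service_ports() {
    case "$1" in
        web)  echo "tcp:80 tcp:443" ;;
        mail) echo "tcp:25 tcp:587 tcp:143 tcp:993" ;;
        apt)  echo "tcp:80 tcp:443" ;;      # apt sources over http/https
        ssh)  echo "tcp:22" ;;
        *)    return 1 ;;
    esac
}

# Print a complete default-deny rule set for the given services.
# Usage: gen_firewall web mail apt > firewall.sh
gen_firewall() {
    # Base policy: flush, deny everything, allow loopback and replies,
    # allow outbound DNS lookups (nothing else works without them).
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
EOF
    # Collect the ports of every requested service; unknown names are
    # reported in a comment rather than silently opening nothing.
    all=""
    for svc in "$@"; do
        ports=$(service_ports "$svc") || { echo "# unknown service: $svc (skipped)"; continue; }
        all="$all $ports"
    done
    # Deduplicate (web and apt both need 80/443) and emit one rule per port.
    for entry in $(printf '%s\n' $all | sort -u); do
        proto=${entry%%:*}
        port=${entry#*:}
        echo "iptables -A OUTPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what the default policy drops so blocked applications can be found.
    echo "iptables -A INPUT -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A OUTPUT -j LOG --log-prefix 'fw-drop: '"
}
```

The point of the LOG rules at the end is the second half of Pigeon's question: when a browser cannot play sounds off a website, the dropped-packet log shows which port the application tried, and that port can be added to the map deliberately rather than by guesswork. Source the script (`. ./fw-gen.sh`) and call `gen_firewall web mail apt` to see the rules it would produce.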
