On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>
> > If you look at the number of lines of rules you make, and compare it
> > to the number of lines (pages!) of iptables rules it makes, you see
> > that shorewall is easier. Also the syntax is easier. Changes are
> > far easier. Besides, the shorewall book is the best book I've found
> > for understanding iptables.
>
> shorewall creates pages of iptables rules and that is considered a
> good thing? What happened to KISS?
>

Yes, it is a good thing. The purpose of a firewall is to block anything that
you don't explicitly want through. If you don't want anything through, don't
put any 'allow' stuff in. Then the default rule of deny all is in effect.

The issue is that there are different protocols for the same service (e.g.
UDP, UTP, etc.). Each little pinprick you want opened takes a few rules to
keep it to a specific pinprick. If you did it manually with fewer rules you
would have a more porous firewall, or you wouldn't have the services you want
traversing the firewall. If you used too few rules you would have a screen
door.

For comparison, go to tldp and get the securing-linux manual (Red Hat
edition). It's in PDF format. That author took the same approach you suggest
and does everything except the base install by hand. Read the section on
firewalls. See the pages of rules he has in his firewall script. He explains
it all too.

The only ways I know of to KISS a firewall are ipmasq and shorewall.
Shorewall makes a better firewall, so it makes more rules. Your choice.

Doug.
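The point made in this message, that a handful of compact "allow" lines necessarily expands into many iptables lines once you insist on default deny and on pinning each service to its exact protocols and ports, is easy to see with a small generator. The script below is an added example written for this page; it is not shorewall's code, nor anything from the thread. The zone names (net, loc, fw), the interface map, the service table and the sample policy are all constructed for the illustration, and the generated lines are only printed, never executed.

```python
"""
Added example: a miniature shorewall-style rule generator.

A policy is a list of (action, source_zone, dest_zone, service) tuples.
Zones: "net" (outside interface), "loc" (LAN interface), "fw" (the host itself).
Each policy line expands into one iptables line per (protocol, port) the
service needs, on top of a fixed default-deny skeleton.
"""
from typing import Dict, List, Tuple

# Constructed service table: same service, sometimes several protocols/ports.
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "dns":   [("udp", 53), ("tcp", 53)],   # DNS really does need both
    "ssh":   [("tcp", 22)],
    "http":  [("tcp", 80)],
    "https": [("tcp", 443)],
}

# Constructed zone -> interface map (hypothetical interface names).
IFACES: Dict[str, str] = {"net": "eth0", "loc": "eth1"}

# Constructed sample policy: five compact lines.
POLICY = [
    ("ACCEPT", "loc", "net", "dns"),
    ("ACCEPT", "loc", "net", "http"),
    ("ACCEPT", "loc", "net", "https"),
    ("ACCEPT", "loc", "fw",  "ssh"),
    ("ACCEPT", "fw",  "net", "dns"),
]


def base_rules() -> List[str]:
    """Default-deny skeleton: drop by policy, then permit only loopback and
    replies to connections that were already allowed."""
    return [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]


def expand_rule(action: str, src: str, dst: str, service: str,
                ifaces: Dict[str, str]) -> List[str]:
    """Turn one compact policy line into the iptables lines it implies.
    The zone pair picks the chain and the interface match; the service
    picks how many protocol/port 'pinpricks' are needed."""
    if src == "fw":
        chain, match = "OUTPUT", f"-o {ifaces[dst]}"
    elif dst == "fw":
        chain, match = "INPUT", f"-i {ifaces[src]}"
    else:
        chain, match = "FORWARD", f"-i {ifaces[src]} -o {ifaces[dst]}"
    lines = []
    for proto, port in SERVICES[service]:
        # Only NEW connections need a rule; replies ride on the
        # ESTABLISHED,RELATED rules in the skeleton.
        lines.append(
            f"iptables -A {chain} {match} -p {proto} --dport {port} "
            f"-m conntrack --ctstate NEW -j {action}"
        )
    return lines


def generate(policy, ifaces: Dict[str, str]) -> List[str]:
    """Full rule set: skeleton first, then every policy line expanded."""
    lines = base_rules()
    for action, src, dst, service in policy:
        lines.extend(expand_rule(action, src, dst, service, ifaces))
    return lines


if __name__ == "__main__":
    rules = generate(POLICY, IFACES)
    print(f"{len(POLICY)} policy lines -> {len(rules)} iptables lines")
    print("\n".join(rules))
```

Five policy lines become sixteen iptables lines here, and every ACCEPT that is not part of the skeleton is tied to one chain, one interface pair, one protocol and one port. Removing rules to shorten the script means either dropping a protocol a service needs (breaking it) or widening a match (opening more than the intended pinprick), which is exactly the trade-off the message describes.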