Advanced Policy Firewall is good for the home user, http://www.rfxnetworks.com/apf.php
It's a very simple one-file configuration with some optional perks. Define the untrusted IF, its egress, ingress, tweaks (default values are already sane) and such, stick it in init.d - done. I believe it now has a semi-guided installer. Very well documented and well suited for home use. Nowhere near as capable as shorewall, but I think that's the argument to be made for it in that setting. The web hosting industry relies on it rather heavily for shared web servers. It gets clunky after a few hundred rules, but when would an average user ever have a few hundred rules? :)

HTH
-Tim

On Sun, 2006-10-22 at 09:43 -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>
> > On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> >> [EMAIL PROTECTED] writes:
> >>
> >> > If you look at the number of lines of rules you make, and compare it
> >> > to the number of lines (pages!) of iptables rules it makes, you see
> >> > that shorewall is easier. Also the syntax is easier. Changes are
> >> > far easier. Besides, the shorewall book is the best book I've found
> >> > for understanding iptables.
> >>
> >> shorewall creates pages of iptables rules and that is considered a
> >> good thing? What happened to KISS?
> >>
> > Yes it is a good thing. The purpose of a firewall is to block anything
> > that you don't explicitly want through. If you don't want anything
> > don't put any 'allow' stuff. Then the default rules of deny all is in
> > effect. The issue is that there are different protocols for the same
> > service (e.g. UDP, UTP, etc). Each little pinprick you want opened
> > takes a few rules to keep it to a specific pinprick. If you did it
> > manually with fewer rules you would have a more porous firewall or you
> > wouldn't have the services you want traversing the firewall. If you
> > used too few rules you would have a screen door.
>
> Bull. How does few rules create a screen door as opposed to "pages" of
> rules? How many services do you have that you need "pages" of rules?
> How does each pinprick you open not create another entry point? How
> does fewer "pinprick" opened create less security, while more "pinpricks"
> create more security? How is this keeping it simple?
>
> > For comparison, go to tldp and get the securing-linux manual (redhat
> > edition). It's in pdf format. That author took the same approach you
> > suggest and does everything except the base install by hand. Read the
> > section on firewall. See the pages of rules he has in his firewall
> > script. He explains it all too.
>
> I couldn't find the article you were talking about, but I did find a
> Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0. And the number of
> rules is insane. Why would you have an explicit DROP rule when you
> have a DROP policy? Where is the logging? (Yes, he has a comment about
> how he logs selected denied packages, but no logging actually occurs) Of
> course, if you want to be the "ultimate-solution", why would you want to
> keep it simple?
>
> Sigh...
>
> > The only ways I know of to KISS a firewall are ipmasq and shorewall.
> > Shorewall makes a better firewall so it makes more rules.
>
> KISS. Keep It Simple. As in as few rules as possible.
> What do you need?
>
> Take a home user. What does he need?
>
> Well, he needs to open the loopback. Rule 1.
> He wants any packages that he started to be let through (RELATED,
> ESTABLISHED). Rule 2.
> Maybe he wants to use p2p. That's a range. If you use bittorrent, you
> might have to open an additional port for the control package. That's 4 rules.
> End it with a LOG rule with rate limit.
>
> That's _five rules_. Use DROP as a policy. How is this _less_ secure than
> having "pages" of rules? How is having _fewer_ rules create more
> insecurity?
>
> --
> John L. Fjellstad
> web: http://www.fjellstad.org/ Quis custodiet ipsos custodes
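The minimal home firewall John sketches in the quoted reply (DROP policy, loopback, RELATED/ESTABLISHED, a p2p port range plus a control port, and a rate-limited LOG rule at the end) written out as iptables commands. This is an added example, not code from the thread or from either firewall project; the port numbers are assumed placeholders, and opening the p2p ports for both TCP and UDP is my choice, so the rule count comes out a little higher than John's tally. The script only prints the commands unless told to apply them, which keeps it safe to read through before running it as root.

```sh
#!/bin/sh
# Added example: a five-rule-style home firewall as described in the thread.
# Defaults are placeholders; override with environment variables if needed.
P2P_PORTS="${P2P_PORTS:-6881:6889}"   # assumed BitTorrent data port range
P2P_CTRL="${P2P_CTRL:-6969}"          # assumed control/tracker port
IPT="${IPT:-iptables}"                # path to the iptables binary

# Emit the rule set, one iptables command per line, without running it.
home_firewall_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport $P2P_PORTS -j ACCEPT
$IPT -A INPUT -p udp --dport $P2P_PORTS -j ACCEPT
$IPT -A INPUT -p tcp --dport $P2P_CTRL -j ACCEPT
$IPT -A INPUT -p udp --dport $P2P_CTRL -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
EOF
}

# Count the explicit ACCEPT "pinpricks" so the size of the attack surface
# is visible at a glance.
count_accepts() {
    home_firewall_rules | grep -c -- '-j ACCEPT'
}

# Apply the rules for real (needs root and a working iptables).
apply_home_firewall() {
    home_firewall_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_home_firewall
else
    home_firewall_rules
fi
```

Two details worth noticing: there is no explicit `-j DROP` after the LOG rule, because the INPUT policy already drops whatever falls off the end of the chain (the point John makes about explicit DROP rules under a DROP policy), and the `limit` match on the LOG rule keeps a port scan from filling the log. Run it as `sh firewall.sh` to review the output and `sh firewall.sh apply` as root to install it.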