Advanced Policy Firewall is good for the home user,
http://www.rfxnetworks.com/apf.php
It's a very simple one-file configuration with some optional perks.
Define the untrusted IF, its egress, ingress, tweaks (default values
are already sane) and such, stick it in init.d - done. I believe it now
has
John Hasler <[EMAIL PROTECTED]> writes:
> John L. Fjellstad writes:
>> shorewall creates pages of iptables rules and that is considered a good
>> thing?
>
> You'd rather write them all by hand?
You think creating "pages" of rules is Keeping It Simple?
--
John L. Fjellstad
web: http://www.fjells
[EMAIL PROTECTED] writes:
> On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
>> [EMAIL PROTECTED] writes:
>>
>> > If you look at the number of lines of rules you make, and compare it
>> > to the number of lines (pages!) of iptables rules it makes, you see
>> > that shorewall is e
Doug writes:
> If you did it manually with fewer rules you would have a more porous
> firewall or you wouldn't have the services you want traversing the
> firewall. If you used too few rules you would have a screen door.
Not only is it important to have the right rules, but it is also important
to
John L. Fjellstad writes:
> shorewall creates pages of iptables rules and that is considered a good
> thing?
You'd rather write them all by hand?
--
John Hasler
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
> [EMAIL PROTECTED] writes:
>
> > If you look at the number of lines of rules you make, and compare it
> > to the number of lines (pages!) of iptables rules it makes, you see
> > that shorewall is easier. Also the syntax is easier.
[EMAIL PROTECTED] writes:
> If you look at the number of lines of rules you make, and compare it to
> the number of lines (pages!) of iptables rules it makes, you see that
> shorewall is easier. Also the syntax is easier. Changes are far
> easier. Besides, the shorewall book is the best book I'
On 10/19/2006 06:40 AM, L.V.Gandhi wrote:
On 10/19/06, Mumia W.. <[EMAIL PROTECTED]> wrote:
On 10/19/2006 12:39 AM, cothrige wrote:
> * John Hasler ([EMAIL PROTECTED]) wrote:
>> The name is misleading. Ipmasq configures both NAT and
firewalling. The
>> default configuration is suitable for mo
* Mumia W.. ([EMAIL PROTECTED]) wrote:
>
> This site, http://www.grc.com , has a service called Shields-Up that
> will help you find out what, if any, ports are open on your computer.
>
> Also, "netstat -putl" will let you find out what listening ports are open.
>
Many thanks.
Patrick
--
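The "netstat -putl" check Mumia recommends above, turned into a small audit, added here as an example and not something posted in the thread: it reads netstat output on stdin and flags every listening socket bound to a non-loopback address that is not on an allowlist, since those are the ones reachable from the network. The sample netstat output is constructed, not a real capture, and the proto/port allowlist format is this example's own. Run netstat with -n (netstat -putln) so addresses and ports are numeric; the parser assumes that layout.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `netstat -putln` output:
# every listening socket bound to something other than loopback is
# reachable from the network, so it is flagged unless it is on the
# allowlist. Run as:  netstat -putln | audit_listeners "tcp/22 udp/68"

# Constructed sample of `netstat -putln` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      812/exim4
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/portmap
tcp6       0      0 :::22                   :::*                    LISTEN      701/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:123           0.0.0.0:*                           690/ntpd'

# audit_listeners ALLOWLIST
#   Reads netstat -putln output on stdin. ALLOWLIST is a space-separated
#   list of proto/port entries (tcp/22, udp/68, ...; tcp6/udp6 count as
#   tcp/udp). Prints one "UNEXPECTED proto local-address pid/program"
#   line per network-reachable listener that is not allowed.
#   Loopback-only sockets are skipped.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN {
      n = split(allow, entries, " ")
      for (i = 1; i <= n; i++) ok[entries[i]] = 1
    }
    $1 ~ /^(tcp|udp)6?$/ {
      # Local Address is host:port; the port follows the last colon,
      # which also handles IPv6 forms such as :::22.
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next
      proto = $1
      sub(/6$/, "", proto)
      key = proto "/" port
      if (key in ok) next
      # udp lines have no State column, so the program is always $NF.
      print "UNEXPECTED", $1, $4, $NF
    }'
}

# audit_sample ALLOWLIST: run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "$1"
}
```

With the allowlist "tcp/22 udp/68" the sample yields a single line for portmap on 0.0.0.0:111, which is exactly the kind of service a home user did not know was listening. Newer systems ship ss instead of netstat (ss -tulpn); its columns differ, so the awk field positions would need adjusting there.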
On 10/19/2006 12:39 AM, cothrige wrote:
* John Hasler ([EMAIL PROTECTED]) wrote:
The name is misleading. Ipmasq configures both NAT and firewalling. The
default configuration is suitable for most, but you can tweak the scripts
to do whatever you need.
However, it is not clear that you need a
* John Hasler ([EMAIL PROTECTED]) wrote:
>
> The name is misleading. Ipmasq configures both NAT and firewalling. The
> default configuration is suitable for most, but you can tweak the scripts
> to do whatever you need.
>
> However, it is not clear that you need a firewall at all. If you have
On Wed, Oct 18, 2006 at 01:32:52PM -0500, cothrige wrote:
> * [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> >
> Interesting what you say about ipmasq. How automatic is it? I would
> have assumed that it had more to do with making your machine a
> gateway, which mine isn't, than firewalling it
* H.S. ([EMAIL PROTECTED]) wrote:
[snip]
>
> The line beginning with "pre-up" means to execute the following command
> before the current interface (in whose stanza the line is) is brought up.
>
Very important to know. Many thanks.
Patrick
--
cothrige writes:
> Interesting what you say about ipmasq. How automatic is it? I would
> have assumed that it had more to do with making your machine a gateway,
> which mine isn't, than firewalling itself. I am assuming that it does
> both?
The name is misleading. Ipmasq configures both NAT an
cothrige wrote:
* H.S. ([EMAIL PROTECTED]) wrote:
Well, my custom firewall script does take start, stop and restart
arguments and so I could call it using the rc method. However, I have
thus far used it by calling it with a pre-up line in the stanza for my eth0:
pre-up /etc/myfirewall/firewall.
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
>
> As I see it, you have two choices. If you just want something that
> should do what you want and don't want to have to set anything up, just
> install ipmasq. It determines what the untrusted network is by where
> the default route or gateway po
On Wed, Oct 18, 2006 at 09:06:10AM -0500, cothrige wrote:
> * Kevin Mark ([EMAIL PROTECTED]) wrote:
> > >
> > Hi Patrick,
> > most folks just run 'shorewall'! And you can add more rules if you need
> > to.
> > =Kev
>
> This does seem to be the consensus here. However, as I have never
> used this
* Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>
> read this
>
> http://www.shorewall.net/standalone.htm
>
> A
Well, there you go. I was completely on the wrong side of the docs.
Thanks for this shortcut. It seems pretty straightforward too. Took
me about five minutes to follow it and ge
* Kevin Mark ([EMAIL PROTECTED]) wrote:
> >
> Hi Patrick,
> most folks just run 'shorewall'! And you can add more rules if you need
> to.
> =Kev
This does seem to be the consensus here. However, as I have never
used this tool it is a bit intimidating. And the documentation is so
vast it may be
On Tue, Oct 17, 2006 at 05:45:34PM -0500, cothrige wrote:
> I was wondering about the best way to start iptables with each boot in
> Debian and so I did some googling. I found a Debian Wiki and it gave
> instructions concerning update-rc.d, but this requires a script for
> iptables in init.d and t
cothrige wrote:
> I was wondering about the best way to start iptables with each boot in
> Debian and so I did some googling. I found a Debian Wiki and it gave
> instructions concerning update-rc.d, but this requires a script for
> iptables in init.d and this does not exist. At least not in my
>
* H.S. ([EMAIL PROTECTED]) wrote:
> Well, my custom firewall script does take start, stop and restart
> arguments and so I could call it using the rc method. However, I have
> thus far used it by calling it with a pre-up line in the stanza for my eth0:
> pre-up /etc/myfirewall/firewall.sh restart
Patrick writes:
> There it recommends putting a script in
> /etc/network/if-up.d to run iptables-restore. This is similar to the
> Gentoo way, except that was somewhat automated with a script in init.d
> which, oddly, Debian is lacking.
The various firewall packages install appropriate scripts.
-
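A worked version of the pre-up approach H.S. describes (a script taking start, stop and restart, called from the eth0 stanza), added here as an example and not the thread's own script: it builds the ruleset in iptables-save format and loads it with iptables-restore, so the whole filter table is replaced in one step and a restart never leaves the host with empty chains the way a flush-then-add script does. The path /etc/myfirewall/firewall.sh, the ALLOW_TCP variable and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's own script. A minimal stateful host
# firewall with start/stop/restart, meant to be saved as (assumed path)
# /etc/myfirewall/firewall.sh and called from /etc/network/interfaces:
#     iface eth0 inet dhcp
#         pre-up /etc/myfirewall/firewall.sh start
# ALLOW_TCP lists TCP ports to accept (default: 22). DRY_RUN=1 prints
# the ruleset instead of loading it, so it can be checked without root.

# ruleset: emit the filter table in iptables-save format. Default policy
# DROP on INPUT and FORWARD; allow loopback, replies to our own
# connections, ICMP, and new connections to the listed TCP ports.
ruleset() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
  for port in ${ALLOW_TCP:-22}; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Rate-limited log of what the policy drops, for debugging the rules.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
  printf '%s\n' 'COMMIT'
}

# open_ruleset: the "stop" state, empty chains with ACCEPT policies.
open_ruleset() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
                ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}

# load: feed the ruleset on stdin to iptables-restore, which replaces the
# whole table atomically (no window with an empty chain during restart).
load() {
  if [ "${DRY_RUN:-0}" = 1 ]; then cat; else iptables-restore; fi
}

# firewall ACTION: start and restart are the same operation because the
# table is replaced rather than appended to.
firewall() {
  case "$1" in
    start|restart) ruleset | load ;;
    stop)          open_ruleset | load ;;
    *) echo "usage: $0 start|stop|restart" >&2; return 2 ;;
  esac
}

# Dispatch only when invoked with an action, so the file can also be
# sourced for testing.
case "${1:-}" in
  start|stop|restart) firewall "$1" ;;
esac
```

pre-up runs before the interface is brought up, so the rules are in place before the first packet can arrive; a script in /etc/network/if-up.d runs after the interface is up and leaves a short window with whatever rules were loaded before. On the 2006-era kernels in this thread the conntrack match was spelled "-m state --state" rather than "-m conntrack --ctstate"; the ruleset is otherwise the same.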
* John Hasler ([EMAIL PROTECTED]) wrote:
> Patrick writes:
> > I suppose that I could do something similar with Debian, but would like
> > to make sure that there is not some more correct way to handle it first.
>
> No more correct but more sensible would be to install one of the several
> package
Patrick writes:
> I suppose that I could do something similar with Debian, but would like
> to make sure that there is not some more correct way to handle it first.
No more correct but more sensible would be to install one of the several
packages that do exactly what you want. I like ipmasq.
--
Andrew Sackville-West wrote:
> On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
>> * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>>> isn't iptables part of the kernel and therefore up by default when the
>>> kernel starts executing?
>>>
>
* Roberto C. Sanchez ([EMAIL PROTECTED]) wrote:
> >
> Use shorewall.
>
> Regards,
>
> -Roberto
I was just looking at a howto on this. I have never used any of these
tools before as I already had a firewall script which worked. But,
maybe now is as good a time as any to learn how this works.
On Tue, Oct 17, 2006 at 05:15:19PM -0700, Andrew Sackville-West wrote:
> On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
> > * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
> > >
> > > isn't iptables part of the kernel and therefore up by default when the
> > > kernel starts executing?
On Tue, Oct 17, 2006 at 07:08:47PM -0500, cothrige wrote:
> * Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
> >
> > isn't iptables part of the kernel and therefore up by default when the
> > kernel starts executing?
> >
> > A
>
> Yes, iptables as far as I know is part of the kernel, but the r
* Andrew Sackville-West ([EMAIL PROTECTED]) wrote:
>
> isn't iptables part of the kernel and therefore up by default when the
> kernel starts executing?
>
> A
Yes, iptables as far as I know is part of the kernel, but the rules
must be loaded. In Slackware I would create a script and put it in
r