Re: Firewalls <- It's built-in dude, grab some sample scripts or a GUI tool

On Wed, 02 Aug 2000, Vinay Kudithipudi wrote:

> Can u recommend a nice firewall for linux.

Yeah, Linux. ;->

Seriously now, you don't want to use anything but Linux's kernel-level "IPChains."

> I am fairly new to linux, so something with easier installation
> options would be great..

Er, I don't know what you mean by "easier installation options" and I understand you are new, but the stock Linux kernel comes with so damn powerful stuff in its native IPChains. There is no need to look anywhere else (and you wouldn't want to anyway).

There are several ways to "tame" IPChains. First off, most distros now come with a basic "deny all" (or similar) firewall script. Secondly, there are a crapload of scripts out there. Third, there are at least a half-dozen GUI interfaces to IPChains now.

In a nutshell, you do NOT want a firewall to be "easy" to configure. Security should never be "easy". At the same time, you want to be able to "do it once and never touch it again" and that is IPChains (with the exception of occasional kernel updates, although your script will probably never need to change). I think the GUIs, like anything in Linux, do a great job of helping you configure IPChains, but you want to be able to always "get to all the guts" if you need to (something that I hate about Windows because I cannot bypass the GUI).

Lastly, some of these "black box" firewalling solutions are half-@$$ IMHO. They would rather "make it easy for you" by letting known, problematic/unsecure services/sessions through than have you worry about tweaking and support. Every day, vendors create new services on various ports that are piss-poor designed and require the firewall to make concessions on how to connect and what to let through. The Linux kernel has a number of modules to "tame" these services (e.g., FTP, Quake, etc...) unlike most of these PnP boxes that let more in than you'd normally want.

-- TheBS

P.S. And there are always people like me and other LUG devotees who will help you write a good script. If anything, the more eyes the better because there is a better chance someone will see a mistake in a rule anyway.

--
Bryan "TheBS" Smith
CONTACT INFO ***********************************************************
Chat: thebs413 @ AOL/MSN/Yahoo (see http://Everybuddy.com)
Email: mailto:thebs@theseus.com,b.j.smith@ieee.org
Legal: http://www.SmithConcepts.com/legal.html

To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
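The kind of "deny all" IPChains script the reply describes, written out as an added example (my code, not anything from the post or the list). It assumes a 2.2-era kernel with ipchains, eth0 toward the Internet, eth1 toward a private LAN on 192.168.1.0/24, and SSH as the only service exposed inbound; those names and addresses are assumptions, not from the post.

```shell
#!/bin/sh
# Default-deny ipchains (Linux 2.2) ruleset for a small masquerading gateway.
# Assumed layout (not from the original post): eth0 faces the Internet, eth1 a
# private LAN on 192.168.1.0/24; SSH is the only service offered to the outside.
IPCHAINS=${IPCHAINS:-ipchains}   # set IPCHAINS=echo MODPROBE=echo for a dry run
MODPROBE=${MODPROBE:-modprobe}
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

input_rules() {
    $IPCHAINS -F                     # flush old rules, then deny by default
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Anti-spoofing: loopback/private sources never legitimately arrive on eth0.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPCHAINS -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done
    # ipchains keeps no connection state: replies to our own outbound TCP
    # sessions can only be recognised by the absence of the SYN flag (! -y).
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 22 -j ACCEPT   # inbound SSH
    # DNS answers arrive from source port 53; stateless, so this is as tight as it gets.
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT
    for t in destination-unreachable time-exceeded echo-reply; do
        $IPCHAINS -A input -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPCHAINS -A input -i "$EXT_IF" -j DENY -l   # log whatever else gets this far
}

masq_rules() {
    # Forward and masquerade only the LAN. The kernel's masquerading helper
    # (ip_masq_ftp) lets active FTP through without punching a blanket hole,
    # which is the "taming" of awkward protocols the post refers to.
    $MODPROBE ip_masq_ftp
    $IPCHAINS -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

case "${1:-}" in
    apply)   input_rules; masq_rules; enable_forwarding ;;
    dry-run) IPCHAINS=echo; MODPROBE=echo; input_rules; masq_rules ;;
esac
```

`sh firewall.sh dry-run` prints the rules it would load so they can be reviewed (the "more eyes" the post recommends) before running `sh firewall.sh apply` as root.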