Guys I've built several iptables-based firewalls for some clients and personal use. Some of them are horrors, now that I look back on them... I want to build my own 'all-in-one' firewall for the most common network setups I use... I've used various other GPL'ed scripts for references in past firewalls and they do tend to open one's eyes a bit, thanks for everyone who released their scripts under the GPL. I understand iptables, so that's covered. I'm constantly researching security cause it's so damn interesting to see the precautions some people take, and the level of protection you yourself would never even have dreamed about... Now, these are the features (independent of implementation) that I've considered to put into my firewall: - Support for multiple interfaces on both LAN & WAN - NAT & DMZ - Black lists for inbound & outbound traffic - Host services (global or per interface, allows seperation between LAN & WAN services) - Access control on MAC, IP, or MAC-IP pairing - Administrative services (SSH) access control on MAC or MAC-IP pairing - VPN (IPSec, PPTP & SSL) - QoS - ICMP control - Managed logging - Expansion through custom chains* * Expansion through custom chains might help those often found scenarios that render your standard firewall inoperable. By creating say, a PREINPUT chain or POSTINPUT chain, another script can modify that chain for any function not covered by the standard firewall features. I've got the "Modular Firewall Product Certification Criteria version 4.1" from ICSAlabs, but I've not had any time to investigate it yet. Please remember, this discussion is intended to be about features, not implementation. I'll cross that bridge when I get there... Any suggestions & advice would be appreciated. Kind regards -- Kenneth Kalmer kenneth.kalmer@xxxxxxxxx Folding@home stats http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
