On Fri, 2005-06-24 at 12:56 +0200, Kenneth Kalmer wrote:
> Guys
>
> I've built several iptables-based firewalls for some clients and
> personal use. Some of them are horrors, now that I look back on
> them... I want to build my own 'all-in-one' firewall for the most
> common network setups I use... I've used various other GPL'ed scripts
> for references in past firewalls and they do tend to open one's eyes a
> bit, thanks to everyone who released their scripts under the GPL.
>
> I understand iptables, so that's covered. I'm constantly researching
> security cause it's so damn interesting to see the precautions some
> people take, and the level of protection you yourself would never even
> have dreamed about...
>
> Now, these are the features (independent of implementation) that I've
> considered to put into my firewall:
> - Support for multiple interfaces on both LAN & WAN
> - NAT & DMZ
> - Black lists for inbound & outbound traffic
> - Host services (global or per interface, allows separation between
>   LAN & WAN services)
> - Access control on MAC, IP, or MAC-IP pairing
> - Administrative services (SSH) access control on MAC or MAC-IP pairing
> - VPN (IPSec, PPTP & SSL)
> - QoS
> - ICMP control
> - Managed logging
> - Expansion through custom chains*
>
> * Expansion through custom chains might help those often found
> scenarios that render your standard firewall inoperable. By creating
> say, a PREINPUT chain or POSTINPUT chain, another script can modify
> that chain for any function not covered by the standard firewall
> features.
>
> I've got the "Modular Firewall Product Certification Criteria version
> 4.1" from ICSAlabs, but I've not had any time to investigate it yet.
>
> Please remember, this discussion is intended to be about features, not
> implementation. I'll cross that bridge when I get there...
>
> Any suggestions & advice would be appreciated.
>
> Kind regards

May I suggest taking a look at ISCS (http://iscs.sourceforge.net) and see if
it gets you close to what you seek. It's not a script but rather a very
flexible configurator that allows relatively easy management of some of the
complex features you cite - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
Financially sustainable open source development
http://www.opensourcedevel.com
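The PREINPUT/POSTINPUT hook-chain idea from the quoted message, as an added example that is not part of the thread or of ISCS: a generator that emits an iptables-restore ruleset in which INPUT is bracketed by the two hook chains, plus the helper a second script would use to populate them. The service port list, log prefix and sample addresses are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset in
# which the INPUT chain is bracketed by two hook chains, PREINPUT and
# POSTINPUT, that a separate script can populate without editing the core
# rules. The host-service port list and the log prefix are illustrative.
fw_ruleset() {
    ports="$1"   # e.g. "22 80 443": TCP services the host offers
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default-deny policy
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':PREINPUT - [0:0]'        # hook consulted before the core rules
    printf '%s\n' ':POSTINPUT - [0:0]'       # hook consulted after them, before the LOG
    # A packet matching nothing in a hook chain returns to INPUT and continues.
    printf '%s\n' '-A INPUT -j PREINPUT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j POSTINPUT'
    printf '%s\n' '-A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Rule a second script would append to a hook chain. Only the hook chains are
# writable this way, so extensions cannot reorder or bypass the core rules.
fw_extend() {
    chain="$1"; rule="$2"
    case "$chain" in
        PREINPUT|POSTINPUT) printf '%s\n' "-A $chain $rule" ;;
        *) echo "refusing to modify non-hook chain $chain" >&2; return 1 ;;
    esac
}

# Line number of the first INPUT rule matching a pattern, used to verify the
# ordering invariant: PREINPUT jump first, POSTINPUT jump last before the LOG.
rule_index() {
    fw_ruleset "$1" | grep -n '^-A INPUT' | grep "$2" | head -n 1 | cut -d: -f1
}
```

The output of `fw_ruleset` (with any `fw_extend` lines appended before `COMMIT`) is in the format `iptables-restore` reads, so the same text can be reviewed, diffed and loaded atomically.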