On Wed, 2003-08-27 at 07:12, Paul Johnson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, Aug 26, 2003 at 09:12:15PM -0400, Bret Comstock Waldow wrote:
> > # A: I was pretty much hounded into providing it. I do not like it.
> > # Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> > # scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> > # init.d script -- no need to even name it iptables. Use ferm,
> > # ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> > # firewall configuration tools available. Do not use the init.d
> > # script.
>
> > For crissake! Can anyone point me at some sensible discussion of how
> > the hell to go about putting firewall rules in place? I've got a
> > laptop, usually on a cable modem, but sometimes using dial-up.
>
> Oh, give us a break. You and the unsubscribers have something in
> common: You posted the solution to your problem. Use ferm, ipmasq,
> ipmenu, guarddog, firestarter, or one of the many other firewall
> configuration tools available. Do not use the init.d script.

But please notice two things:

1) If I use one of those tools, it does something, sets up something. What will it do? It's someone else's canned decisions about how to implement the choices I select from what it offers. What do I end up with? Are there any holes? How will I know if other choices I make open up holes because I don't know how it's all coordinated?

I'm working with a copy of Real World Linux Security, and the fellow provides a complete firewall for SOHO, and then dissects it to show the concerns and his choices. He also links it to adaptive firewall rules to lock out attackers. And it's for Redhat, Mandrake, etc. I have to reconstruct it for Debian to use it. So I need to know how to plumb it.

On running it by hand as an experiment, it locks all access - no browser, mail, etc., so I need to learn more so I can work it all out. And there isn't a lot of discussion I've found yet about the plumbing of firewalling.

2) Other people do indeed have answers to the question - and I haven't seen so much of a discussion of these issues in any of the sources I've Googled yet. The Debian Security manual really falls down on this issue. The book I'm reading points out that many people make the mistake of flushing the rules before adding the new ones - the default policy is ACCEPT.

My upset isn't appropriate here. I apologize. I think my questions are appropriate, though. And I don't think leaving documentation like the above is very kind or useful for newbies. If I'm to figure out how to solve the problem, I need to know how, and leaving stress-inducing comments like that in released code is a cop-out. If it's broke, provide a solution, or at least a decent discussion of the issues involved, so I can work one out.

Maybe I'll end up figuring one out.

Cheers,
Bret
--
bwaldow at alum dot mit dot edu
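
The flush-before-load window mentioned in the message above can be avoided by loading the whole filter table in one commit with iptables-restore, with DROP set as the policy in the same load. The script below is an added example, not part of the thread or of the book it cites; the ruleset is a constructed minimal one for a single workstation, and the file name /etc/network/if-pre-up.d/firewall is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed minimal ruleset for a
# laptop that only makes outbound connections.
# Assumed install path: /etc/network/if-pre-up.d/firewall (hypothetical name),
# with the hook invoking it as: firewall apply

# Emit the ruleset in iptables-restore format. The ":CHAIN POLICY" lines set
# the default policy as part of the same commit that replaces the rules, so
# there is no moment where the table is empty with policy ACCEPT.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset read from stdin before it is loaded.
# Returns 0 if it passes, non-zero with a message otherwise.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP ' ||
        { echo "INPUT policy is not DROP"; return 1; }
    # Without this rule, replies to the host's own outbound connections
    # are dropped and nothing on the network appears to work.
    printf '%s\n' "$rules" | grep -q -- '-A INPUT .*ESTABLISHED' ||
        { echo "no ESTABLISHED rule: reply traffic would be dropped"; return 2; }
    printf '%s\n' "$rules" | grep -q '^COMMIT$' ||
        { echo "missing COMMIT: table would not be applied"; return 3; }
    return 0
}

# Only touch the running firewall when asked to (needs root).
if [ "${1:-}" = "apply" ]; then
    gen_ruleset | check_ruleset && gen_ruleset | iptables-restore
fi
```

Run without arguments the script changes nothing; the result of an "apply" can be inspected afterwards with iptables-save.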