I'm pretty sure that most of what ICS accomplishes is done through 
iptables, and from what I saw not in too secure a manner (at least it 
doesn't in the "high" level security setting).  For the most part, if 
you know what you are doing, you can replace the /etc/rc.d/rc.firewall 
script with your own.  I'm not too sure how the Mandrake configuration 
tools are affected by such a move (I find GUI tools sometimes 
frustrating), but I haven't had any problems so far -- probably because 
I haven't tried to further alter anything with the tools.  

FYI, one of the nicer iptables firewalling scripts I've found for a 
connection-sharing gateway machine can be obtained here:

  http://www.linuxguruz.org/iptables/scripts/rc.firewall_023.txt

You can find a lot of other good scripts at the same site 
(http://www.linuxguruz.org/iptables), which makes it a great site for 
studying how to configure packet filtering and NAT.  For those familiar 
with shell scripting, the above script should be pretty self-explanatory 
(it actually has decent comments embedded for your learning pleasure), 
and with a few mods here and there, you should be able to generate a 
halfway decent firewall.  Note that this one allows external machines to 
ping the firewall, which I prefer to disable.  Please make sure that you 
review these scripts and understand them before blindly using them!  It 
is probably wise to just use them as a guide to writing your own script.

Finally, a few good places to test your firewall configuration after you 
have it set:

  http://www.dslreports.com/tools
  http://crypto.yashy.com/nmap.php
  https://secure1.securityspace.com/smysecure/norisk_index.html

Happy firewalling!

ROB


Lyvim Xaphir wrote:

><snip>
>
>Now, the downside to this is of course that you cannot access the
>internet directly through one of these private addresses.  In order to
>do that, you must "translate" your local IP addresses into a bona fide
>*public* type IP address.  This is what's called Network Address
>Translation, or NAT.  There are several options for installing NAT on
>your system such that anyone on your local net can access the internet
>thru a system that's connected to the internet.  Such a connected system
>in this case is called a gateway.  One way I do it here (because it's
>quick and dirty) is by using the Internet Connection Sharing (ICS for
>short) option in the Mandrake Control Panel.  The advantage is that if
>you have 98 or winblows machines (like I do here), ICS on Mandrake is an
>excellently compatible way to get them on the internet all at the same
>time, transparently.  
>
>There are probably more superior ways to do this.  For example, with the
>use of iptables (supposedly an ipchains replacement) you are able to run
>a script and instantly set up both NAT, packet filtering, and packet
>mangling rules at the same time. (if you know what you are doing.)  This
>is what I've been interested in.  There are a lot of scripts out there to
>accomplish this, but a lot of it still seems to be sort of bleeding
>edge.  Some scripts work, others don't, it's kind of like Russian
>roulette.  In the meantime I've stuck with Mandrake Control Center ICS
>until I get an iptables script ready.
>
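
Added example, not part of the original message or of the linked scripts: a small generator for the kind of connection-sharing gateway ruleset discussed above, with NAT for the LAN, default-drop filtering, and inbound ping on the external interface refused. The function name, interface names and LAN range are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for a NAT gateway.
# gen_gateway_rules is a hypothetical helper; the interfaces and LAN
# range are supplied by the caller and are assumptions, not page values.

gen_gateway_rules() {
    ext_if=$1 int_if=$2 lan=$3
    # Accept only plain interface names and an IPv4 CIDR, so whitespace
    # or extra options cannot end up inside a generated rule.
    for name in "$ext_if" "$int_if"; do
        case "$name" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
        esac
    done
    case "$lan" in
        ''|*[!0-9./]*) echo "bad LAN range" >&2; return 1 ;;
    esac
    [ "$ext_if" != "$int_if" ] || { echo "interfaces must differ" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $ext_if -s $lan -j DROP
-A INPUT -i $ext_if -p icmp --icmp-type echo-request -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int_if -s $lan -j ACCEPT
-A FORWARD -i $ext_if -s $lan -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review when called with three arguments, e.g.
#   sh gateway.sh eth0 eth1 192.168.0.0/24 | iptables-restore --test
if [ $# -eq 3 ]; then gen_gateway_rules "$@"; fi
```

The explicit echo-request rule is redundant with the DROP policy on INPUT, but it keeps the no-ping decision visible if the policy is later relaxed. Forwarding also requires net.ipv4.ip_forward to be set to 1 on the gateway.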


