Yes, it's called gShield (http://muse.linuxmafia.org/gshield.html).
You have one config file... you tell it your internet interface (say ppp0 or eth1) and your internal interface (say eth0 for instance), then you scroll down and it has options of YES, NO or FORWARD. Under ssh say "YES"; under everything else, say NO. If you want to use forward to port-forward to a port on an internal machine, you say FORWARD and under it goes the internal address to forward to. It's just a conf file, no confusing code in it.. does lots of other stuff for you as well, including NAT.. piece of cake to set up. I leave msec alone, load gShield, and then use hosts.deny and hosts.allow to explicitly allow anything that needs access. It's worked for me for ages now.. no reason to think it won't for you either.

Here are some snippets from the config file (/etc/firewall/gShield.conf):

# ------------------------------------------- #
# Interfaces                                  #
# --------------------------------------------#

# Which interface connects you
# to the "world"? For PPP users
# this should be ppp0 (for example)
LOCALIF="ppp0"

# Is your ip STATIC or Dynamic?
# if you use PPPoE or DHCP, keep
# it "NO" -- if it is truly a
# static address, set it to YES
STATIC="NO"

# If this is a multi-homed setup
# (i.e., another interface connects
# to a local LAN), set MULTI="yes"
# below. This adds some logic
# to ensure machines on the LAN
# can access the firewall even if
# they are not listed in NATS
# options: YES, NO
MULTI="YES"

# If the above is yes, set INTIF
# below to the interface which
# connects the local net
INTIF="eth0"

----------------------------------

# ------------------------------------------- #
# If you need gShield to provide NAT services #
# (ipmasq of the ipchains era), then set      #
# NAT = to "YES" below -AND- edit             #
# /etc/firewall/conf/NATS                     #
# /etc/firewall/conf/NATS needs to have the   #
# private range you wish to NAT for - the     #
# default is 192.168.1.0/24                   #
# ------------------------------------------- #
# options: YES, NO
NAT="YES"

-------------

HERE IS AN EXAMPLE OR TWO OF THE SERVICE SETUP:

# ------------------------------------------- #
# ---[ Web services ] ----------------------- #
# ------------------------------------------- #

# HTTP
# options are OPEN, FORWARD, NO
HTTP_SERVICE="OPEN"
HTTP_HOST="192.168.0.1"

# HTTPS
# options are OPEN, FORWARD, NO
HTTPS_SERVICE="NO"
HTTPS_HOST="192.168.1.2"

See how simple that is? All you have to do is download the tarball, uncompress it, copy it to /etc/firewall and configure it.. piece of cake.. and very effective. Does a ton of other stuff as well, but you can stick to the basics if you don't need any of it..

rgds
Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim C
Sent: Saturday, 30 November 2002 10:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] Shorewall Follies - It's drivin' me NUTS!!

Jack Coates wrote:
> I know the shorewall question can be resolved, but as KevinO points out
> it shouldn't be resolved by someone who's not fully aware of the issues
> at stake.
>
> In the last five days I've gotten nearly a thousand denied attempts to
> relay spam mail through my server clogging up my logs right now in

I don't have a mail, web or ftp server. I access only through SSH and SFTP.
I am single and live with a Creative Writing major who is not a techy. That I know of, there has never been a "snot nosed brat" in my apartment in the 5 years that I have lived here, unless fraternity brothers count, and I know that the guys in question are far more interested in hedonism than anything technical. ;-) You've also not considered that as a graduate student, I might literally have more important things to do. Security is on my hit list but unfortunately it is not at the top. Graduation is. ;-) I do use firewalls on some of my clients that are Windows based, but the learning curve for Linux based firewalls prevents. I tell you what. :-) If it concerns you so much I will be happy to use any configuration you are willing to provide that allows samba on the intranet and blocks it from the internet and also does internet connection sharing and SSH/SFTP. Eventually I would like to use tcp wrappers for this sort of thing, though.
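An added example, not code from this thread or from the gShield project: a small POSIX shell check for the kind of KEY="VALUE" settings Frank quotes above. It reads the keys that appear in the thread (LOCALIF, INTIF, MULTI, *_SERVICE, *_HOST) and flags the mistakes that matter for exposure: a FORWARD entry with no internal host, a FORWARD entry pointing outside the private ranges, an unknown service value, and an internal interface that is the same as the internet-facing one. The two sample config files are constructed here for the demonstration; SSH_SERVICE is an assumed key name (the thread mentions an ssh entry but not its exact name), and the file format (one setting per line, '#' comments) is an assumption about gShield's conf style, not documented behaviour.

```shell
#!/bin/sh
# Consistency check for gShield-style KEY="VALUE" firewall settings.
# Assumption: one KEY="VALUE" per line, comments start with '#'.

# cfg_get FILE KEY: print the (last) value of KEY with surrounding quotes stripped.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_private_ipv4 ADDR: true for RFC 1918 ranges (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_gshield_conf FILE: print each problem found, return the problem count (0 = clean).
check_gshield_conf() {
    f="$1"
    problems=0
    localif=$(cfg_get "$f" LOCALIF)
    intif=$(cfg_get "$f" INTIF)
    multi=$(cfg_get "$f" MULTI)

    [ -n "$localif" ] || { echo "LOCALIF is empty"; problems=$((problems+1)); }
    if [ "$multi" = "YES" ]; then
        [ -n "$intif" ] || { echo "MULTI=YES but INTIF is empty"; problems=$((problems+1)); }
        [ "$intif" != "$localif" ] || { echo "INTIF and LOCALIF are both '$localif'"; problems=$((problems+1)); }
    fi

    # Every *_SERVICE must be OPEN/YES, FORWARD or NO; FORWARD needs a private *_HOST.
    for key in $(sed -n 's/^[[:space:]]*\([A-Z0-9_]*\)_SERVICE=.*/\1/p' "$f"); do
        svc=$(cfg_get "$f" "${key}_SERVICE")
        host=$(cfg_get "$f" "${key}_HOST")
        case "$svc" in
            OPEN|YES|NO) ;;
            FORWARD)
                if [ -z "$host" ]; then
                    echo "${key}_SERVICE=FORWARD but ${key}_HOST is empty"
                    problems=$((problems+1))
                elif ! is_private_ipv4 "$host"; then
                    echo "${key}_SERVICE=FORWARD to non-private address $host"
                    problems=$((problems+1))
                fi ;;
            *) echo "${key}_SERVICE has unknown value '$svc'"; problems=$((problems+1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample configs (values modelled on the snippets in the thread).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat >"$GOOD_CONF" <<'EOF'
# interfaces
LOCALIF="ppp0"
STATIC="NO"
MULTI="YES"
INTIF="eth0"
NAT="YES"
# services
HTTP_SERVICE="OPEN"
HTTP_HOST="192.168.0.1"
HTTPS_SERVICE="FORWARD"
HTTPS_HOST="192.168.1.2"
EOF

cat >"$BAD_CONF" <<'EOF'
LOCALIF="eth1"
MULTI="YES"
INTIF="eth1"
HTTP_SERVICE="FORWARD"
HTTP_HOST=""
HTTPS_SERVICE="FORWARD"
HTTPS_HOST="203.0.113.7"
SSH_SERVICE="MAYBE"
EOF

check_gshield_conf "$GOOD_CONF" && echo "good config: no problems"
check_gshield_conf "$BAD_CONF" || echo "bad config: $? problem(s) found"
```

Run it before loading the firewall; the exit status is the number of problems, so it drops into a script as `check_gshield_conf /etc/firewall/gShield.conf || exit 1`. It complements, rather than replaces, Frank's second layer of hosts.deny and hosts.allow: the firewall decides what reaches the box, the wrappers decide which source addresses a wrapped daemon such as sshd will answer.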