Dave Nebinger <dnebinger <at> joat.com> writes:
> > I think it might be important to point out here how Shorewall
> > handles/uses these files. I don't use Shorewall, so I can't really
> > shed light on it. But these config files are really only one side of
> > the mirror.

Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence to iptables/netfilter.

> Actually these files are typically the only ones you'll need to edit...

I have a very robust OpenBSD based firewall. I'm not looking for advice on building firewalls as a newbie. I'm looking for somebody that knows IPTABLES/NETFILTER, preferably on Gentoo, and is willing to share a little information. I'm in the process of building a Gentoo based firewall to compare the robustness against OpenBSD + pf.

The really funny thing is a year ago, this list was full of persons that debunked OpenBSD's security supremacy. Now all I'm getting is a lot of 'hot air' and 'bull-loney'. Why are so many people scared to manage their own firewall rulesets directly? Personally, when the occasional hacker does manage to penetrate a menagerie of obstacles, I like to watch what they do, and learn. Besides, the end result is there is nothing in my networks that, if destroyed, cannot be rebuilt. Anything of treasure value is protected by a 4 foot air_gap. I guess I see talented penetration specialists more as kindred spirits, as opposed to evil interlopers.

This FEAR of managing your own iptables/netfilter rulesets is not healthy. Who the F*** wants to live life afraid? Conquer your demons face to face, unless there really is truth to what the OpenBSD community says about Linux: 'linux based security is bullshit'. Prove me wrong; don't hijack the thread! OpenBSD + PF is a piece of cake. OpenBSD comes secure right out of the box. If the Gentoo experts that peruse this list read this email, surely they can direct one to examples where the details of secure rulesets exist?

Surely someone is confident enough in their iptables/netfilter rulesets to publish them? Maybe the Linux security models are not up to the task? SELinux etc.? PF rulesets are quite elaborate, but easily discernible. You know, 'the rat' culture is questionable, but he's really quite talented and reasonable, once you get past the phasic behavior. OpenBSD comes secure, right out of the installation. Building a really secure firewall is trivial. I thought (Gentoo) Linux was supposed to be equal to or superior to OpenBSD for security and every other aspect of computing?

If you have ruleset capabilities, then look at this example, and tell me what's deficient with it?

http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

It was created for 2.4 based kernels, but this simple website shows one how to prepare a 2.6 kernel as the basis of the firewall:

http://www.gentoo.org/doc/en/home-router-howto.xml

It is a bit shallow, but at least this author is not scared of iptables/netfilter fundamentals. (Booo) <this is where the Gentooers mess their britches?>

The really sad thing in this whole thread is nobody has even mentioned which (kernel) sources to use, what to disable/enable and why. Is this some sort of deep secret, or is the Gentoo community un_caring about those who simply want to learn about iptables/netfilter in a 2.6 kernel environment? Hell, if this list and the greater Gentoo community do not have this aggregated knowledge, then let's develop it and document it and share it. This is how we, as the open_source community, distinguish ourselves from the Vulture and his minion_buzzards that inhabit Redmond!

sincerely, from a dreamer and a loser, and a simpleton, (but I'm not afraid of any stinking rule_set, are you?)

James

-- 
gentoo-user@gentoo.org mailing list