My favorite ipchains script is the one located within the Trinity OS
document. It is fairly secure, and heavily commented so that it is easy
to see how each rule contributes to the operation of the firewall.
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
> "Kenneth E. Lussier" wrote:
>
> Greg Kettmann wrote:
> [...snip...]
> > Another truly excellent site is
> > http://linux-firewall-tools.com/ by Bob Ziegler. He literally wrote the book on
> > Linux Firewalls. His site has links to the relevant HOW-TO's plus his own
> > instructions. It also contains a tool to generate the IPCHAINS or IPFWADM scripts
> > needed to start the firewall. There are other excellent sites and resources, as
> > well, but I like this one. GGK
> >
>
> I could not disagree with this more. Rob Ziegler *DID* write a book, and you
> may in fact like his utility. Other than that, I take issue with everything
> else that you said. His book is BAD. It is 100% RedHat-centric, which is
> problem #1. Given that I was totally annoyed with what I DID read of the book
> and never finished it, I won't comment any further on it. OK, I lied... It
> also doesn't deal with anything related to encryption. How can you talk about
> firewalls and security and neglect to mention encryption?!?
>
> Now, on to his tool... Sure, it works... sort of. What it creates is a
> completely bloated script with about 1000 rules that you don't need. Also,
> when you have a default policy of DENY, you do not have to then go ahead and
> specifically deny everything (including subnets that cannot be routed to begin
> with). By putting this much garbage into an ipchains script, you increase the
> chances of making a hole where there shouldn't be. Also, his instructions are
> horrible. You are better off reading the actual Firewall-HOWTO. Not to mention
> the fact that he completely ignores the fact that you may have to patch your
> kernel in order to do certain things.
>
> All in all, I find his tools, his writing, and his claims of expertise to be
> insufficient, inadequate, and detrimental to network security. The argument
> that I hear the most in his defence is "Well, it's good for beginners". My
> answer to that is "*NO IT CERTAINLY IS NOT!!!*". It is NEVER good for a beginner
> to learn the wrong way to do things, and it is never good for a beginner to
> think that the wrong, inadequate, and insecure ways of one person are the
> correct ways. That beginner then has a false sense of knowledge, and they
> begin to rely on these things rather than ever learn the correct ways. Not to
> mention, when they come to the realization that what they know isn't good
> enough, they have to start all over from the beginning. So, in reality, it is
> *NOT* good for beginners.
>
> Just my NSHO,
> Kenny
>
> --
> Kenny Lussier
> Systems Administrator
> Mission Critical Linux
> ******************************
> If at first you don't succeed,
> destroy all evidence that you
> tried
> ******************************
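Kenny's point about explicit denies under a default DENY policy can be checked mechanically. The following is an added example, not a script from the thread, Trinity OS or Ziegler's tool: it models an ipchains input chain with first-match semantics (a rule is a source network, optional protocol, optional destination port and a target) and flags the DENY rules that can never change a verdict because no later ACCEPT could match the same packet. The chain and packets are constructed for illustration.

```python
import ipaddress

# Simplified first-match model of an ipchains chain: the first rule that
# matches decides, otherwise the chain's default policy applies.
def evaluate(rules, policy, packet):
    src = ipaddress.ip_address(packet["src"])
    for net, proto, dport, target in rules:
        if (src in ipaddress.ip_network(net)
                and proto in (None, packet["proto"])
                and dport in (None, packet["dport"])):
            return target
    return policy

def _overlap(a, b):
    """Could one packet match both rules?  (None acts as a wildcard.)"""
    (na, pa, da, _), (nb, pb, db, _) = a, b
    return (ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb))
            and (pa is None or pb is None or pa == pb)
            and (da is None or db is None or da == db))

def redundant_denies(rules, policy="DENY"):
    """Indices of DENY rules that are dead weight: with a default DENY
    policy an explicit DENY only matters if a later ACCEPT could match
    the same packet, otherwise the policy would have dropped it anyway."""
    if policy != "DENY":
        return []
    dead = []
    for i, rule in enumerate(rules):
        if rule[3] != "DENY":
            continue
        later_accepts = [r for r in rules[i + 1:] if r[3] == "ACCEPT"]
        if not any(_overlap(rule, r) for r in later_accepts):
            dead.append(i)
    return dead

def strip_dead(rules, policy="DENY"):
    """The same chain with the redundant DENYs removed; verdicts are unchanged."""
    dead = set(redundant_denies(rules, policy))
    return [r for i, r in enumerate(rules) if i not in dead]

# Constructed chain: default DENY, two needed ACCEPTs, three explicit DENYs.
CHAIN = [
    ("10.0.0.0/8", None, None, "DENY"),       # 0: shadows the port-80 ACCEPT, so it matters
    ("0.0.0.0/0", "tcp", 23, "DENY"),         # 1: nothing ACCEPTs telnet anyway -> dead
    ("0.0.0.0/0", "udp", None, "DENY"),       # 2: nothing ACCEPTs udp anyway -> dead
    ("203.0.113.0/24", "tcp", 22, "ACCEPT"),  # 3: ssh from the admin network
    ("0.0.0.0/0", "tcp", 80, "ACCEPT"),       # 4: http from anywhere
]

if __name__ == "__main__":
    print("dead rules:", redundant_denies(CHAIN))  # [1, 2]
    print(evaluate(CHAIN, "DENY", {"src": "10.1.2.3", "proto": "tcp", "dport": 80}))  # DENY
```

Rule 0 is kept because it changes the answer for a packet the port-80 ACCEPT would otherwise let through; rules 1 and 2 only restate the default policy, which is the kind of clutter that makes a real hole harder to spot.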
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************