Hi Tom & list,

> If you understand enough to create your own secure firewall using iptables,
> then I'm amazed that you feel the need to post on a mailing list to learn
> how to omit one small package (Shorewall) from a simple floppy-based Linux
> distribution (Bering). Nevertheless, I offer my (tongue in cheek) help:

I read somewhere that Shorewall was not capable of being removed from Bering. Unfortunately I couldn't locate this post in a quick few minutes. I checked the Bering documentation and didn't find a reference, therefore I'm pretty sure this was found through Google (archive of this mailing list?). I hope that, knowing what was on my mind re: the shorewall package, you understand where I was coming from a little more.

> a) Remove the shorewall package from syslinux.cfg
> b) Remove shorwall.lrp from your floppy/CF/IDE image.
> c) Develop your own .lrp package that is secure and easy to configure in
> the face of changing firewalling/gateway requirements.

I am thinking of using an lrp located at http://leaf.sourceforge.net/devel/jnilo/bering/latest/contrib/: the iptables save & restore functionality. Does anyone know if this lrp provides an init.d startup of old iptables rules? If it doesn't, I would imagine I'll have to create a separate "iptstart.lrp" or something similar.

> If you think that the above two steps are trivial, browse the LEAF and
> Shorewall list archives.

I am in the process of creating/submitting a package that provides VRRP functionality for LRP called Keepalived (http://www.keepalived.org/), so yes, I know lrps aren't easy. I'm sure Shorewall is great for most people, but I'm looking for something to use in BGP Linux routers booting off of CF-IDE/flash media.

> h) Submit your package to 1000s of people on the internet over a period of
> 12 to 18 months to validate its flexibility, usability and security.
> i) Use what you learn in that 12 to 18 month period to improve your package
> to make it more flexible, easier to use and more secure.

I'll submit what I have when I have completed it. If people find it useful and have suggestions I'll try to help in whatever way I can. It would be nice to have such fame that 1000s of people would download it, but I bet the only ones that download it are me and a few other Linux flash router people. ;)

> You're right -- it is so simple that I can't understand why anyone
> struggles "with learning shorewall on these systems"... :-)

Lol. Well, it is very important for my company to use existing setups & concepts where possible. I looked at Shorewall and it doesn't seem to offer any significant advantage for my company other than being pre-integrated into LRP. Why should I learn a new firewall system if we already have iptables working and "under the belt"? More importantly, why should I create documentation for the rest of the people here and then force them to learn this system? It seems that in my case Shorewall is a program that introduces a very good potential for human error and adds complexity to a project that doesn't need more complexity. In this project KISS is my motto. Again, we're talking about my case only. I'm sure 99.9999% of the people are different and Shorewall is good for them.

Thank you very much for your response & time!

Peter
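The init.d-style startup of saved iptables rules that the message asks about, written here as an added example for this page (it is not the contrib lrp, Shorewall, or any LEAF project code). It assumes the dump lives at /etc/iptables.rules, that the standard iptables-save/iptables-restore tools are on the image, and the fail-closed fallback policy is an assumption of this example; the validation step guards against a dump truncated by a power loss while the flash media was being written.

```shell
#!/bin/sh
# Hypothetical /etc/init.d/iptstart for a flash-booted LEAF/Bering router
# (added example; the rules path and the fail-closed fallback are assumptions).
RULES="${RULES:-/etc/iptables.rules}"

# Validate an iptables-save dump before handing it to iptables-restore.
# A reboot or power loss while the flash image was being written can leave a
# truncated dump; iptables-restore would then abort part way and the router
# could come up with a half-loaded ruleset. Returns 0 only if every table
# block (*filter, *nat, ...) is closed by its own COMMIT.
ipt_rules_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    # the last non-comment, non-blank line must be COMMIT
    last=$(grep -v '^#' "$f" | sed '/^$/d' | tail -n 1)
    [ "$last" = "COMMIT" ]
}

# Fallback used when the dump is unusable: accept loopback only, drop the rest,
# so a corrupt file never leaves the router open (assumed policy for this example).
ipt_failclosed() {
    iptables -F && iptables -X
    iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
}

ipt_start() {
    if ! ipt_rules_valid "$RULES"; then
        echo "iptstart: $RULES missing or truncated, failing closed" >&2
        ipt_failclosed
        return 1
    fi
    iptables-restore < "$RULES"
}

# Save atomically: write a temp file, then rename, so the dump on the flash
# media is always either the old complete file or the new complete file.
ipt_save() {
    iptables-save > "$RULES.tmp" && mv "$RULES.tmp" "$RULES"
}

# Dispatch only when invoked with an argument (start at boot, save by hand).
case "${1:-}" in
    start) ipt_start ;;
    save)  ipt_save ;;
esac
```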