/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
>What do you guys think of this: http://www.nerdherd.net/ipchains/ ?
Wow..
This ruleset looks very similar to TrinityOS in terms of syntax, some
of the explicit rulesets, etc. That kinda sucks but it's a free world.
Anyway,
- The ruleset does NOT set all the policies up front
- The ruleset ordering is very odd.
- The ruleset sets the INPUT policy to DENY and not REJECT
- The ruleset sets the OUTPUT policy to ACCEPT. Bad.
- The ruleset does not do HIGH PORT SYN checking. Bad.
- The ruleset only covers some explicit INPUT traffic types
like SMB, SQL, NFS, X (starts at port 5999?), but not others
- The ruleset doesn't cover explicit traffic types on the
OUTPUT interface. I've definitely covered my butt by using
OUTPUT ruleset filtering. Namely remote winsock traffic.
- The ruleset DOES support TOS. That's cool!
Beyond that.. the ruleset looks decent but it isn't anal. I like
anal rulesets. Your pick. It's definitely better than NO rulesets.
--David
.----------------------------------------------------------------------------.
| David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED] |
!---- ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
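A minimal ipchains skeleton laid out the way the points in the post above ask for (policies first, REJECT rather than DENY, high-port SYN checking, explicit OUTPUT filtering, a TOS flag), as an added example and not code from the post, from TrinityOS or from the reviewed ruleset. The interface, address and the allowed services are assumed placeholders; the script only prints the commands when ipchains is not installed.

```shell
#!/bin/sh
# Added example, not from the post or the reviewed ruleset. Interface, address
# and the permitted services are constructed placeholders; adjust for the host.
EXTIF=eth0            # assumed external interface
EXTIP=192.0.2.10      # assumed external address (documentation range)

# Runs ipchains, or just prints the command when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

load_ruleset() {
    fw -F                          # flush old rules before touching policies
    # 1. Policies first, so nothing slips through while the rules are loading.
    #    REJECT (the post's preference over DENY) on all three chains.
    fw -P input REJECT
    fw -P output REJECT
    fw -P forward REJECT
    # 2. Loopback is always fine.
    fw -A input  -i lo -j ACCEPT
    fw -A output -i lo -j ACCEPT
    # 3. Explicit inbound services (assumed: ssh only).
    fw -A input -i "$EXTIF" -p tcp -s 0/0 -d "$EXTIP" 22 -j ACCEPT
    # 4. High-port SYN check: a new connection (-y = SYN only) aimed at the
    #    unprivileged range is rejected and logged (-l); replies to connections
    #    we opened ourselves (! -y) into that range are accepted.
    fw -A input -i "$EXTIF" -p tcp -y   -d "$EXTIP" 1024:65535 -j REJECT -l
    fw -A input -i "$EXTIF" -p tcp ! -y -d "$EXTIP" 1024:65535 -j ACCEPT
    fw -A input -i "$EXTIF" -p udp -s 0/0 53 -d "$EXTIP" 1024:65535 -j ACCEPT
    # 5. Explicit OUTPUT filtering: refuse SMB/NetBIOS leaving the box (logged),
    #    then permit only the client traffic we expect (assumed: http, ssh, dns).
    fw -A output -i "$EXTIF" -p tcp -s "$EXTIP" -d 0/0 137:139 -j REJECT -l
    fw -A output -i "$EXTIF" -p udp -s "$EXTIP" -d 0/0 137:139 -j REJECT -l
    fw -A output -i "$EXTIF" -p tcp -s "$EXTIP" -d 0/0 80 -j ACCEPT
    # -t 0x01 0x10 sets the minimum-delay TOS bit on interactive ssh traffic.
    fw -A output -i "$EXTIF" -p tcp -s "$EXTIP" -d 0/0 22 -j ACCEPT -t 0x01 0x10
    fw -A output -i "$EXTIF" -p udp -s "$EXTIP" -d 0/0 53 -j ACCEPT
    # Replies to the inbound ssh sessions accepted above must be let out too.
    fw -A output -i "$EXTIF" -p tcp ! -y -s "$EXTIP" 22 -d 0/0 -j ACCEPT
    # Everything else is logged on its way to the REJECT policy.
    fw -A input  -i "$EXTIF" -j REJECT -l
    fw -A output -i "$EXTIF" -j REJECT -l
}

# Load for real if ipchains is present, otherwise show what would be run.
if command -v ipchains >/dev/null 2>&1; then
    load_ruleset
else
    FW_DRY_RUN=1; load_ruleset
fi
```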
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.