/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */



Thanks for the "review,"

It is _very_ much appreciated -- I'm slowly gaining knowledge on IP CHAINS
and my end goal is to be able to successfully set up a _very_ secure server
just to say I did [and of course keep my LAN safe].

Also, are you implying the rules in TrinityOS are very anal, if you will?
How would you deem security using the IP CHAINS rules in your TrinityOS?
Looks like the guy didn't steal enough from you to make his script
worthwhile. ;-)  BTW, where did the name TrinityOS come from?

Also, another quick question.  I heard that the next release of Red Hat will
not use IP CHAINS anymore but something else.  Can you confirm or deny this
rumor?

Thanks again for your help -- it is appreciated very much.

Pankaj Arora
http://www.paware.com/

----- Original Message -----
From: David A. Ranch <[EMAIL PROTECTED]>
To: Pankaj Arora <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, September 12, 1999 2:55 PM
Subject: Re: [Masq] IP MASQ Script


> >What do you guys think of this:  http://www.nerdherd.net/ipchains/ ?
>
> Wow..
>
> This ruleset looks very similar to TrinityOS in terms of syntax, some
> of the explicit rulesets, etc.  That kinda sucks but it's a free world.
> Anyway,
>
> - The ruleset does NOT set all the policies up front
> - The ruleset ordering is very odd.
>
> - The ruleset sets the INPUT policy to DENY and not REJECT
> - The ruleset sets the OUTPUT policy to ACCEPT.  Bad.
>
> - The ruleset does not do HIGH PORT SYN checking. Bad.
>
> - The ruleset only covers some explicit INPUT traffic types
>   like SMB, SQL, NFS, X (starts at port 5999?), but not
>   others
>
> - The ruleset doesn't cover explicit traffic types on
>   the OUTPUT interface.  I've definitely covered my
>   butt by using OUTPUT ruleset filtering.  Namely
>   remote winsock traffic.
>
> - The ruleset DOES support TOS.  That's cool!
>
>
> Beyond that.. the ruleset looks decent but it isn't anal.  I like
> anal rulesets.  Your pick.  It's definitely better than NO rulesets.
>
> --David
>
>
>
> .----------------------------------------------------------------------------.
> |  David A. Ranch - Linux/Networking/PC hardware          [EMAIL PROTECTED]  |
> `----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
>
> _______________________________________________
> Masq maillist  -  [EMAIL PROTECTED]
> Admin requests can be handled at http://www.indyramp.com/masq-list/
> or email to [EMAIL PROTECTED]
>
> PLEASE read the HOWTO and search the archives before posting.
> You can start your search at http://www.indyramp.com/masq/
> Please keep general linux/unix/pc/internet questions off the list.
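
An added example, not part of the original messages and not TrinityOS code: a small Python linter that checks an ipchains script against the review points listed in the quoted reply (policies set up front, INPUT policy DENY rather than REJECT, OUTPUT policy ACCEPT, no OUTPUT rules, no SYN matching on input). The sample script is constructed, the finding names are hypothetical, and "SYN checking" is assumed to mean any input-chain rule that uses `-y`/`--syn`.

```python
import shlex

CHAINS = ("input", "output", "forward")

# Constructed sample script for illustration; not the ruleset from the thread.
SAMPLE = """\
#!/bin/sh
EXTIF=eth0
ipchains -F
ipchains -P input DENY
ipchains -A input -i $EXTIF -p tcp -d 0/0 139 -j DENY -l
ipchains -P output ACCEPT
ipchains -A forward -s 192.168.0.0/24 -j MASQ
ipchains -P forward DENY
"""

def commands(script):
    """Yield (line number, argument list) for each ipchains call."""
    for n, line in enumerate(script.splitlines(), 1):
        try:
            argv = shlex.split(line, comments=True)
        except ValueError:      # unbalanced quotes: not a plain command line
            continue
        if argv and argv[0].split("/")[-1] == "ipchains":
            yield n, argv[1:]

def audit(script):
    """Return sorted finding codes (hypothetical names) for the review points."""
    policy, rules, first_rule, found = {}, {c: [] for c in CHAINS}, None, set()
    for n, args in commands(script):
        if len(args) >= 3 and args[0] == "-P":
            policy[args[1]] = args[2]
            if first_rule is not None:
                found.add("policy-after-rules")   # policies not set up front
        elif len(args) >= 2 and args[0] in ("-A", "-I"):
            rules.setdefault(args[1], []).append(args)
            first_rule = first_rule or n
    if any(c not in policy for c in CHAINS):
        found.add("policy-missing")
    if policy.get("input") == "DENY":
        found.add("input-policy-deny")            # the review prefers REJECT
    if policy.get("output") == "ACCEPT":
        found.add("output-policy-accept")
    if not rules["output"]:
        found.add("no-output-rules")
    # Assumption: "SYN checking" = some input rule uses the SYN match (-y / --syn).
    if not any("-y" in r or "--syn" in r for r in rules["input"]):
        found.add("no-input-syn-rule")
    return sorted(found)
```

Calling `audit(SAMPLE)` returns every finding code for the constructed script; an empty list means none of the listed review points were triggered.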

