Mark;
Thank you for not overstating the obvious! However, as I had mentioned in my initial post, it was my opinion, not the opinion of all users of PMFirewall. That having been repeated now, I'd like to point out that ipchains takes only 3 lines of text (at least for the networks that I maintain) to protect the average network (I know, I know, here come the flames again!), whereas there are several configurations to be done with PMfirewall. My opinions are, of course, based on my experiences, and as such I have no compunctions about "sticking to my guns".

I should point out that until about 4 weeks ago, I thought PMfirewall was the "best-built mousetrap" when it comes to firewall programs, and that I rarely used ipchains directly. However, after our LUG (Linux Users Group) ran some tests on several networks, we found quite a few ports open on what were supposed to be secure systems, and that in each case, PMfirewall was the culprit! As outraged as the proponents of PMfirewall may be to hear this, it is the truth. I went through all the inetd files/folders to find the services which were causing the problems, and one of the guilty parties was PMfirewall. After uninstalling it, and running a manual configuration of ipchains, ALL the previously open/filtered ports were not just in "Stealth" mode, but totally closed down, as in undetectable by port scanners, period.

I have no doubt that others may find PMfirewall to run better than I did, but if in fact it needs additional configuration after the initial install and configuration, why doesn't it say so? The initial install/setup/config walks the user thru each item step-by-step, and offers to close specific ports, and any other ports you desire. Is it safe to assume therefore that if I chose to close ALL ports, that they would be closed, or not?

One thing you may or may not know, Mark, is that PMfirewall closes some ports, but "Filters" other ports. That means that a good hacker can find his way thru them suckers and still cause some damage. I don't know about you, but I'm not prepared to take that chance. At least not with my clients' networks. I can't afford to. And I'm not the only one. The guys in my LUG handle network security and administration for large companies, and they aren't prepared to take chances either!
If PMfirewall is only going to "Filter" ports (i.e., Ports # 139, 443, 631, etc.), it's not good enough. The fact that it doesn't tell you this during the configuration is also misleading.

And you're right, Mark... It's not a Windows program, it's a Linux/Unix program. By default, it should therefore be a MUCH BETTER program!!! I'm a rock-solid believer in this stuff (fanatical, you might say!). I'm promoting Linux every which-way that I can. But for the new user, depending on PMfirewall to protect their PC or network would seem to be foolhardy at best. It shouldn't filter ports, it should take them out of existence! Since, as you mentioned, PMfirewall uses ipchains, doesn't it make more sense to "Go to the Source" and just use ipchains??

Anyway, enough said. A word of advice though... never offer an opinion to this group when you're trying to quit smoking! I should've known better!

Dan LaBine
Registered Linux User #190712