On Fri, 2011-02-18 at 20:25 -0600, Paul Boniol wrote:

> Also, I was brought up custom coding an ipchains script (which I
> directly translated to iptables) to specify as exactly as possible
> what source/destination/ports were allowed in and out, and deny all
> other traffic. A lot of distros have pre-configured firewalls now.
> iptables has a lot of advancements that would probably make things
> shorter, but I haven't looked at the default firewall or changing my
> script much because my old script still works fine and is very secure.
> Are the default firewalls good (with customizations) or are they just
> good enough effort until you can get a custom written firewall in
> place?

No, they're pretty much "good enough" since they're all frontends to iptables. The one not-so-trivial issue with any of them (and it's not even their fault) is still the way the kernel handles ARP, and that requires a kernel patch.

You basically just need the default drop rule, a bit of shell script to load all the ipt_ modules (just in case), a catch-all for --state ESTABLISHED,RELATED, and then the few odd --state NEW holes for each service you actually want the box to serve. Tarpitting the Chinese off of your sshd is only a matter of five or six slightly esoteric lines. Things have come a looong way since ipchains, man.

> Debian - I tried it, very roughly around 2002. I had trouble
> remembering how to use its (text based) package management (and
> getting out of trouble if I pressed the wrong key) so I went back to a
> RPM distro.

It's been supplanted by Ubuntu, which is "Debian for people who can't be arsed".

> Ubuntu - I haven't used it much recently so it may have improved, but
> I got very tired of having to put in my password every time I switched
> administrative applications.

1. That's not specifically an Ubuntu thing.
2. I think pretty much everyone's (including Ubuntu) PAM config now caches that you auth'd up for about five minutes, so you don't have to keep retyping it.

-- 
You received this message because you are subscribed to the Google Groups "NLUG" group.
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
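The rule set the reply sketches (default DROP, module loading "just in case", the ESTABLISHED,RELATED catch-all, a NEW hole per served port, and a throttle on sshd) written out as a script; this is an added example, not code from the thread or the list. The served-port list, the throttle thresholds, and the use of the standard `recent` match in place of TARPIT (which needs xtables-addons) are assumptions.

```shell
#!/bin/sh
# Stateful host firewall in the shape the reply describes: default DROP,
# modules loaded "just in case", one ESTABLISHED,RELATED catch-all, a NEW
# hole per served port.  Ports and throttle thresholds are assumptions.
set -e
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of loading them
MODPROBE="${MODPROBE:-modprobe}"
SERVICES="${SERVICES:-80 443}"  # TCP ports besides ssh this box serves (assumed)
SSH_PORT="${SSH_PORT:-22}"

load_modules() {
    # older kernels name these ipt_*, newer ones xt_*; ignore whichever is absent
    for m in ip_tables iptable_filter nf_conntrack ipt_state xt_state xt_recent xt_limit; do
        "$MODPROBE" "$m" 2>/dev/null || true
    done
}

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # the catch-all: packets belonging to a connection already allowed
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # ssh: note each new connection per source, then drop a source that has
    # opened 4 or more in 60 s (standard recent match; TARPIT needs xtables-addons)
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
         -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # the few odd NEW holes, one per served port
    for p in $SERVICES; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # log what falls through to the default DROP, rate-limited so a scan can't flood syslog
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# how many INPUT rules a dry run emits; a quick sanity check before applying for real
rule_count() {
    ( IPT=echo; apply_rules ) | grep -c -- '-A INPUT'
}

if [ "${1:-}" = "apply" ]; then
    load_modules
    apply_rules
fi
```

Run `IPT=echo sh firewall.sh apply` first to review the generated rules, then `sh firewall.sh apply` as root to load them.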
