Re: Firewall Utilities
On Sat, Nov 15, 2008 at 01:59:43PM -0500, Tom Allison wrote:
> For about ten years I've been writing my own firewall directives and today I started setting up a new firewall box. For the past year I've been using ipcop, but they have some characteristics that I didn't care for.
>
> After this I think I am left with a few options:
> ferm
> shorewall
> arno-iptables-firewall

I use shorewall. No GUI. Great doc in shorewall-doc. You can use it for everything from simple to whatever, as your needs change. Config with various simple files in /etc/shorewall/.

doug.
Re: Firewall Utilities
FireHOL is great too!

Douglas A. Tutty wrote:
> On Sat, Nov 15, 2008 at 01:59:43PM -0500, Tom Allison wrote:
>> For about ten years I've been writing my own firewall directives and today I started setting up a new firewall box. For the past year I've been using ipcop, but they have some characteristics that I didn't care for.
>>
>> After this I think I am left with a few options:
>> ferm
>> shorewall
>> arno-iptables-firewall
>
> I use shorewall. No GUI. Great doc in shorewall-doc. You can use it for everything from simple to whatever, as your needs change. Config with various simple files in /etc/shorewall/.
>
> doug.

--
Jerome BENOIT
jgmbenoit_at_mailsnare_dot_net
Re: Firewall Utilities
On Sat, Nov 15, 2008 at 06:56:48PM -0500, Douglas A. Tutty wrote:
> On Sat, Nov 15, 2008 at 01:59:43PM -0500, Tom Allison wrote:
>> For about ten years I've been writing my own firewall directives and today I started setting up a new firewall box. For the past year I've been using ipcop, but they have some characteristics that I didn't care for.
>>
>> After this I think I am left with a few options:
>> ferm
>> shorewall
>> arno-iptables-firewall
>
> I use shorewall. No GUI. Great doc in shorewall-doc. You can use it for everything from simple to whatever, as your needs change. Config with various simple files in /etc/shorewall/.
>
> doug.

I'm using Shorewall now, just switched over from pure iptables (which was a b*tch to keep up with). Do you know of any reliable way to make sure my firewall is working? I'm behind a router so I don't think any of those TCP scanning sites would work.

--
Follow my Tweets at http://twitter.com/pobega
Re: Firewall Utilities
On Mon, 2008-11-17 at 00:10 +0800, Jerome BENOIT wrote:
> FireHOL is great too!

Anyone work with firestarter?

Kenward
Re: Firewall Utilities
On Sun, 2008-11-16 at 08:52 -0800, Kenward Vaughan wrote:
> On Mon, 2008-11-17 at 00:10 +0800, Jerome BENOIT wrote:
>> FireHOL is great too!
>
> Anyone work with firestarter?

Sorry about the post... I did not see the originals and had this question in mind at the moment. Now I see I probably should have started a new thread as the OP wasn't even interested in a GUI app.

My apologies again!

Kenward
Re: Firewall Utilities
Jerome BENOIT wrote:
> FireHOL is great too!

Can you elaborate a little bit on pro/cons?

Right now I'm trying to get through shorewall docs and it's OK but they could use a better initiation/orientation starting point. I'm only now grasping the different roles that zone/policy/rule play.
Re: Firewall Utilities
On Sunday 16 November 2008 12:00, Michael Pobega wrote:
> Do you know of any reliable way to make sure my firewall is working? I'm behind a router so I don't think any of those TCP scanning sites would work.

nmap from various locations is my general testing procedure. There might be more aggressive scanners available as well.

--
Boyd Stephen Smith Jr.
http://iguanasuicide.org/
Re: Firewall Utilities
On Sun, Nov 16, 2008 at 05:59:50PM -0600, Boyd Stephen Smith Jr. wrote:
> On Sunday 16 November 2008 12:00, Michael Pobega wrote:
>> Do you know of any reliable way to make sure my firewall is working? I'm behind a router so I don't think any of those TCP scanning sites would work.
>
> nmap from various locations is my general testing procedure. There might be more aggressive scanners available as well.

Thank you so much, I was trying to remember nmap's name for the whole day. Would doing it from one laptop to this one over LAN be enough of a check?

--
Follow my Tweets at http://twitter.com/pobega
Re: Firewall Utilities
Michael Pobega wrote:
> On Sun, Nov 16, 2008 at 05:59:50PM -0600, Boyd Stephen Smith Jr. wrote:
>> On Sunday 16 November 2008 12:00, Michael Pobega wrote:
>>> Do you know of any reliable way to make sure my firewall is working? I'm behind a router so I don't think any of those TCP scanning sites would work.
>>
>> nmap from various locations is my general testing procedure. There might be more aggressive scanners available as well.
>
> Thank you so much, I was trying to remember nmap's name for the whole day. Would doing it from one laptop to this one over LAN be enough of a check?

One option would be to isolate your firewall from the internet and then:

- plug in the firewall network port into a switch and scan it from other computers on the switch subnet.
- plug in the rest of the ports in sequence and scan each of them.

Alternatively, if you have enough ports, plug them all into a switch and just scan them all.

It should give you a pretty good idea what your firewall will respond to.
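Added example, not part of any message in this thread: one way to turn the per-interface nmap scans suggested above into a repeatable check is to save each scan in nmap's grepable format (`-oG`) and compare the open ports against what each interface is meant to expose. The addresses, the expected-port policy and the function names `parse_grepable` and `audit` are constructed for illustration.

```python
# Constructed sample of nmap -oG output, one "Host:" line per firewall
# interface scanned. Addresses are documentation ranges, not from the thread.
SAMPLE_SCAN = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, "
    "111/open/tcp//rpcbind///\tIgnored State: closed (997)\n"
    "Host: 198.51.100.1 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///"
    "\tIgnored State: filtered (998)\n"
)

# Assumed policy: what each interface is *supposed* to answer on.
EXPECTED_OPEN = {
    "192.0.2.1": {(22, "tcp"), (80, "tcp")},  # inside interface
    "198.51.100.1": set(),                    # outside interface: nothing
}


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap -oG output."""
    scan = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if not fields[0].startswith("Host:"):
            continue  # comment lines start with '#'
        host = fields[0].split()[1]
        for field in (f for f in fields[1:] if f.startswith("Ports:")):
            for entry in field[len("Ports:"):].split(","):
                port, state, proto = entry.strip().split("/")[:3]
                scan.setdefault(host, {})[(int(port), proto)] = state
    return scan


def audit(scan, expected_open):
    """List every difference between observed and intended open ports."""
    findings = []
    for host in sorted(expected_open):
        seen = scan.get(host, {})
        is_open = {key for key, state in seen.items() if state == "open"}
        for port, proto in sorted(is_open - expected_open[host]):
            findings.append((host, port, proto, "unexpected open"))
        for port, proto in sorted(expected_open[host] - is_open):
            state = seen.get((port, proto), "not listed")
            findings.append((host, port, proto, "expected open, saw " + state))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_grepable(SAMPLE_SCAN), EXPECTED_OPEN):
        print(*finding)
```

An empty findings list means the scanned interfaces answered exactly as the policy intends; rerun the scan and the audit after every rule change.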
Re: Firewall Utilities
Hello List,

FireHOL is well documented, it is written in bash, it is intuitive to configure and to maintain, and it comes with options that produce a template for your current box, that allow you to check your configuration, and to read the effective iptables. Furthermore, it is maintained.

The cons: it is written in bash: no GUI (I do not care because I prefer scripts), and obviously bash must be installed (which is easy to get on a regular box, but not on an embedded box such as a router).

For further details: firehol.sourceforge.net

I use it on my (Debian Lenny) laptop and for a (Debian Etch) cluster (number cruncher).

hth,
Jerome

Tom Allison wrote:
> Jerome BENOIT wrote:
>> FireHOL is great too!
>
> Can you elaborate a little bit on pro/cons?
>
> Right now I'm trying to get through shorewall docs and it's OK but they could use a better initiation/orientation starting point. I'm only now grasping the different roles that zone/policy/rule play.

--
Jerome BENOIT
jgmbenoit_at_mailsnare_dot_net
Re: Firewall Utilities
On Sat, 15 Nov 2008 13:59:43 -0500 Tom Allison wrote:
> ...
>
> I noticed that there are a number of iptable management utilities in the Debian arsenal of cool stuff.
>
> First - I have no interest in installation of a GUI front end on my firewall. It's a headless box and I want to be able to maintain it as such. This removes some of the firewall utilities because they appear to be GUI tools.
>
> After this I think I am left with a few options:
> ferm
> shorewall
> arno-iptables-firewall
>
> ...
>
> My needs are relatively simple today with options going forward: basic home firewall without a DMZ (this I can do by hand). But I want options for expanding this into a VPN supported firewall with a DMZ, LAN, and respective port forwarding. Even with all of this, I still consider it relatively simple as all traffic is going in/out through the same IP/interfaces and I am not, as yet, using anything like socks authentication.

Shorewall. It can do anything, although I only use it for very basic stuff. It is widely used, and it has excellent, comprehensive documentation. I am not an expert, though.

Celejar