Mark,
Thank you for not overstating the obvious! However, as I had mentioned
in my initial post, it was my opinion, not the opinion of all users of
PMFirewall. That having been repeated now, I'd like to point out that
ipchains takes only 3 lines of text (at least for the networks that I
maintain) to protect the average network (I know, I know, here come the
flames again!), whereas there are several configurations to be done with
PMfirewall. My opinions are, of course, based on my experiences, and as such
I have no compunctions about "sticking to my guns". I should point out that
until about 4 weeks ago, I thought PMfirewall was the "best-built mousetrap",
when it comes to firewall programs, and that I rarely used ipchains directly.
However, after our LUG (Linux Users Group) ran some tests on several
networks, we found quite a few ports open on what were supposed to be secure
systems, and that in each case, PMfirewall was the culprit! As outraged as
the proponents of PMfirewall may be to hear this, it is the truth. I went
through all the inetd files/folders to find the services which were causing
the problems, and one of the guilty parties was PMfirewall. After
uninstalling it, and running a manual configuration of ipchains, ALL the
previously open ports were not just in "Stealth" mode (Can you say
Filtered??), but totally closed down, as in undetectable by port scanners,
period. I have no doubt that others may find PMfirewall to run better than I
did, but if in fact it needs additional configuration after the initial
install and configuration, why doesn't it say so? The initial
install/setup/config walks the user thru each item step-by-step, and offers
to close specific ports, and any other ports you desire. Is it safe to assume
therefore that if I chose to close ALL ports, that they would be closed, or
not? One thing you may or may not know, Mark, is that PMfirewall closes some
ports, but "Filters" other ports. That means that a good hacker can find his
way thru them suckers and still cause some damage. I don't know about you,
but I'm not prepared to take that chance. At least not with my clients'
networks. I can't afford to. And I'm not the only one. The guys in my LUG
handle network security and administration for large companies, and they
aren't prepared to take chances either! If PMfirewall is only going to
"Filter" ports (i.e., ports 139, 443, 631, etc.), it's not good enough. The
fact that it doesn't tell you this during the configuration is also
misleading. And you're right, Mark... it's not a Windows program, it's a
Linux/Unix program. By default, it should therefore be a MUCH BETTER
program!!! I'm a rock-solid believer in this stuff (fanatical, you might
say!). I'm promoting Linux every which way that I can. But for the new user,
depending on PMfirewall to protect their PC or network would seem to be
foolhardy at best. It shouldn't filter ports, it should take them out of
existence! Since, as you mentioned, PMfirewall uses ipchains, doesn't it make
more sense to "Go to the Source" and just use ipchains?? Anyway, enough said.
Word of advice... never offer an opinion to this group when you're trying to
quit smoking! I should've known better!
--
Dan LaBine
Registered Linux User #190712