On Wed, 2004-04-07 at 12:49, Arlie Capps wrote:
> I've set up iptables and ipfilter packet filters. Maybe I just have an
> ignorantly high estimation of my own skillz and knowledge, but I'm not sure
> I see how much more value these packages add, besides saving the user time
> spent learning how to put together a firewall. For some people, that time
> saved makes the canned product well worth using of itself. I'm not
> disputing that. I would just like to know what the improvement in _quality_
> is when I stop using my handwritten rules and start using (say) shorewall.
> What sayst thou, Andrew?
I say that the average iptables newbie doesn't have a clue what to block and what not to and will get upset when their applications (games?) don't work and they have to go googling for hours to find out how to fix it. I can't speak for shorewall, but if it's any good it has options for things like "Allow DirectPlay to this IP" or more importantly "Allow BitTorrent".

You want to close down everything at first of course, and that's relatively easy and probably secure, but eventually you want to allow this and that, which is where the difficulty starts. Most newbies will also assume that blocking all incoming is all they need to do, which is almost never true.

____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
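The reply's two points, "close down everything at first" and "blocking all incoming is almost never enough", can be shown in a handwritten ruleset. The script below is an added example written for this page, not code from either poster or from shorewall. It assumes a single host (no forwarding), an `iptables` with the `state` match, and constructed sample port lists (ssh in; dns, http, https, ntp out) that a reader would replace with their own. Setting `IPT` to `echo iptables` prints the rules instead of applying them, so the shape of the ruleset can be checked without root.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a single host.
# Every chain starts at DROP, including OUTPUT, so it is not just "block incoming".
# IPT defaults to the real binary; IPT="echo iptables" gives a dry run.
IPT="${IPT:-iptables}"

# Constructed sample policy; adjust these lists for the host in question.
ALLOW_IN_TCP="22"            # inbound new connections: ssh only
ALLOW_OUT_TCP="53 80 443"    # outbound new connections: dns, http, https
ALLOW_OUT_UDP="53 123"       # outbound new connections: dns, ntp

apply_rules() {
    # 1. Flush and close every chain. FORWARD and OUTPUT are closed too:
    #    a process that should not be talking to the network cannot, and the
    #    box does not route for anyone by accident.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # 2. Loopback is needed by almost everything running locally.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 3. Stateful allows: replies to connections already accepted below.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Explicit inbound services (new connections only).
    for p in $ALLOW_IN_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # 5. Explicit outbound services. This is the part that gets skipped when
    #    someone assumes inbound filtering is the whole job.
    for p in $ALLOW_OUT_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOW_OUT_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # 6. Log (rate-limited) whatever falls through to the DROP policy, so a
    #    broken application shows up in the kernel log rather than in hours of
    #    searching for which port it wanted.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
}

# Dry run in a subshell: prints the iptables commands that would be executed.
dry_run() {
    ( IPT="echo iptables"; apply_rules )
}

# Only act when asked; sourcing the file defines the functions and does nothing.
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) dry_run ;;
esac
```

Run `sh fw.sh dry-run` to review the 17 generated rules, and `sh fw.sh apply` as root to load them. Adding an application later means adding one port to the matching list and re-running, which is the manual equivalent of the "Allow X" options the reply expects a tool like shorewall to offer.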
