> On 2008-01-23 09:19:01, William Twomey wrote:
> > It's my understanding (and experience) that a Debian system by default
> > is vulnerable to SYN flooding (at least when running services) and other
> > such mischief. I was curious as to why tcp_syncookies (and similar
> > things) are not enabled by default.
>
> Hmm, in three months I will have been using Debian GNU/Linux for 9 years
> and was never SYN-flooded or hacked, and currently I am maintaining a
> worldwide network of 280 servers and over 900 workstations...
>
> And I have services running, but at least only those which are REALLY
> required and not more.
>
> > Many distros (RPM-based mostly from my experience) ask you during the
> > install if you'd like to enable firewall protection. I was curious if
> > debian was ever going to have this as an option?
>
> Sorry, but Debian is NOT an "install and do not ask questions" distro.
> Here, the $USER has the choice of a couple of different firewall
> solutions and some $USER may use only an $EDITOR and hack some ipt
> lines down.
>
> > One solution could be to have a folder called /etc/security/iptables
> > that contains files that get passed to iptables at startup (in the same
> > way /etc/rc2.d gets read in numeric order). So you could have files like
> > 22ssh, 23ftp, etc. with iptable rules in each file. You could also have
> > an 'ENABLED' variable like some files in /etc/default have (so that
> > ports wouldn't be opened by default; the user would have to manually
> > enable them for the port to be opened).
> >
> > Then they'd just run /etc/init.d/iptables restart and the port would be
> > opened (flush the rules, reapply).
>
> Nice idea, but not flexible enough since it CAN conflict with most
> firewall solutions.
>
> > Even a central iptables-save format file that gets passed to iptables at
> > startup would be nice. It's easy enough to do manually, but would be
> > nice to see integrated with debian itself (packages managing their own
> > rules, etc.).
>
> But for most firewall solutions not usable...
>
> I have already tried the ipt-save/restore stuff on my routers but it
> drove me crazy...
>
> > Is debian ever going to introduce a better way of having iptables rules
> > be run at startup and easily saved/managed, or will this always be a
> > manual process?
>
> I think not.
>
> Thanks, Greetings and nice Day
>    Michelle Konzack
>    Systemadministrator
>    Tamay Dogan Network
>    Debian GNU/Linux Consultant
>
>
> --


What about Firestarter (www.fs-security.com)? Is it a good solution for a
personal-use firewall?

-Ferg @ www.FergSoft.com
USMC
Linux User #463470 at counter.li.org
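
The fragment-directory scheme William Twomey proposes in the quoted text, sketched as an added example that is not part of this thread or of any Debian package. The fragment format, the function names `build_ruleset` and `demo`, and the sample files are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: build one iptables-restore ruleset from numbered fragments.
# Fragment format (an assumption of this sketch; the thread defines none):
#   ENABLED=yes|no     opt-in switch, anything other than "yes" is skipped
#   -A INPUT ...       one filter-table rule per remaining line

build_ruleset() {
    local dir=$1 frag line
    # Default-deny header: nothing is open unless a fragment enables it.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Glob expansion is sorted, so 22ssh is read before 23ftp, like /etc/rc2.d.
    for frag in "$dir"/[0-9][0-9]*; do
        [ -f "$frag" ] || continue
        # Parse instead of sourcing, so a fragment cannot run commands as root.
        grep -qx 'ENABLED=yes' "$frag" || continue
        echo "# from ${frag##*/}"
        while IFS= read -r line; do
            case $line in
                '-A INPUT '*|'-A OUTPUT '*|'-A FORWARD '*) printf '%s\n' "$line" ;;
                ''|'#'*|ENABLED=*) ;;
                *) echo "rejected line in $frag: $line" >&2; return 1 ;;
            esac
        done < "$frag"
    done
    echo COMMIT
}

# Dry run over constructed sample fragments (no root, iptables is not called).
demo() {
    local d rc
    d=$(mktemp -d)
    printf '%s\n' 'ENABLED=yes' '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$d/22ssh"
    printf '%s\n' 'ENABLED=no'  '-A INPUT -p tcp --dport 21 -j ACCEPT' > "$d/23ftp"
    build_ruleset "$d"; rc=$?
    rm -rf "$d"
    return $rc
}
```

The generated text can be checked with `iptables-restore --test` before loading it; without `--noflush`, `iptables-restore` replaces the current rules of the table it loads, which corresponds to the flush-and-reapply step in the proposal.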
