On Fri, 2003-09-05 at 02:03, Frank Griffin wrote:
> J.A. Magallon wrote:
>
> >I think shorewall does something strange on update. I had shorewall installed
> >on a box, but not active. After an update with urpmi, the updated package
> >auto activated itself
> >
>
> Shorewall has become a major pain since sometime in the 8.2 - 9.0
> timeframe when somebody decided to make the default setting "pass
> absolutely nothing". Before that, I used to install and enable it just
> to see whether my firewall was doing a good job. Since then, I install
> it, but disable it, because I'm not willing to do the work to
> re-research which ports ought to be open and which oughtn't.
>
> It's interesting that when you use the MDK configuration tool for
> Shorewall and select "pass everything", MDK disables Shorewall
> completely. You can see this by selecting Shorewall during install and
> then selecting "pass everything" during Summary configuration. When you
> get back to Summary, you'll see "Firewall disabled", and the
> drakservices menu will show Shorewall with the "Start on Boot" checkbox
> unchecked.
>
> Frankly, if I want a firewall, then I want it configured with some
> intelligent choices which I can use as a base from which to work. I
> don't want to have to redo the research the authors did just to figure
> out what can be safely re-enabled.
>
> Just FYI, I've always used Standard security level, both before and
> after Shorewall became unusable out-of-the-box.

Block everything is just about the most sensible default I can think of,
given that there's no port that all or even most users will want open.

-- 
adamw
