Jan Ciger wrote:
> J.A. Magallon wrote:
> |>I guess it depends upon what you're doing. In my case, the default
> |>settings blocked traffic to my gateway, both in and out, and effectively
> |>shut down the network.
> |>
> |
> | I really find more useful a combination of a 5 line iptables
> | script to do plain forwarding and portsentry. I do not know why
> | portsentry was killed from the distro.
> |
> | So you could separate 'security' from 'internet sharing'.
>
> This has nothing to do with internet sharing, this problem happened to
> me too - shorewall disables also *outgoing* connections from your
> machine by default. Blocking all incoming things is OK, but outgoing?
> That's a bit of an overkill.
>
> In a standard msec level, it should just block incoming connections,
> maybe with the exception of ssh port and allow all outgoing ones, so
> that you could get a decent configuration out of the box. On higher
> levels, let's lock down everything, the admin should know what to do to
> enable it again and a clueless idiot will not put up an unprotected server.
And fixing it is trivial if you know how, just modify the policy file. IMHO,
the default policy should be as near to that the user would want as possible,
thus:

#SOURCE  DEST   POLICY  LOG
wan      all    DROP
fw       masq   DENY
fw       wan    ACCEPT
masq     fw     ACCEPT  info
masq     wan    ACCEPT
all      all    REJECT

Of course, current drakfirewall doesn't have support for customised rules, so
at present if you enable ssh, it's all or nothing :-(. But with a default
policy in place, it is actually very easy to customise further (if
drakfirewall would use 'default/accept/deny', instead of a checkbox), since
doing nothing about ssh will allow from masq only, DENY'ing it will not allow
any access, and ACCEPT'ing it should enable traffic from outside ...

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering            http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
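To check what a policy file like the one proposed above actually does for each zone pair, here is a small evaluator (an added example, not code from the thread or from shorewall itself). It assumes shorewall's first-match rule for the policy file: the first line whose SOURCE and DEST match a connection wins, and 'all' matches any zone; the policy text is Buchan's proposal copied verbatim, with the zone names wan, masq and fw taken from the mail.

```python
"""Toy evaluator for a shorewall-style /etc/shorewall/policy file."""
from typing import NamedTuple


class Policy(NamedTuple):
    source: str
    dest: str
    action: str
    log: str = ""


# Policy proposed in the mail, reproduced verbatim (zones: wan = internet,
# masq = LAN behind the box, fw = the firewall host itself).
PROPOSED_POLICY = """
#SOURCE  DEST   POLICY  LOG
wan      all    DROP
fw       masq   DENY
fw       wan    ACCEPT
masq     fw     ACCEPT  info
masq     wan    ACCEPT
all      all    REJECT
"""


def parse_policy(text: str) -> list[Policy]:
    """Parse 'SOURCE DEST POLICY [LOGLEVEL]' lines; blanks and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append(Policy(fields[0], fields[1], fields[2], fields[3] if len(fields) > 3 else ""))
    return rules


def lookup(rules: list[Policy], src: str, dst: str) -> str:
    """Action applied to a new connection from zone src to zone dst (first match wins)."""
    for rule in rules:
        if rule.source in (src, "all") and rule.dest in (dst, "all"):
            return rule.action
    raise LookupError(f"no policy covers {src} -> {dst}")  # this toy treats a gap as an error


def matrix(text: str) -> dict[tuple[str, str], str]:
    """Resolve every ordered zone pair so the whole policy can be reviewed at a glance."""
    rules = parse_policy(text)
    zones = sorted({z for r in rules for z in (r.source, r.dest)} - {"all"})
    return {(s, d): lookup(rules, s, d) for s in zones for d in zones if s != d}


if __name__ == "__main__":
    for (s, d), action in matrix(PROPOSED_POLICY).items():
        print(f"{s:>5} -> {d:<5} {action}")
```

Running it shows the point made in the mail: fw -> wan is ACCEPT (outgoing from the box works), wan -> fw is DROP, and masq -> fw is ACCEPT, so with no ssh rule at all, ssh is reachable from the LAN only.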
