On 8 Feb 2002 01:51 PM, martin f krafft wrote:

>> I also experimented with FWBuilder [http://www.fwbuilder.org]
>> which is available directly as a .deb package. While it looks
>> very capable, I'd essentially have to design the firewall from
>> scratch. Since I might miss something, I've ruled this out.

> nah, build your firewall from scratch! it's good practice and
> a requirement, or else you won't understand your firewall, and
> an admin who doesn't understand the firewall might also just
> not need a firewall.

Well, ideally I would understand everything about my firewall, yes. And writing the script would certainly result in my knowing exactly what it does.

That having been said, I don't want to have the network in a state of disarray, with some things working and others not, while I try to figure out how things work. This is what I already have with ipchains now, namely, file transfers/direct connections don't work (DCC, ICQ, etc.). I guess the better option is to start from scratch, and I will try that.

But then I run into this problem: I've gleaned a lot of helpful responses off this list, but I'm still wary of posting my exact ipchains or iptables ruleset in its entirety for anyone with a browser or mail client to examine for correctness. Being the ultraconservative paranoid type, I think that seems tantamount to inviting an unfriendly to come along and poke holes in it. I *wouldn't* mind intrusion testing, but only by trustworthy folks. ;)

Last but not least, it's difficult to gauge my success (or failure) because I can't use a machine *outside* the firewall to run nmap against this setup. Yes, I do have another system with Linux, but it's not located right next to this one, where I could immediately make changes and observe results. Perhaps in the near future I can run a dial-up for that purpose, though.

Jeff Bonner

