Gary Hennigan wrote:
> Manegold <[EMAIL PROTECTED]> writes:
> > ktb wrote:
> > > On Wed, Dec 20, 2000 at 12:02:14AM +0000, Phillip Deackes wrote:
> > > > I have spent much of the day getting more and more confused about
> > > > firewalls and Linux. I am having a cable modem installed soon and want my
> > > > system to be secure. I have only the one computer, and am running Woody.
> > > >
> > > > Is there a free (or low-cost) firewall which will work on Debian? I don't
> > > > feel confident enough to be messing with ipchains and such. I had a look
> > > > at Storm Firewall, but this is expensive at 99USD and seems way over the
> > > > top for what I would need on a single workstation.
> > > >
> > > > I downloaded gfcc, but don't understand what to do with it. I have read
> > > > the Firewall HOWTO but I really don't grasp much of it. I am embarrassed to
> > > > admit that I really want an out-of-box solution - something I can install
> > > > and perhaps tweak a little as I get more confident. I don't do anything
> > > > out of the ordinary on the Internet, just the usual mail, news and web. I
> > > > occasionally use RealAudio and ftp, but not a lot else.
> > >
> > > Install something like "pmfirewall" or "seawall." I've used
> > > pmfirewall before and it is simple to set up. Basically what
> > > these two scripts do is write ipchains rules for you based on
> > > some of the questions you answer. I don't have any URLs handy
> > > but they should be easy to find. After installing your chains
> > > take a look at them and learn from them. One other thing you
> > > might think about is getting a cheap or free 486 and make it
> > > your firewall.
> > > hth,
> > > kent
> >
> > I used pmfirewall too, but the problem with it is that it only blocks
> > certain things it knows about. The default stance is allow (!). In my
> > opinion that is not so good. It should be deny unless the port is
> > explicitly opened up. I think that this would be possible via a script
> > setup too and much better. I don't know "seawall". Maybe that does it
> > better.
> > However, if you don't want to learn at least something about ipchains
> > and some basics about what a firewall can do, then maybe it is ok. But
> > then you will not know how much security you got.
>
> I think you may be mistaken on this point. The policy PMFirewall
> defaults to is ACCEPT but, at least on my installation, the last rule
> in my input chain is:

Yep, the policy is ACCEPT.

> target prot opt    source     destination  ports
> .
> .
> .
> DENY   all  ----l- 0.0.0.0/0  0.0.0.0/0    n/a
>
> I'm no ipchains expert, but I believe that this rule implies that if
> none of the previous rules caused the packet to be accepted it'll be
> denied here.

I would not call myself an ipchains expert either. I'm still learning
that firewall stuff myself.

> Now personally, in addition to leaving the rule above as the last one
> in my input chain, I set the policy to DENY, just as a precaution,
> but, I *think*, it's redundant given the rule above.

Well, I had someone portscan me from outside and he found a number of
ports not blocked, even though I opted to have only SSH open during
setup. Don't know why that was, but it's not good. Therefore I went
ahead and did a setup with policy on DENY. For learning, pmfirewall
served me well though.

> And of course the nice thing about a script approach like PMFirewall
> is that it's easy to modify as you learn more about ipchains.

Yes, as above, but sometimes it's better to know that you don't have the
security of a packet filter than to be mistaken about the level of
security you really have.

Greetings
Thorsten Manegold
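The thread turns on whether a chain whose policy is ACCEPT but which ends in a DENY-all rule is really fail-closed, and on how Thorsten could have had ports open that he thought were shut. The following is an added example (editor's code, not from any of the posters and not part of pmfirewall or seawall) that parses an `ipchains -L -n` listing in the layout Gary quotes and reports, per chain, whether anything not explicitly accepted gets dropped, which ACCEPT rules actually open ports before the catch-all DENY, and whether any rules sit unreachably after it. The listing it runs on is constructed for the example, not captured from a real host; the column layout assumed is that of `ipchains -L -n` without `-v`.

```python
"""Audit an `ipchains -L -n` listing for its default stance.

Editor's example; not code from the thread or from pmfirewall.
"""
import re
from dataclasses import dataclass, field

ANY_ADDR = "0.0.0.0/0"
DROP_TARGETS = {"DENY", "REJECT"}

# Constructed sample in `ipchains -L -n` layout (not a real capture): an
# input chain with policy ACCEPT that ends in the DENY-all rule discussed in
# the thread (plus one dead rule after it), a forward chain closed by policy
# alone, and an output chain that relies on its ACCEPT policy.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  127.0.0.0/8          0.0.0.0/0             n/a
ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   22
ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   113
DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
ACCEPT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   53
Chain forward (policy DENY):
target     prot opt     source                destination           ports
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy ([A-Z]+)\)")


@dataclass
class Rule:
    target: str
    prot: str
    opt: str
    source: str
    dest: str
    ports: str  # raw ports column: "n/a" or e.g. "* ->   22"

    def dport(self):
        """Destination port from the ports column; '*' when unrestricted."""
        if "->" not in self.ports:
            return "*"
        return self.ports.split("->")[1].strip()

    def matches_everything(self):
        """True for a rule that every packet reaching it will hit."""
        return (self.prot == "all" and self.source == ANY_ADDR
                and self.dest == ANY_ADDR and self.dport() == "*")


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


def parse_listing(text):
    """Turn `ipchains -L -n` output into Chain objects with their rules."""
    chains = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chains.append(Chain(m.group(1), m.group(2)))
            continue
        if not chains or not line.strip() or line.startswith("target"):
            continue  # header row or stray text
        parts = line.split(None, 5)  # ports column may contain spaces
        if len(parts) == 6:
            chains[-1].rules.append(Rule(*parts))
    return chains


def audit_chain(chain):
    """Classify one chain's default stance.

    Fail-closed means: the policy is DENY/REJECT, or a rule matching every
    packet denies it, and no earlier rule accepts every packet. ACCEPT rules
    seen before the catch-all DENY are what an outside port scan can reach.
    """
    opened, unreachable = [], 0
    closed_by_rule = catch_all_accept = False
    for r in chain.rules:
        if closed_by_rule:
            unreachable += 1  # nothing gets past a catch-all DENY
            continue
        if r.target in DROP_TARGETS and r.matches_everything():
            closed_by_rule = True
        elif r.target == "ACCEPT":
            catch_all_accept |= r.matches_everything()
            opened.append((r.prot, r.dport(), r.source))
    fail_closed = ((chain.policy in DROP_TARGETS or closed_by_rule)
                   and not catch_all_accept)
    return {"chain": chain.name, "policy": chain.policy,
            "fail_closed": fail_closed, "closed_by_rule": closed_by_rule,
            "catch_all_accept": catch_all_accept, "opened": opened,
            "unreachable_rules": unreachable}


def audit_listing(text):
    return {c.name: audit_chain(c) for c in parse_listing(text)}


def report(text):
    """Human-readable summary, one block per chain."""
    out = []
    for name, a in audit_listing(text).items():
        stance = "fail-closed" if a["fail_closed"] else "FAIL-OPEN"
        why = " (by catch-all rule)" if a["closed_by_rule"] else ""
        out.append(f"chain {name}: policy {a['policy']}, {stance}{why}")
        for prot, dport, src in a["opened"]:
            out.append(f"  opens {prot} port {dport} from {src}")
        if a["unreachable_rules"]:
            out.append(f"  {a['unreachable_rules']} rule(s) after the "
                       "catch-all DENY are never reached")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

On a real box, feed it `ipchains -L -n` output after every change and compare the "opens" lines with an outside scan, as Thorsten did. Two caveats: without `-v` the listing does not show the interface a rule is bound to, and the audit ignores the opt flags (so an ACCEPT limited to established replies still shows up as an open port), which means it over-reports rather than under-reports what is reachable.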