On 14/10/13 20:08, Martin Vaeth wrote:
> William Kenworthy <bi...@iinet.net.au> wrote:
>>
>> If you are going to go to this bother ... why not use shorewall, create
> 
> When I checked for scripts creating rules, none fulfilled my needs.
> (I do not know whether I checked shorewall at this time).
> For instance, instead of dropping most packets, I want to reject them
> properly, only with a rate-limit to avoid DoS. Then there is the
> mentioned port knocking, some forwarding etc. pp.
> 
>> a custom configuration for each site (including any changes to services)
>> and and have your script just copy them in and restart the various
>> services including shorewall?
> 
> Instead of managing dozens of configurations manually,
> I think it is easier to have one script which creates an
> appropriate custom configuration on all my machines, depending
> on certain files in /etc and other tests. That's why I always
> run my firewall script on startup (or if I severely change
> the configuration).

Been there, done that; after the various disasters of editing/sed'iting
in place config files I took the coward's way out - at least when it all
goes wrong it's now easy to fix, and is a LOT less fragile, especially
after upgrades :)  It's also a lot harder to do once you get to some of
the weirder environments with conflicting requirements.  Keep in mind
that shorewall or similar won't handle all the parts needed to make this
work ... VPNs, services etc. will need scripting as well, but they
certainly make the firewall part easier and more secure.

Also, if you are editing iptables scripts yourself have a look at
shorewall, monmotha or most other "professional" scripts - can you
guarantee you are covering as many bases as these do? - I always shudder
when I see someone put together a "few" rules and think it's as good as
something that's stood the test of time and review.  Or think of it this
way, you are using port knocking and trying for extreme "defence in
depth", but use a home brew firewall ...  I don't see anything strange
about your requirements and think they should be within the capability
of most firewall setups and a knowledgeable admin.

I totally agree on network manager - it's a PITA.  In this case it's a left
over from an abortive attempt to like gnome3 ... I am now using LXDE but
every time I try and strip more gnome out of the system it either breaks
or reinstalls the gnomey bits I've just removed :(

Maybe a reinstall during the Christmas break - prezzies!

BillK
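As an added example (not code from this thread, nor from shorewall or any of the scripts mentioned), the following is a minimal iptables script in the style Martin describes: unwanted packets get a proper REJECT, but only at a per-source rate, with the remainder silently dropped, and SSH is gated behind a single-port knock. The chain name RATE_REJECT, the knock port 2222, and the rate and burst values are arbitrary choices for illustration; the script is written so that setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): rate-limited REJECT plus a port knock.
# Chain names, ports and rate/burst values are illustrative assumptions.
# Run as "IPT=echo sh firewall.sh apply" to print the rules without root.
IPT="${IPT:-iptables}"

# Build a chain that answers the first few unwanted packets per source per
# second with a real REJECT (TCP RST / ICMP port-unreachable) and silently
# drops the rest, so a flood cannot turn the host into a reply generator.
# hashlimit keys the bucket on source IP; a plain "-m limit" would let one
# flooder exhaust the reject budget for everyone.
setup_reject_chain() {
    chain="$1"; rate="${2:-5/second}"; burst="${3:-10}"
    # create the chain, or flush it if a previous run already created it
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    $IPT -A "$chain" -p tcp -m hashlimit --hashlimit-name "${chain}_tcp" \
        --hashlimit-mode srcip --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        -j REJECT --reject-with tcp-reset
    $IPT -A "$chain" -p udp -m hashlimit --hashlimit-name "${chain}_udp" \
        --hashlimit-mode srcip --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        -j REJECT --reject-with icmp-port-unreachable
    # everything over the limit, and every other protocol, is dropped quietly
    $IPT -A "$chain" -j DROP
}

# Single-port knock using the "recent" match: one SYN to $knock_port records
# the source address; for $window seconds afterwards new SSH connections from
# that address are accepted. Anything else falls through to the reject chain.
setup_knock() {
    knock_port="$1"; ssh_port="${2:-22}"; window="${3:-30}"
    $IPT -A INPUT -p tcp --dport "$knock_port" --syn \
        -m recent --name KNOCKED --set -j DROP
    $IPT -A INPUT -p tcp --dport "$ssh_port" --syn \
        -m recent --name KNOCKED --rcheck --seconds "$window" -j ACCEPT
}

# Full INPUT policy: loopback and established traffic first, then the knock,
# then the rate-limited reject as the catch-all.
apply_policy() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    setup_reject_chain RATE_REJECT 5/second 10
    setup_knock 2222 22 30
    $IPT -A INPUT -j RATE_REJECT
}

if [ "${1:-}" = apply ]; then
    apply_policy
fi
```

Two caveats a reviewer of such a script would raise: the per-source hashlimit bucket protects the reject budget from a single flooder but not from a spoofed-source flood, which is why the final rule is still DROP rather than REJECT; and a single-port knock is observable by anyone on the path and only hides the SSH port from casual scans, so it is an addition to key-only authentication, not a substitute for it.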