Hi,
James wrote:

Dave Nebinger <dnebinger <at> joat.com> writes:


I think it might be important to point out here how Shorewall
handles/uses these files.  I don't use Shorewall, so I can't really
shed light on it.  But these config files are really only one side of
the mirror.

Sorry, I HAVE ZERO INTEREST IN A GUI, UNLESS THE RESULTING RULESETS
ARE SIMILAR TO THOSE BUILT MANUALLY with a one-to-one correspondence
to iptables/netfilter.

IMHO shorewall isn't a GUI; it's just a script (might be wrong here) with many config files for many (almost all) possible usages, and with a manual (in PDF and other formats) which is around 500-600 pages. All the configuration is done by editing files in the /etc/shorewall/... directory (and they come heavily commented).

...SKIP...
OpenBSD + PF is a piece of cake. OpenBSD comes secure right out of the box. If the gentoo experts that peruse this list read this email, surely they can direct one to examples where the details of secure rulesets exist? Surely someone is confident enough in their iptables/netfilter rulesets to publish them?

IMO OpenBSD's initial goal was just that - to be very secure even in its default install. I haven't seen such a claim for Gentoo (plain).

Maybe the linux security models are not up to the task?
SElinux etc....?
I have some experience with Grsec2+PaX and RSBAC (SELinux's brother ;)
IMHO they are significantly better than OpenBSD in overall security.
The "new/next" version of OpenBSD will have some sort of protection against memory overflow attacks (writing this from memory only, might not be 100% correct), so they are slowing the next release to test this 'new' feature - which, along with others, is already used by Hardened Gentoo.
Check 'Adamantix' - Debian + PaX (memory protection) + RSBAC (DAC).
Example: see the 'gibraltar' router/firewall distro - it uses an RSBAC kernel.

PF rulesets are quite elaborate, but easily discernible.

You know, 'the rat' culture is questionable, but, he's really quite
talented and reasonable, once you get past the phasic behavior.

OpenBSD comes secure, right out of the installation. Building a really
secure firewall is trivial. I thought (gentoo)linux was supposed to
be equal to or superior to OpenBSD for security and every other
aspect of computing?

If you have ruleset capabilities, then look at this example,
and tell me what's deficient with it? http://www.linuxguruz.com/iptables/scripts/rc.DMZ.firewall.txt

It was created for
2.4 based kernels, but this simple website shows one
how to prepare a 2.6 kernel as the basis of the firewall:
http://www.gentoo.org/doc/en/home-router-howto.xml
It is a bit shallow, but at least this author is
not scared of iptables/netfilter fundamentals.

(Booo) <this is where the Gentooers mess their britches?>


The really sad thing in this whole thread, is nobody
has even mentioned which (kernel) sources to use, what
to disable/enable and why. Is this some sort of deep secret
or is the gentoo community un_caring about those who
simply want to learn about iptables/netfilter in a 2.6
kernel environment? Hell, if this list and the greater
gentoo community do not have this aggregated knowledge
then let's develop it and document it and share it. This is how we, as the open_source community, distinguish ourselves from the Vulture and his minion_buzzards that inhabit
Redmond!

sincerely, from a dreamer and a loser, and a simpleton,

(but, I'm not afraid of any stinking rule_set, are you?)

James

No flames please, just my opinion.
HTH. Rumen
--
[email protected] mailing list