Neil Bothwick <neil <at> digimed.co.uk> writes:
> So try out some of the standard configurations in Shorewall. Read the
> Shorewall scripts to see what they are trying to do then examine the
> iptables rules they create to see how it does it. That gives you exactly
> what you were asking for, a set of standard, working iptables rules to
> learn from, with no GUI in sight. Shorewall is not an automatic rule
> generator like Guarddog, it is more like a compiler, turning your source
> rules into iptable rules.

OK, good point. But several folks have mentioned that Shorewall is not a one-to-one tool for straight iptables/netfilter implementations. It has things that are not part of a raw usage of iptables/netfilter. My goal is to learn as much about iptables/netfilter on a Gentoo x86 firewall before I plunge into iptables/netfilter on an embedded processor, most likely not x86.

> By picking up a bunch of rules from some web site somewhere, you run the
> risk of learning from bad rules (like learning HTML by picking apart web
> sites). If a well known and well used program like Shorewall generated
> bad rules, they'd be picked up immediately.

Looking at bad rules, learning why they fail, and watching an attack (either generated by myself or others) with an IDS and other tools running can be an excellent learning experience. I'm not sure I'll have Shorewall running on an embedded platform, nor do I want to generate things on one system and transfer them to a different system (arch) in an embedded environment, not just yet. Others have indirectly suggested that Shorewall does not directly generate iptables/netfilter rulesets. I'm looking to get as close to iptables/netfilter as I can, rather than an immediate need to have a robust Linux-based firewall.

So if I use Guarddog or Shorewall to generate rulesets, then I can issue '/etc/init.d/iptables save' and look at the rules. Then I can manually adjust the rules at the command line, once again issue '/etc/init.d/iptables save' and look at the rules, make manual (command line) adjustments and continue the learning and testing process? If this is true, then I can use an x86 firewall with Gentoo on it to build and test a firewall and then manually implement the ruleset on an embedded Linux project, and similarly test the ruleset (and the security robustness of the embedded Linux kernel and the IP stack (note: some of the low level driver code for networking will most likely be 'non standard' code)). Is this logical and correct?

I do appreciate your input and the input from others. I do apologize if I have offended any, as I do get a little 'wacked' when I'm frustrated.

sincerely,
James

--
[email protected] mailing list
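The workflow James describes (save the generated ruleset, read it, re-enter it by hand on another box) hinges on understanding the iptables-save format that an `iptables save` step writes out. The following is an added example, not code from the thread or from Shorewall or Guarddog: it parses a constructed iptables-save style dump and emits the plain `iptables` commands that would rebuild it, which is the form one would type on an embedded target without any generator present. The chain name `net2fw` and the rules in the sample are made up for illustration.

```python
"""Translate an iptables-save style dump into plain iptables invocations.

Added example, not from the mailing-list post. SAMPLE_DUMP is a constructed
ruleset shaped like what a generator's saved rules typically look like.
"""
import shlex

SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j net2fw
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -j LOG --log-prefix "net2fw DROP: "
-A net2fw -j DROP
COMMIT
"""


def dump_to_commands(dump: str) -> list[str]:
    """Return the iptables commands that recreate the rules in `dump`.

    A table section starts with '*name' and ends with 'COMMIT'. Lines of the
    form ':CHAIN POLICY [pkts:bytes]' declare chains: built-in chains carry a
    policy, user-defined chains carry '-'. Lines starting with '-A' are rules.
    Packet/byte counters and comments carry no rule information and are dropped.
    """
    cmds: list[str] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"rule outside a table section: {line!r}")
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split(maxsplit=2)
            if policy == "-":
                cmds.append(f"iptables -t {table} -N {chain}")
            else:
                cmds.append(f"iptables -t {table} -P {chain} {policy}")
        else:
            # Re-quote each argument so values with spaces (e.g. a LOG prefix)
            # survive when the command is pasted into a shell.
            args = " ".join(shlex.quote(a) for a in shlex.split(line))
            cmds.append(f"iptables -t {table} {args}")
    return cmds
```

Running `dump_to_commands(SAMPLE_DUMP)` yields the policy, chain-creation and append commands in the order the kernel needs them, which is the same order one would type them by hand.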

