Michael W. Holdeman <lists <at> ptfd.org> writes:

www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12#doc_chap1


> Your response is very helpful. I was thinking about squid, fwbuilder to get 
> the base up and going. I will read more, as for some reason I was under the 
> impression I could use fwbuilder and then add more using raw ipfilters as I 
> learned more. 

Yes, let me know how it works out using fwbuilder for a default set
of rules. I think fwbuilder will embed some additional shell code
into the startup script. Keep me posted on how this approach works out.

If you directly edit /etc/init.d/iptables/firewall.sh with vi,
it will give you a minimal template:

#!/sbin/runscript
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
	# declare services this script needs, e.g. "need net"
}

start() {
	# load the ruleset (ebegin/eend around the iptables calls)
}

stop() {
	# flush the ruleset
}

restart() {
	# stop, then start
}


Also look at these pages for general help:

gentoo-wiki.com/HOWTO_Iptables_for_newbies#Another_iptables_startup_script
www.gentoo.org/doc/en/home-router-howto.xml
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#PREPARATIONS

http://forums.gentoo.org/viewtopic-p-1436652-highlight-iptables+rulesets.html?sid=b777f7a8f3ef392e9cb4d14f0bcccfa1#1436652



> I have used DansGuardian and squid in the past for content 
> filtering and was happy with the way that worked, so this would just add to 
> the knowledge and ops I need for that type of implementation.

OK, I'll look into DansGuardian. Maybe we should put together a web page
that details a 3-NIC setup, either DHCP or a single static IP
to the net, a DMZ for unrestricted access, an optional web server,
DNS server(s), email server and an internal LAN?

iptables + ALG (DansGuardian + squid) as the foundation, because I'm
sure there are hundreds if not thousands of folks that could use this
guide. Particularly if it were Gentoo specific and had several
iptables templates to choose from, where the DMZ
and its various services can be provided via outside (ISP) services
or migrated internally via your own Gentoo servers. 

Any interest in sharing your solutions with a wider audience?

> Thanks again for your help, I am sure I will have more ?'s 
> Mike

Yea, I have young kids too, and for now, I rarely let them on the net,
because they are young, and I think math & programming skills should 
come before exploring via tcp/ip. (does assembler seem harsh?)

However, the day is fast approaching that I will need to build 
a monitoring and control system to restrict access to adult materials,
and monitor the activities that are a result of those 
puberty based hormones.

Don't hesitate to ask, publicly or privately.

James

-- 
[email protected] mailing list
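The 3-NIC layout James sketches above (one interface to the ISP, a DMZ holding a web server, and an internal LAN whose web traffic is forced through the squid/DansGuardian ALG) is shown below as an added example; it is not from this thread, from fwbuilder, or from any Gentoo document. The interface names, the private subnets, the DMZ web server address and the proxy port are assumptions. The two functions are meant to be called from start() and stop() of the runscript template, and the rules are written through an IPT variable so the script can be dry-run by setting IPT="echo iptables" before it touches a live kernel.

```shell
#!/bin/sh
# Added example: 3-NIC iptables ruleset (WAN / DMZ / LAN) with a
# transparent redirect of LAN web traffic to a local squid/DansGuardian ALG.
# All names and addresses below are assumptions, not values from the thread.
WAN_IF=${WAN_IF:-eth0}                 # towards the ISP
DMZ_IF=${DMZ_IF:-eth1}                 # DMZ segment
LAN_IF=${LAN_IF:-eth2}                 # internal LAN
DMZ_NET=${DMZ_NET:-192.168.1.0/24}
LAN_NET=${LAN_NET:-192.168.2.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.1.10}       # web server living in the DMZ
PROXY_PORT=${PROXY_PORT:-8080}         # DansGuardian listens here, squid behind it
IPT=${IPT:-/sbin/iptables}             # IPT="echo iptables" prints the rules instead
# Forwarding must also be enabled: net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

fw_start() {
    # Clean slate in every table we use.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default deny for traffic to and through the box; DMZ -> LAN is never
    # allowed below, so it falls to this policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections that were permitted on the way out.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: our own private ranges must never arrive from the ISP side.
    $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $WAN_IF -s $DMZ_NET -j DROP

    # Services the firewall itself offers, LAN side only: ssh for admin,
    # DNS forwarding, and the proxy listener the redirect below points at.
    $IPT -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT

    # Transparent proxying: LAN port-80 traffic is steered into the ALG
    # before routing, so no browser configuration is needed.
    $IPT -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 \
        -j REDIRECT --to-ports $PROXY_PORT

    # Everything else the LAN initiates may reach the DMZ and the Internet.
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT

    # Publish the DMZ web server: DNAT from the WAN address, then allow
    # only the web ports to that one host.
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination $DMZ_WEB
    $IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # DMZ hosts may only initiate DNS and HTTP(S) outbound (updates).
    $IPT -A FORWARD -i $DMZ_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Log attempts from the DMZ into the LAN: a compromised DMZ host is the
    # scenario the DMZ exists for, and this is where it becomes visible.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP

    # Hide both internal networks behind the WAN address.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
}

fw_stop() {
    # Flush everything and fall back to an open policy so that "stop" does
    # not leave the box unreachable; run fw_start again to re-arm.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# Stand-alone use: ./firewall.sh start | stop. From the runscript template,
# call fw_start from start() and fw_stop from stop() instead.
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Check the generated rules before loading them: `IPT="echo iptables" sh firewall.sh start` prints every rule in order, and `iptables -L -v -n` after a real start shows which chains are actually taking hits. Because the FORWARD policy is DROP and nothing accepts DMZ -> LAN, a DMZ host that is owned cannot pivot into the LAN, which is the whole point of giving it its own interface.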
