Just a thought: http://www.fwbuilder.org/
I like how it looks "a lot" like checkpoint's policy manager.

HTH,
Hazen.

On Fri, Apr 24, 2009 at 1:00 PM, Chris Frederick <cdf...@cdf123.net> wrote:
> Marco wrote:
> > Hi all,
> >
> > I set up my first firewall on my notebook (not running any services
> > reachable from outside) using iptables. Since I am new to the topic,
> > could you please verify if the output of 'iptables -L -v' is
> > considered to be a safe firewall? Thanks!
> >
>
> Hi Marco,
>
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP. Unless you are doing
> routing on your laptop, there's no reason to have it.
>
> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.
>
> I would also re-write your INPUT chain to be a bit less verbose.
> Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target     prot opt in     out     source               destination
> ACCEPT     all  --  lo     any     anywhere             anywhere
> ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
> LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `INPUT '
>
> Everything else looks good from a security standpoint. From a
> performance standpoint, you might want to add a line to the beginning of
> your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target     prot opt in     out     source               destination
> ACCEPT     all  --  any    lo      anywhere             anywhere
> ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
> LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `OUTPUT '
>
> This will log only NEW packets. Otherwise you could end up with a lot
> of log output.
>
> After you run this for a while, go back and look through your logs and
> see if you have enough data there to change your OUTPUT chain to DROP,
> and only allow packets through to ports you actually use. That's only
> if you're really paranoid though.
>
> Hope that helps.
>
> Chris
>

--
Hazen Valliant-Saunders
IT/IS Consultant
(613) 355-5977
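The ruleset Chris sketches in the quoted reply, as a shell script added here (it is not from the thread): it writes the rules in iptables-restore format so they can be reviewed before they are loaded, and the check function encodes the points he raises (FORWARD and INPUT policy DROP, no REJECT, loopback accepted first). Assumptions: a host that routes nothing and runs no externally reachable services; `-m conntrack --ctstate` is used as the current equivalent of the `-m state` match in the listing, and the LOG rules are rate-limited, which the listing's are not.

```shell
#!/bin/sh
# Added example (not from the thread): the workstation ruleset described in
# Chris's reply, emitted in iptables-restore format for review before loading.
# Assumptions: the host routes nothing and runs no reachable services;
# `-m conntrack --ctstate` stands in for the older `-m state` match.

LOG_RATE="-m limit --limit 5/min --limit-burst 10"   # keep log floods bounded

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, then anything belonging to a connection already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# whatever is left is a NEW (or invalid) inbound packet: log it, the policy drops it
-A INPUT $LOG_RATE -j LOG --log-prefix "INPUT " --log-level warning
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# only NEW outbound connections reach this rule, so the log stays small
-A OUTPUT $LOG_RATE -j LOG --log-prefix "OUTPUT " --log-level warning
COMMIT
EOF
}

# Sanity checks on a generated ruleset, one per point raised in the reply.
check_rules() {
    r="$1"
    printf '%s\n' "$r" | grep -q '^:FORWARD DROP'          || return 1
    printf '%s\n' "$r" | grep -q '^:INPUT DROP'            || return 1
    if printf '%s\n' "$r" | grep -q -- '-j REJECT'; then return 1; fi
    # loopback must be accepted before anything else in INPUT
    first=$(printf '%s\n' "$r" | grep '^-A INPUT' | head -n 1)
    [ "$first" = "-A INPUT -i lo -j ACCEPT" ]               || return 1
    return 0
}

case "${1:-}" in
    apply) gen_rules | iptables-restore ;;   # needs root; iptables-apply adds a rollback timer
    *)     gen_rules ;;                      # default: print the ruleset for review
esac
```

Run it with no arguments to inspect the rules, and with `apply` (as root) to load them atomically.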