> > Yes that's all fine, but not the point. The point is, all servers on the
> > internet are reachable *by the orange*, and that's a bad joke.
>
> It works on the idea that there are levels of security, and you need
> no special rights to access hosts at a lower level of security than
> yourself. Green > Orange > Red. To the best of my knowledge this is a
> fundamental concept

Yes, it is, but it's not the only fundamental concept. Others are: don't
allow access unless needed, use more than one line of defense. SuSEfirewall
takes this as a given, and all this routing stuff is trivial to configure
(no eye candy though). I was expecting as much from a dedicated firewall,
but ipcop is definitely a step down in where it really matters: the
iptables rules.

I've been thinking cheekily whether I can plonk SuSEfirewall on top of
ipcop Linux... (SUSE is now definitely desktop, no way it runs on 32MB).

Ok, I've made a 3x eth[012] ipcop test box and found something to connect
to each end.

ipcop gui, firewall -> firewall options -> disable ping response: set to no.

Bug 1: it never accepts pings from internal, server, or outside (just logs
and dumps).

Bug 2: It never forwards pings from the server to the outside. But the
server can connect to any tcp port outside... and the user setup doesn't
allow configuration of anything but udp or tcp.

All nice-looking GUI, but the rules are put together with an astonishing
carelessness! Trust *that*??? Very disappointing.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
