On Wed, 17 May 2006 12:46:49 +1200 Volker Kuhlmann wrote:

> > > Yes that's all fine, but not the point. The point is, all servers on the
> > > internet are reachable *by the orange*, and that's a bad joke.
> >
> > It works on the idea that there are levels of security, and you need
> > no special rights to access hosts at a lower level of security than
> > yourself. Green > Orange > Red. To the best of my knowledge this is a
> > fundamental concept
>
> Yes, it is, but it's not the only fundamental concept. Others are: don't
> allow access unless needed, use more than one line of defense.
>
> SuSEfirewall takes this as a given, and all this routing stuff is
> trivial to configure (no eye candy though). I was expecting as much from
> a dedicated firewall, but ipcop is definitely a step down in where it
> really matters: the iptables rules. I've been thinking cheekily whether
> I can plonk SuSEfirewall on top of ipcop Linux... (SUSE is now
> definitely desktop, no way it runs on 32MB).
>
> Ok I've made a 3x eth[012] ipcop test box and found something to connect
> to each end. ipcop gui, firewall->firewall options->disable ping
> response: set to no. Bug 1: it never accepts pings from internal,
> server, or outside (just logs and dumps). Bug 2: It never forwards
> pings from the server to the outside. But the server can connect to any
> tcp port outside... and the user setup doesn't allow configuration of
> anything but udp or tcp. All nice-looking GUI, but the rules are put
> together with an astonishing carelessness! Trust *that*??? Very
> disappointing.
>
> Volker
I suggest the ipcop-user or ipcop-devel mailing lists may be better placed to discuss this with you.
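The two ideas argued over in the quoted message, a Green > Orange > Red trust ordering and "don't allow access unless needed", can be combined in one default-deny FORWARD chain. The script below is an added illustration written for this page; it is not ipcop or SuSEfirewall code, and the interface mapping (eth0 green, eth1 orange, eth2 red) is an assumption chosen for the example. It prints the iptables commands instead of applying them, so the rule set can be reviewed before it is run as root. The `tcpudp` mode reproduces the symptom described above (only tcp/udp rules exist, so echo-requests fall through to the log-and-drop), and the `full` mode adds the ICMP rule that lets pings from a higher-trust zone be forwarded.

```shell
#!/bin/sh
# Added example, not code from ipcop or SuSEfirewall. Prints (does not apply)
# iptables FORWARD rules for a three-interface box using the Green > Orange > Red
# trust model with a default-deny policy. Review the output, then run it as root.
# Constructed interface mapping for this example (ipcop's real assignment may differ):
GREEN=eth0    # internal LAN, most trusted
ORANGE=eth1   # DMZ / server zone
RED=eth2      # internet, least trusted

# Emit "zone on $1 may open connections toward zone on $2" rules.
# $3 is the mode: "tcpudp" (only tcp/udp, like a tcp/udp-only GUI) or "full".
allow_downhill() {
    for proto in tcp udp; do
        printf 'iptables -A FORWARD -i %s -o %s -p %s -m state --state NEW -j ACCEPT\n' \
            "$1" "$2" "$proto"
    done
    # Without this rule an echo-request is neither tcp nor udp, so it falls
    # through to the final log-and-drop: pings are logged but never forwarded.
    if [ "$3" = "full" ]; then
        printf 'iptables -A FORWARD -i %s -o %s -p icmp --icmp-type echo-request -j ACCEPT\n' \
            "$1" "$2"
    fi
}

# Print the complete FORWARD chain for the given mode (default "full").
gen_rules() {
    mode=${1:-full}
    # default deny: nothing crosses zones unless a later rule allows it
    echo 'iptables -P FORWARD DROP'
    # return traffic for connections already allowed (conntrack also tracks
    # ICMP echo, so echo-replies come back through this rule)
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # higher trust may open connections toward lower trust, never the reverse
    allow_downhill "$GREEN"  "$ORANGE" "$mode"
    allow_downhill "$GREEN"  "$RED"    "$mode"
    allow_downhill "$ORANGE" "$RED"    "$mode"
    # everything else (Red->Orange, Red->Green, Orange->Green) is logged then dropped
    echo 'iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "'
    echo 'iptables -A FORWARD -j DROP'
}

# Count ACCEPT rules that let traffic entering on $1 leave on $2; used to
# confirm that no rule ever allows an "uphill" (less trusted -> more trusted) path.
uphill_allows() {
    gen_rules full | grep -c -- "-i $1 -o $2 .*-j ACCEPT" || true
}

gen_rules "${1:-full}"
```

Running the script with `tcpudp` shows the chain that matches the behaviour complained about (pings logged and dropped, tcp to any outside port allowed); running it with `full` shows the one extra rule per zone pair that fixes it, while `uphill_allows eth2 eth0` stays at zero in both modes.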
