On Wed, 17 May 2006 12:46:49 +1200 Volker Kuhlmann <[EMAIL PROTECTED]> wrote:
> > > Yes that's all fine, but not the point. The point is, all servers on the
> > > internet are reachable *by the orange*, and that's a bad joke.
> >
> > It works on the idea that there are levels of security, and you need
> > no special rights to access hosts at a lower level of security than
> > yourself. Green > Orange > Red. To the best of my knowledge this is a
> > fundamental concept
>
> Yes, it is, but it's not the only fundamental concept. Others are: don't
> allow access unless needed, use more than one line of defense.
>
> SuSEfirewall takes this as a given, and all this routing stuff is
> trivial to configure (no eye candy though). I was expecting as much from
> a dedicated firewall, but ipcop is definitely a step down in where it
> really matters: the iptables rules. I've been thinking cheekily whether
> I can plonk SuSEfirewall on top of ipcop Linux... (SUSE is now
> definitely desktop, no way it runs on 32MB).
>
> Ok I've made a 3x eth[012] ipcop test box and found something to connect
> to each end. ipcop gui, firewall->firewall options->disable ping
> response: set to no.
>
> Bug 1: it never accepts pings from internal, server, or outside (just
> logs and dumps).

Wrong.

PING 192.168.3.5 (192.168.3.5) 56(84) bytes of data.
64 bytes from 192.168.3.5: icmp_seq=1 ttl=127 time=0.502 ms
64 bytes from 192.168.3.5: icmp_seq=2 ttl=127 time=0.455 ms
64 bytes from 192.168.3.5: icmp_seq=3 ttl=127 time=0.439 ms

> Bug 2: It never forwards pings from the server to the outside.

Wrong.

[EMAIL PROTECTED]:~# ping www.google.com
PING www.l.google.com (66.102.7.147) 56(84) bytes of data.
64 bytes from 66.102.7.147: icmp_seq=1 ttl=239 time=169 ms
64 bytes from 66.102.7.147: icmp_seq=2 ttl=239 time=169 ms

> But the server can connect to any
> tcp port outside... and the user setup doesn't allow configuration of
> anything but udp or tcp.

Wrong.

GRE DEFAULT IP : GRE => 192.168.xxx.yyy : GRE VPN

> All nice-looking GUI, but the rules are put
> together with an astonishing carelessness!
> Trust *that*??? Very
> disappointing.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header
> http://volker.dnsalias.net/ Please do not CC list postings to me.

Sorry Volker, you're just plain wrong on most of your points. Are you
using the current version? It's at 1.4.10.

And yes, I do trust it. No, I'm not disappointed. You're welcome to try
and break in any time.

Steve
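The two principles argued over in this exchange (the Green > Orange > Red level model, and "don't allow access unless needed") can be written down as one small default-deny ruleset. The script below is an added illustration, not IPCop's or SuSEfirewall's own rules; the interface-to-zone mapping (eth0 green, eth1 orange, eth2 red), the choice to answer ping from every zone, and the handful of ports the DMZ is allowed to reach are all assumptions. It emits iptables-restore syntax rather than calling iptables, so it can be inspected on any machine; NAT is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the thread): generate a three-zone iptables-restore
# ruleset.  Interface names and the allowed DMZ ports are assumptions.
GREEN=eth0   # trusted LAN (highest level)
ORANGE=eth1  # DMZ
RED=eth2     # internet (lowest level)

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies for flows that were already permitted, in every direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# the firewall itself answers echo-request from every zone (assumption)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# level model: a higher zone may open flows to any lower zone
-A FORWARD -i $GREEN -o $ORANGE -j ACCEPT
-A FORWARD -i $GREEN -o $RED -j ACCEPT
# "only what is needed": the DMZ reaches the internet for DNS, HTTP(S)
# and ping, not for arbitrary TCP ports (assumed set of services)
-A FORWARD -i $ORANGE -o $RED -p udp --dport 53 -j ACCEPT
-A FORWARD -i $ORANGE -o $RED -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $ORANGE -o $RED -p icmp --icmp-type echo-request -j ACCEPT
# everything else (orange -> green, red -> anything) is logged, then hits
# the FORWARD DROP policy; rate-limited so a flood cannot fill the log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Offline policy check: is there an ACCEPT for traffic entering on \$1 and
# leaving on \$2?  Prints "allow" or "deny" without touching the kernel.
zone_pair_allowed() {
    if gen_ruleset | grep -q -- "-A FORWARD -i $1 -o $2 .*-j ACCEPT"; then
        echo allow
    else
        echo deny
    fi
}

# On a real box: gen_ruleset | iptables-restore --test   (syntax check only)
```

The FORWARD policy is DROP, so the orange -> green and red -> anything directions need no explicit rule: they are denied because nothing permits them, which is the "more than one line of defense" point, since a forgotten rule fails closed rather than open.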
