On Wed, 17 May 2006 15:34:52 +1200 Volker Kuhlmann wrote:

> It's part of the fundamental idea of a firewall to prevent exactly that. Fundamental is that anyone outside can connect to the server (special situations notwithstanding), but it seems only Craig and I on this list understand that the reverse is a Bad Idea(TM).

So what sort of server are you wanting to run, and where should/shouldn't IPCop let it connect to? For example, a mail server needs to connect to any IP address to deliver to the MX host of addressees' emails. Of course, if you want to use your ISP as a smart relay you could restrict outgoing SMTP transactions to the IP address of your ISP's SMTP server. Until they change the IP address, which they can do, as that's what DNS is for.

Granted, your webserver shouldn't need to *initiate* connections to the world.

It appears that different people have different views of what a DMZ (like IPCop's orange zone) should allow. IPCop seems to regard it as a zone that is open to the internet, and is firewalled from the green/internal zone except for a few defined ports. This section of the manual seems to make that clear:

http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html#section-dmz-pinholes

Others (including Volker) believe that a DMZ should be more actively controlled, including its interactions with the outside world.

In fact IPCop doesn't implement egress [1] filtering at all on the green interface, nor it seems on the orange interface. It is available as an addon.

Many people use no more firewall than their ADSL/cable modem blocking incoming connections as a result of NAT. Their rooted winboxes are free to phone home, or Korea, or the FBI, or anywhere they choose.

Egress filtering is a PITA unless there is a network manager there to open those odd ports (I've lately visited web servers on port 8080, which isn't as common as it used to be.)

To criticise IPCop for lack of egress filtering is a bit steep IMHO. It's not uncommon for firewalls to allow all outgoing traffic. If IPCop hasn't got the features you want then move on (which it sounds like you have anyway).

Cheers.

[1] for various attempts to define "egress" see "A Hat Full of Sky" by T Pratchett

-- 
Nick Rout <[EMAIL PROTECTED]>
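The egress policy the thread argues about (DMZ mail server may only deliver via the ISP's relay, DMZ web server never initiates connections), as an added example that is not part of the original list post and not IPCop's own code; interface names and all addresses are constructed placeholders, and the script prints the iptables commands rather than applying them so the policy can be reviewed first.

```shell
#!/bin/sh
# Egress rules for a DMZ ("orange") interface, printed as iptables commands.
# Every value below is a constructed placeholder; override via the environment.
ORANGE_IF="${ORANGE_IF:-eth2}"        # DMZ interface
RED_IF="${RED_IF:-ppp0}"              # internet-facing interface
RELAY_IP="${RELAY_IP:-192.0.2.25}"    # ISP smart relay (documentation address)
DNS_IP="${DNS_IP:-192.0.2.53}"        # resolver the DMZ hosts may query
MAIL_HOST="${MAIL_HOST:-10.0.2.10}"   # DMZ mail server
WEB_HOST="${WEB_HOST:-10.0.2.20}"     # DMZ web server

# Emit the ruleset. Only FORWARD traffic from orange to red is considered;
# the chain ends in DROP, so anything not listed is egress-denied.
dmz_egress_rules() {
    cat <<EOF
iptables -N DMZ_EGRESS
iptables -A FORWARD -i $ORANGE_IF -o $RED_IF -j DMZ_EGRESS
# replies to inbound connections (the web server answering its clients) pass
iptables -A DMZ_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
# mail server may deliver only through the ISP relay; if the relay's address
# changes (the caveat raised in the thread) this rule must be regenerated
iptables -A DMZ_EGRESS -s $MAIL_HOST -d $RELAY_IP -p tcp --dport 25 -m state --state NEW -j ACCEPT
# name resolution is allowed only to the designated resolver
iptables -A DMZ_EGRESS -d $DNS_IP -p udp --dport 53 -j ACCEPT
iptables -A DMZ_EGRESS -d $DNS_IP -p tcp --dport 53 -j ACCEPT
# the web server never initiates connections: log (rate-limited) then drop
iptables -A DMZ_EGRESS -s $WEB_HOST -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ-EGRESS-DENY "
iptables -A DMZ_EGRESS -j DROP
EOF
}

# Apply only when explicitly asked; default is a dry run that prints the rules.
dmz_egress_apply() {
    if [ "${APPLY:-0}" = "1" ]; then
        dmz_egress_rules | sh
    else
        dmz_egress_rules
    fi
}

[ "${SOURCED:-0}" = "1" ] || dmz_egress_apply
```

Run with `APPLY=1` as root to load the rules; without it the script only prints them, which is also what the test below inspects.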
