> So what sort of server are you wanting to run and where should/shouldn't
> IPCOP let it connect to?
>
> for example a mail server needs to connect to any IP address to deliver
> to the MX host of addressees' emails.

Usual rule: if you're not using it, shut it down and/or don't let it in. That's for setting up servers. You reflect that again on the firewall looking at the server. SMTP or whatnot, same rule. Sorry, I assumed that was common sense.

> Of course if you want to use your ISP as a smart relay you could
> restrict outgoing smtp transactions to the IP address of your ISP's smtp
> server.

Good move!

> Until they change the IP address, which they can do, as that's
> what DNS is for.

If you can specify the ISP's SMTP relay by name, fine, but it's not commonly possible with iptables. Additional problem: at the time that rule goes in, the rules for DNS lookups have to be already in place, which isn't the case if you use bulk commit (advisable), and in any case is difficult to achieve. One could periodically check up on the IPs automatically... so far I've seen nothing that can do that though.

Of course, for LAN workstations any sort of outgoing filtering is a PITA, so at home I wouldn't bother. Other places may have different policies.

> addon. Many people use no more firewall than their adsl/cable modem
> blocking incoming connections as a result of NAT.

True, for those ipcop is almost already overkill. ipcop is very good if there isn't a DMZ! With a DMZ the field gets thin.

> To criticise ipcop for lack of egress filtering is a bit steep IMHO.

On the green, no problem. All commercial routers can do it on the orange, as can pfsense and endian, but not smoothwall in the free GPL lite version.

> If ipcop hasn't
> got the features you want then move on (which it sounds like you have
> anyway).

No decision yet - been looking around. I was mainly interested in what the options are for mini-server setups, but I need a new firewall for home as well.

Btw pfsense: when it does something, it does it in kitchen-sink fashion. Interfaces can be fully assigned to cards in the browser. Rule entering is messy and takes a long time, not well laid out, but supports labelling. It's also unclear what things are for in places. After the "save rules" it also has an "apply rules". No proxies (yet). Traffic shaping between any two(!) interfaces. Some load balancing functions, a few other things aimed more at bigger networks. The CD can be run as live CD! (save your config before rebooting) or be installed. BSD based. Sophisticated when it does something, though user interface design is not outstanding. Requires javascript, skins, the default skin doesn't work with konqueror.

Clarkconnect and smoothwall don't support DMZ in the non-commercial versions.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
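The periodic re-check of the relay's addresses that the post above says no tool does, as an added example that is not part of this thread, of IPCop, or of any of the firewalls named: a small script meant to run from cron on the firewall. It resolves the ISP's SMTP relay by name, compares the result with the address set it applied last time, and only then rebuilds an iptables chain that lets the DMZ mail host reach tcp/25 on those addresses and logs and drops any other outgoing tcp/25. The chain name `SMTP_EGRESS`, the mail host address `192.0.2.25`, the relay name `smtp.isp.example` and the state file path are assumptions for illustration; hooking the chain from `FORWARD` on the orange interface is left to the operator. A failed DNS lookup deliberately leaves the existing rules in place rather than flushing the chain, which is the failure mode that matters when the rule for DNS lookups and the SMTP rule are committed together.

```python
"""Re-resolve the ISP's SMTP relay and rebuild an iptables egress chain for
the DMZ mail host (added example, not IPCop's own code).  CHAIN, MAIL_HOST,
RELAY_NAME and STATE_FILE are assumptions for illustration only."""
import socket
import subprocess
import sys

CHAIN = "SMTP_EGRESS"                   # assumed user chain, hooked from FORWARD
MAIL_HOST = "192.0.2.25"                # constructed: DMZ mail server address
RELAY_NAME = "smtp.isp.example"         # placeholder for the ISP relay hostname
STATE_FILE = "/var/run/smtp_relay_ips"  # assumed: last applied relay addresses


def resolve_relay(name, resolver=socket.gethostbyname_ex):
    """Return the sorted, de-duplicated IPv4 addresses of name, or None if the
    lookup fails.  None (not []) lets the caller keep the current rules rather
    than wiping them while DNS is unreachable."""
    try:
        _host, _aliases, addrs = resolver(name)
    except OSError:            # socket.gaierror / herror are OSError subclasses
        return None
    return sorted(set(addrs)) or None


def build_rules(relay_ips, chain=CHAIN, mail_host=MAIL_HOST):
    """iptables argument lists: flush the chain, accept tcp/25 from the mail
    host to each relay address, then log and drop every other tcp/25."""
    rules = [["-F", chain]]
    for ip in relay_ips:
        rules.append(["-A", chain, "-s", mail_host, "-d", ip,
                      "-p", "tcp", "--dport", "25", "-j", "ACCEPT"])
    rules.append(["-A", chain, "-p", "tcp", "--dport", "25",
                  "-j", "LOG", "--log-prefix", "SMTP-EGRESS-DENY "])
    rules.append(["-A", chain, "-p", "tcp", "--dport", "25", "-j", "DROP"])
    return rules


def refresh(name, previous_ips, resolver=socket.gethostbyname_ex):
    """One scheduled run.  Returns (ips_to_record, rules): rules is None when
    the lookup failed or the address set is unchanged, so nothing is applied."""
    ips = resolve_relay(name, resolver)
    if ips is None:
        return previous_ips, None     # keep the last known-good rules
    if ips == sorted(previous_ips):
        return ips, None              # no change, leave the chain alone
    return ips, build_rules(ips)


def main(apply=False):
    """Read the last applied address set, refresh, then print (dry run) or
    apply the iptables commands and record the new set."""
    try:
        with open(STATE_FILE) as fh:
            previous = fh.read().split()
    except OSError:
        previous = []
    ips, rules = refresh(RELAY_NAME, previous)
    if rules is None:
        return 0
    for rule in rules:
        if apply:
            subprocess.run(["iptables"] + rule, check=True)
        else:
            print("iptables " + " ".join(rule))
    if apply:
        with open(STATE_FILE, "w") as fh:
            fh.write("\n".join(ips))
    return 0


if __name__ == "__main__":
    sys.exit(main(apply="--apply" in sys.argv))
```

Run without arguments it only prints the commands it would issue, which is the form to test first; with `--apply` it calls iptables and records the address set. The chain itself has to exist and be referenced from `FORWARD` for the orange interface before the first run, so the initial setup still belongs in the firewall's own rule set, and this script only keeps the relay addresses inside it current.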
