On Tue, Sep 29, 2009 at 9:39 PM, Jerry Vonau <jvo...@shaw.ca> wrote:
> I've worked up what I think the basic layout of what the firewall rules
> need to look like that would be used with nocat's access.fw I've

Hey, that looks good! Haven't tested it either, but it reads logical
and right to my eyes.

One thing to note is that (if I understand this correctly) the way you
are working on it works by allowing/disallowing NAT. So far, so good.

If we enable an HTTP proxy, this will require a bit of additional
trickery... options I can see

1 - "local" HTTP traffic bypasses the proxy, and we use the 'NoCat'
chains to allow/block access to the proxy. This way we can keep the
proxy config simple and "unaware" of our access control.

2 - We involve the proxy in our access control. Pain ensues. Gangrene
starts to set in, doctor recommends amputation...

> I have not tested this yet... (I need sleep now..) Just looking for
> feedback at this point. Just wondering since the hood is up, should we be
> looking to lock down the services a bit?

Yes, that would be a good idea. From a "strictly XS" PoV, I'd say we want

 - eth0: ssh
 - lanbond0 / meshbond[0-2]: 8080(registr), 80, ssh, jabber,

but but... it would also be nice if the area of the rules defining the
services allowed stands out clearly, so a local admin can see where to
add a line to open a port, without having to grok our evil scheme.

Anyway -- you probably have thought of this and more. Time to get out
of your way...



m
-- 
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
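Added example, not code from this thread or from the NoCat/XS project: a shell sketch of the rule layout discussed above, with the per-interface service list kept in one clearly marked block a local admin can edit, and NAT gated by a chain the portal fills in for authenticated clients. Interface names and ports 80/8080/ssh come from the thread; the chain names (`XS_Services`, `NoCat_Clients`), the LAN subnet, and the use of 5222 for jabber are assumptions. `IPT` defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Sketch of a firewall layout for the XS: an easily found "allowed
# services" block, plus NAT that is only granted to clients the portal
# has authenticated. Chain names, subnet and the jabber port are assumed.
IPT="${IPT:-echo iptables}"            # set IPT=iptables to apply for real
LAN_NET="${LAN_NET:-172.18.0.0/16}"    # assumed internal subnet
MESH="lanbond0,meshbond0,meshbond1,meshbond2"

# ---- ALLOWED SERVICES: local admins, add a line here to open a port ----
# format: interfaces (comma separated):port/proto
SERVICES="
eth0:22/tcp
$MESH:22/tcp
$MESH:80/tcp
$MESH:8080/tcp
$MESH:5222/tcp
"
# ------------------------------------------------------------------------

# Turn SERVICES into one ACCEPT rule per interface/port in XS_Services.
emit_services() {
  for entry in $SERVICES; do
    ifaces=${entry%%:*}
    portproto=${entry#*:}
    port=${portproto%/*}
    proto=${portproto#*/}
    for ifc in $(echo "$ifaces" | tr ',' ' '); do
      $IPT -A XS_Services -i "$ifc" -p "$proto" --dport "$port" -j ACCEPT
    done
  done
}

# Base policy: drop by default, accept replies, consult the service block
# for INPUT, and only forward (NAT) LAN traffic that NoCat_Clients accepts.
setup_base() {
  $IPT -N XS_Services
  $IPT -N NoCat_Clients
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -j XS_Services
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -s "$LAN_NET" -o eth0 -j NoCat_Clients
  # Unauthenticated clients fall through NoCat_Clients to the DROP policy.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o eth0 -j MASQUERADE
}

# Hooks the portal would call when a client logs in / out (assumed names).
grant_client()  { $IPT -I NoCat_Clients -s "$1" -j ACCEPT; }
revoke_client() { $IPT -D NoCat_Clients -s "$1" -j ACCEPT; }

if [ "${1:-}" = "show" ]; then
  setup_base
  emit_services
fi
```

Run with `sh rules.sh show` to print the generated rule set; only with `IPT=iptables` does it touch the kernel. Keeping the service list as data at the top means opening a port is a one-line edit, while the NAT gating lives in its own chain that the portal alone manipulates.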
