| 1 |
On 14/10/13 20:08, Martin Vaeth wrote: |
| 2 |
> William Kenworthy <billk@×××××××××.au> wrote: |
| 3 |
>> |
| 4 |
>> If you are going to go to this bother ... why not use shorewall, create |
| 5 |
> |
| 6 |
> When I checked for scripts creating rules, none fulfilled my needs. |
| 7 |
> (I do not know whether I checked shorewall at this time). |
| 8 |
> For instance, instead of dropping most packets, I want to reject them |
| 9 |
> properly, only with a rate-limit to avoid DOS. Then there is the |
| 10 |
> mentioned port knocking, some forwarding etc. pp. |
| 11 |
> |
| 12 |
>> a custom configuration for each site (including any changes to services) |
| 13 |
>> and and have your script just copy them in and restart the various |
| 14 |
>> services including shorewall? |
| 15 |
> |
| 16 |
> Instead of managing dozens of configurations manually, |
| 17 |
> I think it is easier to have one script which creates an |
| 18 |
> appropriate custom configuration on all my machines, depending |
| 19 |
> on certain files in /etc and other tests. That's why I always |
| 20 |
> run my firewall script on startup (or if I severely change |
| 21 |
> the configuration). |
| 22 |
|
| 23 |
Been there, done that, after the various disasters of editing/sed'iting |
| 24 |
in place config files I took the cowards way out - at least when it all |
| 25 |
goes wrong its now easy to fix, and is a LOT less fragile, especially |
| 26 |
after upgrades :) Its also a lot harder to do once you get to some of |
| 27 |
the weirder environments with conflicting requirements. Keep in mind |
| 28 |
that shorewall or similar wont handle all the parts needed to make this |
| 29 |
work ... vpn's, services etc will need scripting as well, but they |
| 30 |
certainly make the firewall part easier and more secure. |
| 31 |
|
| 32 |
Also, if you are editing iptables scripts yourself have a look at |
| 33 |
shorewall, monmotha or most other "professional" scripts - can you |
| 34 |
guarantee you are covering as many bases as these do? - I always shudder |
| 35 |
when I see someone put together a "few" rules and think its as good as |
| 36 |
something thats stood the test of time and review. Or think of it this |
| 37 |
way, you are using port knocking and trying for extreme "defence in |
| 38 |
depth", but use a home brew firewall ... I dont see anything strange |
| 39 |
about your requirements and think they should be within the capability |
| 40 |
of most firewall setups and a knowledgeable admin. |
| 41 |
|
| 42 |
I totally agree on network manager - its a pita. In this cae its a left |
| 43 |
over from an abortive attempt to like gnome3 ... I am now using LXDE but |
| 44 |
everytime I try and strip more gnome out of the system it either breaks |
| 45 |
or reinstalls the gnomey bits Ive just removed :( |
| 46 |
|
| 47 |
Maybe a reinstall during the Christmas break - prezzies! |
| 48 |
|
| 49 |
BillK |
Archives