On 14/10/13 20:08, Martin Vaeth wrote:
> William Kenworthy <billk@×××××××××.au> wrote:
>>
>> If you are going to go to this bother ... why not use shorewall, create
>
> When I checked for scripts creating rules, none fulfilled my needs.
> (I do not know whether I checked shorewall at this time).
> For instance, instead of dropping most packets, I want to reject them
> properly, only with a rate-limit to avoid DOS. Then there is the
> mentioned port knocking, some forwarding etc. pp.
>
>> a custom configuration for each site (including any changes to services)
>> and have your script just copy them in and restart the various
>> services including shorewall?
>
> Instead of managing dozens of configurations manually,
> I think it is easier to have one script which creates an
> appropriate custom configuration on all my machines, depending
> on certain files in /etc and other tests. That's why I always
> run my firewall script on startup (or if I severely change
> the configuration).

Been there, done that. After the various disasters of editing/sed'iting
in-place config files I took the coward's way out - at least when it all
goes wrong it's now easy to fix, and is a LOT less fragile, especially
after upgrades :) It's also a lot harder to do once you get to some of
the weirder environments with conflicting requirements. Keep in mind
that shorewall or similar won't handle all the parts needed to make this
work ... VPNs, services etc. will need scripting as well, but they
certainly make the firewall part easier and more secure.

Also, if you are editing iptables scripts yourself, have a look at
shorewall, monmotha or most other "professional" scripts - can you
guarantee you are covering as many bases as these do? I always shudder
when I see someone put together a "few" rules and think it's as good as
something that's stood the test of time and review. Or think of it this
way: you are using port knocking and trying for extreme "defence in
depth", but use a home-brew firewall ... I don't see anything strange
about your requirements and think they should be within the capability
of most firewall setups and a knowledgeable admin.

I totally agree on network manager - it's a pita. In this case it's a left
over from an abortive attempt to like gnome3 ... I am now using LXDE but
every time I try and strip more gnome out of the system it either breaks
or reinstalls the gnomey bits I've just removed :(

Maybe a reinstall during the Christmas break - prezzies!

BillK
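The two ideas in the quoted part of the thread, a "reject properly, but rate-limited so a flood cannot abuse it" policy and a single script that derives the per-host rule set from marker files under /etc, as an added example. This is not Martin's or BillK's script and not shorewall output; the chain name RATE_REJECT, the limits, the directory /etc/firewall-example (override with FW_CONF_DIR) and the allow-ssh / allow-http marker-file convention are all this example's own assumptions. The script emits an iptables-restore rule set, so it can be reviewed as text before anything is loaded:

```shell
#!/bin/sh
# Added example, not a script from the thread. Generates an iptables-restore
# rule set in which unsolicited packets get a proper REJECT answer (TCP RST or
# ICMP unreachable) up to a rate limit; above the limit they fall through to
# the INPUT policy and are silently dropped, so a flood cannot turn the
# firewall into a reply amplifier. Which services are opened depends on
# marker files in a per-host directory (hypothetical path, see below).
FW_CONF_DIR="${FW_CONF_DIR:-/etc/firewall-example}"   # assumed location
REJECT_RATE="${REJECT_RATE:-10/second}"               # tune per site
REJECT_BURST="${REJECT_BURST:-50}"

# Print the complete rule set on stdout (nothing is applied here).
fw_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default: silent drop
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':RATE_REJECT - [0:0]'     # example's own chain

    # Stateful basics: loopback and packets belonging to known flows.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Per-host policy: a marker file opens a service (constructed convention).
    if [ -e "$FW_CONF_DIR/allow-ssh" ]; then
        printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    fi
    if [ -e "$FW_CONF_DIR/allow-http" ]; then
        printf '%s\n' '-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT'
    fi

    # Everything else: polite reject while under the limit. When the limit
    # match no longer fires, RATE_REJECT ends without a verdict, control
    # returns to INPUT, and the DROP policy applies.
    printf '%s\n' '-A INPUT -j RATE_REJECT'
    printf '%s\n' "-A RATE_REJECT -p tcp -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REJECT --reject-with tcp-reset"
    printf '%s\n' "-A RATE_REJECT -p udp -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REJECT --reject-with icmp-port-unreachable"
    printf '%s\n' "-A RATE_REJECT -m limit --limit $REJECT_RATE --limit-burst $REJECT_BURST -j REJECT --reject-with icmp-proto-unreachable"
    printf '%s\n' 'COMMIT'
}

# Usage: sh fw.sh         -> print the rule set for review
#        sh fw.sh apply   -> load it atomically with iptables-restore (needs root)
case "${1:-print}" in
    apply) fw_rules | iptables-restore ;;
    *)     fw_rules ;;
esac
```

Loading through iptables-restore rather than a long sequence of iptables calls means the table is replaced atomically: there is no window in which half the rules exist, which is one of the failure modes the thread's "editing in place" disasters come from. Tuning REJECT_RATE and REJECT_BURST is a per-site decision; the values above are placeholders.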