Re: [ILUG] ipchains default policy

From: Niall O Broin (niall at domain magicgoeshere.com)
Date: Fri 28 Jul 2000 - 12:12:14 IST


On Fri, Jul 28, 2000 at 10:46:03AM +0100, Martin Feeney wrote:

> > It's the most secure method, but not necessarily the handiest. It's as long
> > as it as short, you've also got to open up every little port you're using if
> > you DENY everything.
>
> But, you don't just "throw together" a firewall. They have to have some
> planning. The most secure (and in fact it probably is the handiest) is
> default to DENY, then allow all your internal machines outgoing access.
> If you need incoming it's only one rule per port. There are 65536
> possible ports (TCP and UDP) giving 131072 different port/protocol
> combinations most of which you would have to specifically deny otherwise.

There's a tool available called, AFAIR, mason which helps you to build
firewalls. I've not used it (I keep intending to try it out), so I'm
speaking from the depths of my ignorance, but that never stops me :-)

Its mode of operation AFAIK is to have your masquerading box masquerade
everything, and then to carry out normal client operations while running
mason. It watches the net, and then builds a set of ipchains rules to allow
through only the traffic classes it has seen. You can then edit the set of
rules as desired e.g. to filter out netbios broadcasts.

Regards,

Niall O Broin
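As an added illustration of the default-DENY layout discussed in the quoted reply (this script is not from the list thread, nor from the mason tool): a minimal ipchains ruleset for a masquerading gateway that denies by default, lets the internal LAN out, and opens inbound ports one rule at a time. The interface names, the LAN range and the single inbound port (TCP/22) are constructed assumptions; with DRY_RUN=1, the default, the rules are printed rather than loaded, so the set can be reviewed on any host before it is applied.

```shell
#!/bin/sh
# Added example, not from the list thread: a default-DENY ipchains ruleset
# for a masquerading gateway. All values below are constructed assumptions:
#   EXT=eth0 is the Internet-facing interface, INT=eth1 the LAN side,
#   LAN=192.168.1.0/24 the internal network, INBOUND_TCP lists the only
#   ports offered to the outside (TCP/22 here).
# DRY_RUN=1 (default) prints the commands instead of loading them.
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.1.0/24}
INBOUND_TCP=${INBOUND_TCP:-22}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one ipchains command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Emit the complete ruleset, in order.
build_rules() {
    run -F                     # flush whatever was loaded before
    run -P input DENY          # default policies: nothing passes unless a rule allows it
    run -P forward DENY
    run -P output ACCEPT

    run -A input -i lo -j ACCEPT
    # Internal machines get outgoing access; masquerade what they send out
    # (in the forward chain -i names the outgoing interface).
    run -A input -i "$INT" -s "$LAN" -j ACCEPT
    run -A forward -i "$EXT" -s "$LAN" -j MASQ
    # Log and drop packets on the outside interface that claim a LAN source.
    run -A input -i "$EXT" -s "$LAN" -j DENY -l

    # Inbound services: exactly one rule per port/protocol, as the reply says.
    for port in $INBOUND_TCP; do
        run -A input -i "$EXT" -p tcp -d 0/0 "$port" -j ACCEPT
    done

    # Replies to connections the LAN opened: ipchains keeps no state, so
    # accept TCP packets that are not connection requests (! -y = no bare SYN)
    # and UDP answers from DNS servers to unprivileged local ports.
    run -A input -i "$EXT" -p tcp ! -y -j ACCEPT
    run -A input -i "$EXT" -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT
    # ICMP is needed for path-MTU discovery and error reporting.
    run -A input -i "$EXT" -p icmp -j ACCEPT
}

# Review helper: how many ACCEPT rules the generated set contains.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Run with DRY_RUN=1 to see the rules, DRY_RUN=0 as root to load them.
build_rules
```

Every ACCEPT in the set names an interface, so a rule added later for a new service stays a one-line change on the outside interface, while the default policies catch everything the author never thought about.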



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:07:01 GMT