Automatic Firewall
Riku Meskanen
mesrik at cc.jyu.fi
Sat Jan 10 22:21:11 UTC 2004
On Sat, 10 Jan 2004, Alan Cox wrote:
> On Sat, Jan 10, 2004 at 01:34:01PM +0100, Jean Francois Martinez wrote:
> > address in the 10.x.x.x is in direct contact with the Internet and,
> > according to your proposal, unfirewalled.
>
> It adds a fair bit if you add a "Masquerade" tick box to the existing
> network configuration bits.
>
BTW, I've been wondering for a loooong time why the default FW has not
been stateful.
OK, IIRC iptables was not the default before 8.0, but since then
I have not understood why not. Is it just that there is no simple
configuration tool for it yet, or is there some other reason?
We have been using iptables (w/ state/conntrack) for over a year now,
on really busy systems (backups, proxies, FTP servers, LDAP & Kerberos,
DHCP & DNS servers ...), with only minor problems in the
beginning, mostly with something like VLANs, but that has been
working for about a year now.
The first thing I've done this past year, right after installation, is to
replace the lokkit-created ipfilter from a simple template like
the following:
http://people.jyu.fi/~mesrik/rpms/ipfilter/ipfilter.templ
We haul terabytes of data through it each month and have no problems
at all.
Any reason not to ship a stateful filter by default? It would
make it easier for people with less networking experience to get
things working out of the box, without necessarily punching silly
holes in initscripts and the like. (I haven't looked recently to see if those
are still there ...)
The above template directly allows a client to use DHCP, NTP, NFS, etc.
without a single line of modification. Only the incoming connections need
to be customized, and ONLY in server use, when providing services to
other computers; workstations do not necessarily need to be touched.
A simple Python/Perl script could do that if nothing else.
Any plans yet?
:-) riku
PS. It would be nice if the quota package from Red Hat were upgraded
too. quota-3.06, currently in rawhide etc., is too old for
rpc.quotad port fixing; the newest is 3.10. For more details, see
http://www.ba.infn.it/calcolo/documenti/NFSServer.html#Firewall
--
[ This .signature intentionally left blank ]
More information about the fedora-devel-list mailing list
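A minimal stateful ruleset of the kind the message argues for, added here as an example for this page: it is not the ipfilter template linked in the message, nor Fedora's lokkit output, nor any Red Hat code. The function names, the "proto/port ..." service list format and the log prefix are this example's own assumptions; "-m state" is the iptables syntax of the period and is still accepted by current iptables as an alias of "-m conntrack --ctstate". The script emits iptables-restore(8) input rather than calling iptables directly, so the ruleset can be reviewed (and tested) before it is loaded as root.

```shell
#!/bin/sh
# Added example: generate a minimal stateful iptables ruleset in
# iptables-restore(8) format. Assumptions of this example (not from the
# message or its linked template): the function names and the
# "proto/port ..." service list are invented here; "-m state" is the
# iptables syntax of the period and is still accepted as an alias of
# "-m conntrack --ctstate".
#
# Server use (as root): sh stateful-fw.sh "tcp/22 udp/123" | iptables-restore
# Workstation use:      sh stateful-fw.sh "" | iptables-restore

# gen_stateful_ruleset "<proto>/<port> ..." -> ruleset on stdout, status 1 on bad input
gen_stateful_ruleset() {
    services=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# replies to traffic this host initiated (DNS, NTP, NFS, LDAP, Kerberos ...):
# conntrack matches them, so a client needs no per-service holes at all
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bad TCP flag combinations, stray ACKs)
-A INPUT -m state --state INVALID -j DROP
# ICMP: rate-limit echo requests, accept the rest (PMTU discovery needs it)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    # only a server needs this part: one explicit accept per offered service
    for svc in $services; do
        proto=${svc%%/*}
        port=${svc#*/}
        case $port in
            ''|*[!0-9]*) echo "bad port in '$svc'" >&2; return 1 ;;
        esac
        case $proto in
            tcp) echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT" ;;
            udp) echo "-A INPUT -p udp --dport $port -j ACCEPT" ;;
            *)   echo "bad protocol in '$svc'" >&2; return 1 ;;
        esac
    done
    cat <<'EOF'
# anything else: log a trickle for diagnosis, then fall through to policy DROP
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# count_open_ports "<services>" -> number of listening ports the ruleset opens
count_open_ports() {
    gen_stateful_ruleset "$1" | grep -c -- '--dport' || true
}
```

Lines beginning with "#" are ignored by iptables-restore, so the comments can stay in the loaded file. The point the message makes is visible in the output: a workstation gets an empty service list and still has working DNS, NTP and NFS over UDP, because conntrack tracks UDP request/reply pairs and admits the reply as ESTABLISHED; only a host that listens for other machines needs the explicit "--state NEW" accepts. One caveat worth checking on your own kernel: ISC dhclient reads its replies from a raw packet socket, which the netfilter INPUT hook never sees, so DHCP keeps working under a default-drop policy for a reason unrelated to conntrack.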