Automatic Firewall

Riku Meskanen mesrik at cc.jyu.fi
Sat Jan 10 22:21:11 UTC 2004


On Sat, 10 Jan 2004, Alan Cox wrote:
> On Sat, Jan 10, 2004 at 01:34:01PM +0100, Jean Francois Martinez wrote:
> > address in the 10.x.x.x is in direct contact with the Internet and,
> > according to your proposal, unfirewalled.
>
> It adds a fair bit if you add a "Masquerade" tick box to the existing
> network configuration bits.
>

BTW, I've been wondering for a loooong time why the default FW has not
been stateful.

Ok, IIRC iptables was not the default before 8.0, but since then
I have not understood why not. Is it just that there is no simple
configuration tool for it yet, or is there some other reason?

We have been using iptables (w/ state/conntrack) for over a year now,
on really busy (backups, proxies, ftp servers, ldap & kerberos,
DHCP & DNS servers ...) systems, with only minor problems in the
beginning, but those were mostly with things like using VLANs,
and that has been working for about a year now.

The first thing I've done this past year, right after installation, is to
replace the lokkit-created ipfilter with a simple template like
the following:

http://people.jyu.fi/~mesrik/rpms/ipfilter/ipfilter.templ

We haul terabytes of data each month through it and have no problems
at all.

Any reason not to ship a stateful filter by default? It would
make it easier for people with less networking experience to get
things working out of the box, without necessarily punching silly
holes in initscripts and the like. (I haven't looked recently to see
if those are still there ...)

The above template allows a client to use DHCP, NTP, NFS, etc. directly
without a single line of modification. Only the incoming connections need
to be customized, and ONLY in server use, when providing services to
other computers; workstations do not necessarily need to be touched.
A simple python/perl script could do that if nothing else.

Any plans yet?

:-) riku

ps.	It would be nice if quota from redhat were upgraded
	too. quota-3.06, currently in rawhide etc., is too old for
	rpc.quotad port fixing; the newest is 3.10. For more details, see
	http://www.ba.infn.it/calcolo/documenti/NFSServer.html#Firewall
-- 
    [ This .signature intentionally left blank ]
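The stateful host filter Riku describes above (default-deny inbound, replies to the host's own outbound connections accepted via conntrack, explicit holes only for services the host actually offers) can be expressed as an iptables-restore rule set. The script below is an added example written for this archive page; it is not the ipfilter.templ linked in the post, and the service ports passed on the command line, the ICMP types allowed and the REJECT type are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not the template from the post): emit an iptables-restore
# rule set for a stateful host firewall. The INPUT policy is DROP, so a
# plain workstation needs no holes at all: its DHCP, NTP, NFS and DNS
# traffic is initiated outbound and the replies match ESTABLISHED,RELATED.
# Only a host that serves others lists the TCP ports it exposes.
#
# Usage: gen_rules [tcp_port ...]    e.g.  gen_rules 22 80 | iptables-restore

gen_rules() {
    # Validate arguments before emitting anything, so a typo cannot
    # produce a half-written rule set.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_rules: bad port '$port'" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range '$port'" >&2
            return 1
        fi
    done

    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host.
-A INPUT -i lo -j ACCEPT
# Stateful core: replies to connections this host opened, plus related
# traffic such as ICMP errors and conntrack-helper data channels (ftp).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot place in any flow.
-A INPUT -m state --state INVALID -j DROP
# ICMP types needed for path MTU discovery and basic reachability checks.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
EOF

    # Explicit inbound holes, one per service port (assumed TCP).
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done

    cat <<'EOF'
# Everything else is refused with an ICMP error rather than silently dropped,
# so misconfigured clients fail fast instead of timing out.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

For a workstation, `gen_rules | iptables-restore` with no arguments is the whole configuration; for a server, only the port list changes. Note that dhclient on Linux uses a packet socket and so obtains its lease regardless of INPUT rules, which is why a DHCP client works under a default-deny policy without a dedicated hole.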