From: Sebastian Redl
Date: Thu, 04 Oct 2007 20:55:06 +0200
To: gentoo-amd64@lists.gentoo.org
Subject: Re: [gentoo-amd64] Re: KISS firewall not working on Gentoo Hardened
Message-ID: <4705370A.4010709@getdesigned.at>
References: <470438AA.8040502@singnet.com.sg>

Duncan wrote:
> "P.V.Anthony" posted 470438AA.8040502@singnet.com.sg, excerpted below,
> on Thu, 04 Oct 2007 08:49:46 +0800:
>
>> I was trying to get the KISS firewall working on Gentoo Hardened amd64.
>
> Personally, I tried a number of different firewall scripts, but wasn't
> really satisfied with any of them. Most of them tried to do too much --
> they had all sorts of config options for configuring big commercial
> networks, options for shutting off net access to a specific segment of
> the internal network at a specific time, for instance. I didn't /need/
> that sort of complex configuration, and it only made things more
> confusing, not less.
>
> At the same time, stuff that should have been simple ended up hugely
> complex. I was never sure which modules I needed for which options, and
> since I was configuring scripts that did the actual configuring of the
> IPTables based firewall, when something didn't work, I was never quite
> sure whether it was the script, or a bug in the kernel, or a missing
> module, or my mistake, or... Well, I'm sure you can identify right about
> now! =8^(

I have to disagree with this evaluation. In several years, I have found
that shorewall makes simple things simple, and difficult things I've
never tried.

My network is really, really simple: a firewall/fileserver/everything
with a slightly defective keyboard that I carry a screen to when it
doesn't work, plus a number of other computers (one desktop, three
laptops, usually) for various family members.

The firewall mainly does three things:

1) Block everything except a few services from the outside.
2) NAT.
3) A few direct port forwards to the desktop computer.

Configuring this is easy enough in IPTables (I did learn them somewhat,
out of interest, though I've forgotten a lot, too), but it's really,
really easy in shorewall.

In all the years I've used Gentoo now, I can only say that I'm highly
satisfied with the program. The only negative point I can find is that
it always wants to overwrite all the configuration files on an upgrade.

Sebastian Redl
-- 
gentoo-amd64@gentoo.org mailing list
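Added example, not part of the thread or of shorewall: the three things Sebastian lists (default-deny inbound with a few exceptions, NAT, and direct port forwards to the desktop) written out as the raw iptables rule set that a tool like shorewall generates for you. The interface names, LAN subnet, desktop address and port numbers are assumed placeholders; the script only prints the rules by default so they can be reviewed, and applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Assumed values (placeholders, override via the environment):
WAN="${WAN:-eth0}"                      # interface facing the internet
LAN="${LAN:-eth1}"                      # interface facing the home network
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # home network subnet
DESKTOP="${DESKTOP:-192.168.1.10}"      # desktop that receives port forwards
ALLOW_IN="${ALLOW_IN:-22 80}"           # TCP services reachable from outside
FORWARD_PORTS="${FORWARD_PORTS:-6881}"  # TCP ports forwarded to the desktop

# Emit the rule set as command lines without applying anything, so the
# resulting policy can be read (or diffed) before it touches the kernel.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
EOF
    # 1) Block everything from outside except a few services.
    for p in $ALLOW_IN; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 2) NAT: let the LAN out and hide it behind the WAN address.
    cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
    # 3) Direct port forwards: rewrite the destination, then permit the
    #    forwarded flow (DNAT alone does not open the FORWARD chain).
    for p in $FORWARD_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $p -j DNAT --to-destination $DESKTOP:$p"
        echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $DESKTOP --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Apply only on explicit request (needs root); otherwise show the plan.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e
else
    build_rules
fi
```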