From: William Kenworthy
Date: Mon, 14 Oct 2013 21:27:58 +0800
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Message-ID: <525BF15E.60206@iinet.net.au>
List-Id: Gentoo Linux mail <gentoo-user@lists.gentoo.org>
On 14/10/13 20:08, Martin Vaeth wrote:
> William Kenworthy wrote:
>>
>> If you are going to go to this bother ... why not use shorewall, create
>
> When I checked for scripts creating rules, none fulfilled my needs.
> (I do not know whether I checked shorewall at this time).
> For instance, instead of dropping most packets, I want to reject them
> properly, only with a rate-limit to avoid DOS. Then there is the
> mentioned port knocking, some forwarding etc. pp.
>
>> a custom configuration for each site (including any changes to services)
>> and have your script just copy them in and restart the various
>> services including shorewall?
>
> Instead of managing dozens of configurations manually,
> I think it is easier to have one script which creates an
> appropriate custom configuration on all my machines, depending
> on certain files in /etc and other tests. That's why I always
> run my firewall script on startup (or if I severely change
> the configuration).

Been there, done that. After the various disasters of editing/sed'ing config files in place, I took the coward's way out; at least when it all goes wrong it's now easy to fix, and it's a LOT less fragile, especially after upgrades :) It's also a lot harder to do once you get to some of the weirder environments with conflicting requirements.

Keep in mind that shorewall or similar won't handle all the parts needed to make this work ... VPNs, services etc. will need scripting as well, but they certainly make the firewall part easier and more secure.
Also, if you are editing iptables scripts yourself, have a look at shorewall, monmotha or most other "professional" scripts - can you guarantee you are covering as many bases as these do? I always shudder when I see someone put together a "few" rules and think it's as good as something that's stood the test of time and review. Or think of it this way: you are using port knocking and trying for extreme "defence in depth", but use a home-brew firewall ... I don't see anything strange about your requirements and think they should be within the capability of most firewall setups and a knowledgeable admin.

I totally agree on network manager - it's a PITA. In this case it's a leftover from an abortive attempt to like gnome3 ... I am now using LXDE, but every time I try and strip more gnome out of the system it either breaks or reinstalls the gnomey bits I've just removed :( Maybe a reinstall during the Christmas break - prezzies!

BillK
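The two things the thread keeps coming back to are a script that generates the ruleset for iptables-restore from a few site parameters, and rejecting unwanted traffic "properly" but under a rate limit so the firewall cannot be abused as a reflector. The POSIX sh below is an added example written for this page; it is not code from either poster, nor from shorewall or monmotha. The port list, rate and burst defaults are hypothetical, and the chain name RATE_REJECT is a name chosen here. It uses hashlimit keyed on source address rather than the plain limit match, because a single shared bucket would let one flooding host exhaust the reject budget for everybody else. A second function sanity-checks a generated ruleset before it is applied, since a generator that emits an incomplete table is the classic way to lock yourself out of a remote box.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that rejects unwanted packets with a per-source rate limit instead of
# silently dropping them. Port list, rate and burst below are hypothetical
# defaults; pass your own as arguments.

# gen_rules "<tcp ports>" "<rate>" "<burst>"  -> ruleset on stdout
gen_rules() {
    allow_tcp="${1:-22}"       # TCP ports open to the world (assumption)
    rate="${2:-10/second}"     # hashlimit rate, per source address
    burst="${3:-20}"           # initial token bucket, per source address

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RATE_REJECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF

    # One ACCEPT per published service; everything else falls through.
    for p in $allow_tcp; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done

    # Polite rejection, metered per source IP so a flood cannot turn the
    # firewall into a reflector. hashlimit keeps one bucket per srcip
    # (-m limit would share a single bucket across all senders). Anything
    # above the limit hits the final DROP.
    cat <<EOF
-A INPUT -j RATE_REJECT
-A RATE_REJECT -p tcp -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name rej_tcp -j REJECT --reject-with tcp-reset
-A RATE_REJECT -p udp -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name rej_udp -j REJECT --reject-with icmp-port-unreachable
-A RATE_REJECT -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name rej_other -j REJECT --reject-with icmp-proto-unreachable
-A RATE_REJECT -j DROP
COMMIT
EOF
}

# Sanity-check a generated ruleset (stdin) before handing it to
# iptables-restore: it must be one complete filter table and must keep at
# least one INPUT ACCEPT, otherwise a generator bug locks you out.
check_rules() {
    rules=$(cat)
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$first" = "*filter" ] || return 1
    [ "$last" = "COMMIT" ] || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT .* -j ACCEPT$' || return 1
    return 0
}

# Running the script prints the ruleset for the given ports, e.g.
#   sh genrules.sh "22 80 443"
gen_rules "$@"
```

To apply it the way the subject line suggests, pipe the output through the check and then through iptables-restore, e.g. `sh genrules.sh "22 80" | check_rules && sh genrules.sh "22 80" | iptables-restore --test` to parse without committing, then drop `--test` once it parses. Whatever the site-specific inputs are (the files in /etc Martin mentions), keep them out of the heredoc and feed them in as arguments so the generator stays testable without root.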