From: Marco
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Is this firewall safe?
Date: Fri, 24 Apr 2009 18:40:45 +0000
Message-ID: <93d30e950904241140u4b671695l2e7a60a427388491@mail.gmail.com>
In-Reply-To: <1240593796.13872.20.camel@mayo.local>
References: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com> <49F1F017.10302@cdf123.net> <1240593796.13872.20.camel@mayo.local>

On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder wrote:
> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
[...]
> While all that is correct, I would also consider it "bad network
> behavior" (no offense intended).

So you consider my 'reject-with' settings to be good practice?

> It feels like "security through obscurity". It may hamper the
> well-working of a TCP/IP network, as that relies heavily on ICMP.

I was not really sure how to configure ICMP (ping) correctly. Any input
appreciated!

> Probably it will never be a problem for you, but it could be a problem
> for a network administrator.
>
> Also: if you wish to scan (nmap) yourself to check your system
> (configuration), you'll wish for REJECT instead of DROP :)

You mean as the default policy?

> On a (not so) different topic:
> If you're going to make your firewall more complex (more services, or
> other stuff), I'd suggest using a widely used firewall script. That is
> more secure than writing your own firewall configuration, because in the
> long run it will be better maintainable (and they often also do "smart
> stuff(TM)" ;)
>
> My recommendation is "net-firewall/shorewall". It has a well balanced
> abstraction/granularity-ratio, and the produced iptables rules are still
> readable :)

This is considered to be my learning example. Later I will definitely
consider using shorewall (learning one thing at a time).

Thanks!

--
Regards,
Marco
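The two questions in the exchange above (how to let ICMP through without opening the host up, and whether REJECT belongs in the default policy) are easiest to answer with a concrete INPUT ruleset. The script below is an added example written for this page; it is not Marco's firewall, nor anything from shorewall or the thread. The interface name `eth0`, the open port 22, the `APPLY=1` switch and the `count_rules` helper are all assumptions chosen for illustration. By default it only prints the rules as a dry run, so it can be read and checked without touching a live system.

```shell
#!/bin/bash
# Added example (not from the mailing-list thread): a small IPv4 INPUT
# ruleset showing the REJECT-versus-DROP choice and the ICMP types a
# working TCP/IP host still needs. All host details are assumptions.
set -eu

WAN_IF="eth0"          # hypothetical external interface
OPEN_TCP_PORTS="22"    # hypothetical services reachable from outside

# Emit the rules as text. They are only executed when APPLY=1 is set and
# the script runs as root; otherwise this is a dry run for review.
fw_rules() {
  local port
  cat <<EOF
# Policies can only be ACCEPT or DROP, so DROP is the safety net that
# applies if the chain is ever flushed; REJECT has to be a normal rule.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT

# Loopback, replies to our own connections, and obviously broken packets.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ICMP that keeps TCP/IP healthy: path-MTU discovery and error reports
# (destination-unreachable), traceroute (time-exceeded), and header
# errors (parameter-problem). Ping is answered but rate-limited.
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
EOF
  for port in $OPEN_TCP_PORTS; do
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF

# Final catch-all REJECT: a port scan against yourself (or a mistyped
# client) gets an immediate answer instead of a timeout. TCP gets a
# proper RST; everything else gets the conventional port-unreachable.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# How many emitted lines mention a given token (used for sanity checks).
count_rules() { fw_rules | grep -c -- "$1" || true; }

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  fw_rules | grep -v '^#' | grep -v '^$' | while read -r line; do
    eval "$line"
  done
else
  fw_rules
fi
```

Two points this makes concrete for the thread. First, "REJECT as the default policy" is not something iptables can express: `-P` accepts only ACCEPT or DROP, so the REJECT behaviour Daniel recommends comes from a trailing catch-all rule, with DROP left as the policy in case the chain is flushed. Second, allowing the three ICMP error types plus rate-limited echo-request is what stops the "hampers TCP/IP" problem without exposing anything new; the `-m limit` match keeps a ping flood from becoming a CPU or bandwidth problem.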