Re: Coyote Linux - bi-directional firewall?
From: Ian Jones (ian@dsl081-056-052.sfo1.dsl.speakeasy.net) Date: 12/27/01
- Next message: Geoff: "Re: small linux firewall/router advice"
- Previous message: mr.e: "CoyoteLinux oddness"
- In reply to: Steve Thompson: "Re: Coyote Linux - bi-directional firewall?"
- Next in thread: Luke Vogel: "Re: Coyote Linux - bi-directional firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ian Jones <ian@dsl081-056-052.sfo1.dsl.speakeasy.net> Date: Wed, 26 Dec 2001 17:05:56 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steve Thompson <sthompsonNOSPAM@ix.netcom.com> writes:
>> You have moved from host-based to network-based filtering and
>> detection. They are very different, but the difference has nothing to
>> do with windows versus linux.
>>
>> You would do well to do both as they each have their strengths.
>
> I had thought on what you said for quite some time. It
> finally occurred to me that what you'd posted is similar to
> the punchline of a joke I'd heard, vis-a-vis Micros**t, "The
> answer was absolutely correct, but totally worthless."
>
> Nowhere and at no time did I try to compare Linux with
> Micros**t's products. What I am after is a similar
> functionality of ZoneLab's ZoneAlarm. I am also after a
> similar functionality as RACF from IBM's MVS, but this does
> not mean that I'm comparing NT to MVS or either to Linux.
It is a commonly asked question around here..."can ipchains/iptables
warn me when a program tries to access the internet like ZoneAlarm
does under windows?" That program being the only exposure many from
the windows world have ever had with packet filtering. It is a natural
comparison to make.
Now my understanding of ZA is that it is purely a host-based
application and that it is not useful on a router/firewall
machine. Please correct me if my understanding is incorrect.
My suggestion was simply to filter packets on the network filtering
device while continuing to use ZA on the windows hosts. I was not
trying to proselytize anything. The two methods of access control are
simply different.
> That the functionality that I desire is most difficult to do
> on an external machine is something to which I will agree.
> However, if there is some way to limit access to eth0 (or
> however this resource should be defined) for output
> purposes, this would allow one to prevent the zombie-ing of
> their system. This is more to the point - being able to
> define something as a resource that can be controlled and
> that control can be managed via an authorization table or
> ruleset.
Yes, that resource can be limited in any way you would like. Perhaps
you are running into the problem that confronts many people with the
difference between INPUT/OUTPUT to the packet filtering device and
FORWARD of routed packets. You just have to adjust where you apply
your rules. Or perhaps we are talking past each other?
> [It is beginning to appear that should one admit they are
> new to Linux, that others tend to assume that one is new to
> computing.]
That was not my assumption nor did I mean any offense to you by my
"totally worthless" response. I will endeavor to avoid cluttering your
screen with responses in the future.
-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.
iD8DBQE8KnP0wBVKl/Nci0oRAo5PAJ9h4bYpSBKVtLkKKG4bKxFMfRtM/wCeIQLV
YNIsyqJvg56/WyXClUd7TFc=
=jfd6
-----END PGP SIGNATURE-----
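The INPUT/OUTPUT versus FORWARD distinction in the reply above is the crux of the thread, so here is an added ruleset (not Coyote Linux's own configuration and not code posted by anyone in the thread) that puts the two kinds of rules side by side. It uses iptables syntax; the `state` and `owner` matches need a 2.4 kernel with iptables, not ipchains. Everything concrete in it is assumed for the illustration: eth0 faces the Internet, eth1 the LAN, the LAN is 192.168.1.0/24, and the box runs its time client as the `ntp` user. FORWARD only ever sees packets routed through the box, so it is where the LAN hosts are controlled; OUTPUT only sees packets the firewall box itself generates, so it is where "limit eth0 for output purposes" on the router actually lives.

```shell
#!/bin/sh
# Added example for this thread; not Coyote Linux's ruleset and not code from
# any poster. Assumed: eth0 = Internet side, eth1 = LAN side, LAN is
# 192.168.1.0/24, the NTP client runs as user 'ntp'.
#
# FORWARD holds rules for packets the box ROUTES (the LAN hosts).
# OUTPUT holds rules for packets the box ITSELF sends. Neither chain sees the
# other's traffic, which is why rules "applied in the wrong place" do nothing.
IPT=${IPT:-iptables}     # set IPT=echo to print the rules instead of loading them
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# FORWARD: what LAN hosts may do through the box.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open HTTP, HTTPS and DNS outbound, nothing else.
    for port in 80 443; do
        $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport $port \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    # Log what falls through so a misbehaving LAN host shows up in the log;
    # the DROP policy discards it.
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# OUTPUT: what the firewall box itself may send out of eth0.
output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The box may resolve names and sync time, nothing else. The owner match
    # is only valid in OUTPUT: it ties NTP to the 'ntp' user, a per-user
    # authorization table rather than the per-program prompt ZoneAlarm gives.
    $IPT -A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $WAN -p udp --dport 123 -m owner --uid-owner ntp -j ACCEPT
    # Traffic toward the LAN side (DHCP answers, local DNS) is unrestricted.
    $IPT -A OUTPUT -o $LAN -j ACCEPT
    # Anything else the box tries to push out eth0 gets logged, then the
    # DROP policy discards it.
    $IPT -A OUTPUT -o $WAN -j LOG --log-prefix "OUT-DROP: "
}

# Run as root with "apply" to load the rules; any other invocation prints them.
case "${1:-show}" in
    apply) forward_rules; output_rules ;;
    *)     IPT=echo; forward_rules; output_rules ;;
esac
```

Running it without arguments prints the commands, which is the quickest way to check which chain a rule will land in before loading it. A process run as a non-`ntp` user on the firewall that tries to reach port 123, or anything at all on a port other than 53, produces an `OUT-DROP:` kernel log line rather than a connection; the same process on a LAN host produces `FWD-DROP:` instead, and neither rule set has any effect on the other case.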