Re: The best GUI for ipchains and/or iptables?
From: Tim Haynes (usenet@stirfried.vegetable.org.uk) Date: 05/22/02
- Next message: Barry Margolin: "Re: IP address <--> Global Positioning System (GPS)"
- Previous message: David: "Re: The best GUI for ipchains and/or iptables?"
- In reply to: Richard Kimber: "Re: The best GUI for ipchains and/or iptables?"
- Next in thread: "Re: The best GUI for ipchains and/or iptables?"
- Reply: "Re: The best GUI for ipchains and/or iptables?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Tim Haynes <usenet@stirfried.vegetable.org.uk> Date: 22 May 2002 16:10:45 +0100
Richard Kimber <rkimber@ntlworld.com> writes:
> On Wed, 22 May 2002 13:02:13 +0100, Tim Haynes wrote:
>
> > Gratuitous plug: <http://spodzone.org.uk/packages/secure/iptables.sh>
> > exists. Grab, edit, rejoice.
>
> I'm sure it's very good - but only if you have the same setup using ppp.
> The reason why people like a gui is that it asks straightforward
> questions and tailors the rules to the answers given.
That seems to be the role of braincell and $EDITOR, to me. If you don't
like my script, given in particular the idea that it's only a *start*point
and has placeholders for dialup LAN usage, then you can either change
`ppp0' into an appropriate interface name, or submit a diff by all means.
> Many people, like me, only have a very simple setup and it isn't cost
> effective to learn iptables.
Why on earth not? It's not a major investment, you just look at a script,
read it through and make it do what you want.
And it's a hell of a lot easier to get to grips with something either very
simple like mine (and other folks' scripts, by the same token) or that
you've written yourself, than it is to work out packet-flow amongst some
100-rule GUI thing.
> On the other hand, I agree that you must be very careful to check that
> the gui does what you want it to do. As I understand it, the default
> version of Firestarter has a not very well-known feature that it only
> closes those ports that you ask it to from a list it presents to you.
> Most people would probably assume that the default option would be to
> close everything else.
I'd make sure it was DROP-by-default, myself; anything else is unacceptable.
> I have still to encounter a gui or script for a single PC with a CM on
> eth0, offering no external services, that obviously and clearly (by which
> I mean that it says it in fairly simple language):
> a) allows all local activity
> b) allows in the ubr, dhcp & DNS servers
> c) allows me to get out
> d) allows in responses to activity initiated by me (in c)
> e) drops everything else unless I have specifically asked it not to
> which I take to be what I would need for reasonable security. I might add
> that it also should log sensibly - i.e not tell me about stuff I
> shouldn't be worried about.
You should read what mine does. There's a place for your required services
in `b', too. Yes, it's adequately commented - a block labelled "Open
ports" doesn't seem too hard to append into, does it?
I hate myself for having to advocate my script as a starting-point, now.
It's normally enough just to point at it and let people sort out for
themselves whether they want to bother or not.
~Tim
-- 
16:04:45 up 196 days, 16:37, 7 users, load average: 0.13, 0.20, 0.18
piglet@stirfried.vegetable.org.uk | Seedy heroes and silver tills
http://piglet.is.dreaming.org     | Sinking suns on a sea of thrills
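The five requirements Richard lists (a to e) plus "log sensibly" map onto a short DROP-by-default rule set. The script below is an added illustration by the editor; it is not Tim's iptables.sh nor anything else posted in the thread. It assumes a single host with one external interface (eth0 by default, ppp0 for dialup), that DHCP and DNS arrive on that interface, and that the kernel has the `state`, `limit` and `pkttype` matches. The interface, open-port list and DNS-server list are parameters, and the 192.0.2.x addresses in the usage note are constructed documentation addresses, not real resolvers. By default it only prints the rules so they can be read through first, which is the "look at a script, read it through" step Tim recommends; `--apply` feeds them to sh.

```shell
#!/bin/sh
# Added example (editor's, not the script from the post): DROP-by-default
# iptables policy for a single host, covering points a) to e) in the thread.
# Assumptions: one external interface, DHCP/DNS on that interface, and the
# "state", "limit" and "pkttype" matches available in the kernel.

rule() { printf 'iptables %s\n' "$*"; }   # one iptables command line
note() { printf '# %s\n' "$*"; }           # comment line in the listing

# emit_rules IFACE "TCP_PORT ..." "DNS_SERVER ..."
# Prints the complete rule set instead of running it, so it can be reviewed.
emit_rules() {
  ext="$1"
  open_ports="$2"
  dns_servers="$3"

  note "start clean; DROP by default on INPUT and FORWARD"
  rule -F
  rule -X
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT                     # c) this host may get out

  note "a) all local (loopback) activity"
  rule -A INPUT -i lo -j ACCEPT

  note "d) replies to connections this host initiated; broken state dropped quietly"
  rule -A INPUT -m state --state INVALID -j DROP
  rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  note "b) DHCP offers/acks (server port 67 to client port 68) and DNS replies"
  # DHCP replies do not match a tracked connection, so they need an explicit rule.
  rule -A INPUT -i "$ext" -p udp --sport 67 --dport 68 -j ACCEPT
  # DNS replies are already covered by ESTABLISHED; listed explicitly per server
  # so the listing states requirement b) in plain terms.
  for srv in $dns_servers; do
    rule -A INPUT -i "$ext" -s "$srv" -p udp --sport 53 --dport 1024:65535 -j ACCEPT
  done

  note "e) only the TCP services the user explicitly asked to open"
  for p in $open_ports; do
    rule -A INPUT -i "$ext" -p tcp --dport "$p" -j ACCEPT
  done

  note "logging: drop broadcast/multicast noise silently, rate-limit the rest"
  rule -A INPUT -m pkttype --pkt-type broadcast -j DROP
  rule -A INPUT -m pkttype --pkt-type multicast -j DROP
  rule -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix fw-drop:
  rule -A INPUT -j DROP                     # explicit, in addition to the policy
}

# Usage: fw.sh [--apply] [IFACE] ["PORTS"] ["DNS_SERVERS"]
# Without --apply the rules are only printed for review.
case "${1:-}" in
  --apply) shift; emit_rules "${1:-eth0}" "${2:-}" "${3:-}" | sh -e ;;
  *)       emit_rules "${1:-eth0}" "${2:-}" "${3:-}" ;;
esac
```

Review first, then apply as root: `sh fw.sh eth0 "" "192.0.2.53 192.0.2.54" | less`, then `sh fw.sh --apply eth0 "" "192.0.2.53 192.0.2.54"`. A dialup user substitutes `ppp0` for `eth0`; someone running sshd adds `"22"` as the port list. The ordering matters: the `ESTABLISHED,RELATED` accept sits before the per-service rules so replies are never logged, and the broadcast/multicast drops sit before the LOG rule so the log is not flooded with LAN chatter that is no cause for concern.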