
Setting up a Linux Firewall

20 years 8 months ago #2990 by Chris
Ahh .. yes .. correct .. Reject will send an ICMP error message back to the host.

As for displaying the IPTables loaded and running, you can also add the '-t nat' if you wish to display the NAT rules applied to the PostRouting, Prerouting and Output chain!

I usually use the "iptables -nL" and "iptables -nL -t nat" commands.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 8 months ago #2995 by Cheetah
Hi

Just my 0.02 cents.

1. When using a dedicated firewall, building your own, I would suggest recompiling is a must. I don't want my machine to run with the default "all-rounder" kernel. :)

2. Someone not interested in recompiling and stripping down, I would recommend using "Coyote" or "Devil-Linux". Now I cannot appreciate if someone says it takes time to set up a Linux Firewall, with such nice tools as above. "Devil-Linux" has almost everything you need on a gateway, and is still safe. Let the intruder write on my ramdisk, or let him try writing on my cdrom or write-protected floppy. ;)

3. It's true that with every major release, to get the kernel up & running great for the first time, takes time. For me it took more than 100 hrs, and still experimenting a lot now.

4. Drop is the best. But it depends on which scenario, your firewall works on.

5. With great tools available for making your life easier for configuring firewalls now, I would not spend "man hours" into scripts or command line. This way it's less prone to human error, and I would only see the rules & scripts if something is not really working the way I need.

6. I appreciate using exclusive machines for its dedicated purpose, but this is always not practical in home/soho environments. It works for corporates. So in my home network, I may have other services running on my firewall box itself.

Regards
-Cheetah

Kind Regards,
Cheetah
The outcome of devotion is, quality!
20 years 8 months ago #3002 by sahirh
While I agree that some of the tools you get nowadays make the configuration really easy, I still feel there's nothing like hand-crafted rules.. you can always polish things that little bit more, and you have that level of control and understanding.. plus all these tools merely generate the same script you would have written by hand..

I'm just checking out Smoothwall ( www.smoothwall.org ) and so far I'm really impressed by its no-nonsense approach. I will be reviewing it for cool software, but go take a look at it.. it's free, and will do just about anything you want from a firewall.. from VPNing to port forwarding

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com