debian-etch gateway

R. Wood rw at ncf.ca
Sun Aug 3 14:28:53 UTC 2008


Allegedly, on Sun, Aug 03, 2008 at 08:40:26AM -0300, Tom Daly stated:
> I run a debian-etch gateway for my house network (K/Xubuntu/XP
> mixture), and want to crank down security a tad.  If anyone has any
> comments/suggestions on this article
> <http://www.debian-administration.org/articles/23>
> I'd appreciate hearing from you

Hi,

You may need to supplement this article above with other
HOWTO's/tutorials/articles.  I notice for example that it doesn't
mention configuring /etc/network/interfaces at all.

The other thing I don't recommend (and this is just my opinion, based on
my own experience) is trying to cook up homemade firewall scripts.  This
topic is complicated enough, and there are a lot of subtle details that
create opportunities for security issues.  If "security" is a concern,
and it should be, I say leave firewalls to the professionals: find a
good 'firewall script' that allows you to specify what you want at a
higher level, and then the script will crank out the proper set of
iptables rules.  Two examples of firewall scripts are:
- shorewall (no GUI, just edit some text files according to the
  excellent documentation).
- firehol (same, no GUI).

The firewall needs to be set up carefully, methodically, and with
attention to detail.  Once it is in place it will handle the
ipmasq/NAT/port forwarding (different people use different terms)
automatically.

HTH,
Raymond
-- 
"Be Nice, or Leave - By Order of the Management"
(Sign above door, Black Sheep Inn, Wakefield)
GPG Fingerprint: 2E4D 8605 DD48 E80F F893  1C02 B65D 86D9 3B3C 0E03
Encrypted Email Preferred  |  War is BIG Business: Enough Excuses, Peace Now!
Bush-whacked 2004! Try to relax and enjoy the Chaos :-)  |  Free Tibet



