Iptables initialization

Bill's LFS Login lfsbill at nospam.dot
Fri Feb 13 09:08:40 PST 2004


On Thu, 12 Feb 2004 ken_i_m at elegantinnovations.net wrote:

> On Thu, Feb 12, 2004 at 07:32:11PM -0500, Archaic (archaic at indy.rr.com) wrote:
> > Just a note; I also prefer specifically denying certain known weaknesses
> > as well, even if they would be denied by default. The reason for this is
> > in case I make some bonehead mistake when allowing something, it will
> > still be denied.
>
> This may work for a system where you are the sole admin but it does not
> scale.  I work with a sysadmin who does as you do.  The print out of the
> ruleset goes for pages.  Fortunately, the task of rewriting them has been
> given to me.  Sanity will reign.

As a point of curiosity for me, I have been interested in learning some
of the aspects of the overhead associated with filtering (effectively)
for security purposes. Haven't done any research yet, but if you know of
some docs that address issues such as increased latency, propagation
delays, effects on overall throughput, I would be interested. Or if you
happen to gather these metrics during your rework, that would be useful.

My particular interest ATM is deciding if I can use my DX2/66 as a
gateway (not a lot of services to be exposed from behind the firewall)
and firewall, or if I should use the AMD 5x86 100MHz, or separate the
two functions. This is all new territory for me and feedback of the sort
mentioned, HOWTOs and other resources will help me decide on the proper
configuration. My current firewall is just "nothing gets in I didn't
request, except smtp connects" on my RH 6.2 box. It will be insufficient
somewhere down the road.

TIA

-- 
NOTE: I'm on a new ISP, if I'm in your address book ...
Bill Maltby
lfsbillATearthlinkDOTnet
Fix line above & use it to mail me direct.
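The "explicitly deny even what the default policy already denies" practice that Archaic describes in the quoted text above, as an added illustration that is not part of the original thread. It is an iptables-restore ruleset written for this note, not anything from the list; eth0 as the public interface, the blocked port ranges and the SMTP-only exception are constructed assumptions. The detail the prose does not spell out is ordering: the explicit DROP rules only act as a safety net if they sit before every ACCEPT in the chain, because the first matching rule wins.

```iptables
*filter
# Default-deny policies (assumed): anything no rule accepts is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Explicit denies FIRST. The DROP policy already covers these, but placing
# them ahead of every ACCEPT means a later over-broad ACCEPT (the
# "bonehead mistake") cannot accidentally expose them.
# eth0 is the assumed public interface.
# Spoofed loopback and RFC 1918 sources arriving from outside:
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
# Malformed TCP flag combinations:
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Services this host never intends to expose (constructed example:
# NetBIOS/SMB ports):
-A INPUT -i eth0 -p tcp --dport 135:139 -j DROP
-A INPUT -i eth0 -p tcp --dport 445 -j DROP
-A INPUT -i eth0 -p udp --dport 135:139 -j DROP

# Allows come AFTER the explicit denies.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The "nothing gets in I didn't request, except smtp connects" policy:
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
# A mistakenly broad rule added later, such as the commented line below,
# would still not open ports 135-139/445 because the DROP rules above
# match first:
# -A INPUT -i eth0 -p tcp --dport 1:1024 -j ACCEPT
COMMIT
```

The cost of this style is exactly what ken_i_m objects to: the ruleset grows, and every explicit deny is a rule packets traverse even when the policy alone would have dropped them. Keeping the denies grouped at the top of the chain, and limited to the handful of things one genuinely never wants an allow rule to override, keeps that overhead bounded.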
