Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 09:02:47 PST 2004

On Fri, 2004-02-13 at 11:08, Bill's LFS Login wrote:
> On Thu, 12 Feb 2004 ken_i_m at elegantinnovations.net wrote:
> > On Thu, Feb 12, 2004 at 07:32:11PM -0500, Archaic (archaic at indy.rr.com) wrote:
> > > Just a note; I also prefer specifically denying certain known weaknesses
> > > as well, even if they would be denied by default. The reason for this is
> > > in case I make some bonhead mistake when allowing something, it will
> > > still be denied.
> >
> > This may work for a system where you are the sole admin but it does not
> > scale.  I work with a sysadmin who does as you do.  The print out of the
> > ruleset goes for pages.  Fortunately, the task of rewriting them has been
> > given to me.  Sanity will reign.
> As a point of curiosity for me, I have been interested in learning some
> of the aspects of the overhead associated with filtering (effectively)
> for security purposes. Haven't done any research yet, but if you know of
> some docs that address issues such as increased latency, propagation
> delays, effects on overall throughput, I would be interested. Or if you
> happen to gather these metrics during your rework, that would be useful.
> My particular interest ATM is deciding if I can use my DX2/66 as a
> gateway (not a lot of services to be exposed from behind the firewall)
> and firewall, or if I should used the AMD 5x86 100MHz, or separate the
> to functions. This is all new territory for me and feedback of the sort
> mentioned, HOWTOs and other resources will help me decide on the proper
> configuration. My current firewall is just "nothing gets in I didn't
> request, except smtp connects" on my RH 6.2 box. Will be insufficient
> somewhere down the road.

You'll be pleased to hear that some of the models Cisco has out for
routing/filtering T1 lines only have 33Mhz CPUs in them, so give it a
shot with the 66Mhz machine just filtering traffic and put the services
on the 100Mhz machine box.  If at all possible you want the firewall to
only be firewalling things, as this means there's going to be fewer
avenues for failure or entry into the bastion host.
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org

More information about the hlfs-dev mailing list