From: "John A. Sullivan III"
Subject: Re: Firewall feature recommendation
Date: Fri, 24 Jun 2005 09:44:29 -0400
Message-ID: <1119620669.9774.1.camel@jasiiitosh.nexusmgmt.com>
Sender: netfilter-bounces@lists.netfilter.org
To: Kenneth Kalmer
Cc: Netfilter users list

On Fri, 2005-06-24 at 12:56 +0200, Kenneth Kalmer wrote:
> Guys
>
> I've built several iptables-based firewalls for some clients and
> personal use. Some of them are horrors, now that I look back on
> them... I want to build my own 'all-in-one' firewall for the most
> common network setups I use... I've used various other GPL'ed scripts
> for references in past firewalls and they do tend to open one's eyes a
> bit, thanks to everyone who released their scripts under the GPL.
>
> I understand iptables, so that's covered. I'm constantly researching
> security cause it's so damn interesting to see the precautions some
> people take, and the level of protection you yourself would never even
> have dreamed about...
>
> Now, these are the features (independent of implementation) that I've
> considered putting into my firewall:
> - Support for multiple interfaces on both LAN & WAN
> - NAT & DMZ
> - Black lists for inbound & outbound traffic
> - Host services (global or per interface, allows separation between
>   LAN & WAN services)
> - Access control on MAC, IP, or MAC-IP pairing
> - Administrative services (SSH) access control on MAC or MAC-IP pairing
> - VPN (IPSec, PPTP & SSL)
> - QoS
> - ICMP control
> - Managed logging
> - Expansion through custom chains*
>
> * Expansion through custom chains might help those often found
> scenarios that render your standard firewall inoperable. By creating,
> say, a PREINPUT chain or POSTINPUT chain, another script can modify
> that chain for any function not covered by the standard firewall
> features.
>
> I've got the "Modular Firewall Product Certification Criteria version
> 4.1" from ICSAlabs, but I've not had any time to investigate it yet.
>
> Please remember, this discussion is intended to be about features, not
> implementation. I'll cross that bridge when I get there...
>
> Any suggestions & advice would be appreciated.
>
> Kind regards

May I suggest taking a look at ISCS (http://iscs.sourceforge.net) and
see if it gets you close to what you seek. It's not a script but rather
a very flexible configurator that allows relatively easy management of
some of the complex features you cite - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
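The PREINPUT/POSTINPUT hook-chain idea from the quoted post, as an added example that is not part of the original thread: a POSIX sh script that emits an iptables-restore ruleset with the two hook chains, and lets a second script drop a blacklist entry into PREINPUT without editing the base rules. The chain names come from the post; the interface, port and the 203.0.113.7 address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Base ruleset: INPUT jumps to the
# PREINPUT hook before any standard rule and to POSTINPUT after them, so
# an extension only ever touches a hook chain. Interface/port are constructed.
base_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PREINPUT - [0:0]
:POSTINPUT - [0:0]
-A INPUT -j PREINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A INPUT -j POSTINPUT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Rule contributed by a separate script: a blacklisted source dropped in
# PREINPUT, i.e. before ESTABLISHED/RELATED or the SSH accept can match it.
extension_rule() {
    printf '%s\n' "-A PREINPUT -s $1 -j DROP"
}

# Merge the extension into the base ruleset just before COMMIT.
# Output is plain text; on a real host pipe it into iptables-restore.
merged_ruleset() {
    base_ruleset | while IFS= read -r line; do
        [ "$line" = "COMMIT" ] && extension_rule "$1"
        printf '%s\n' "$line"
    done
}
```

Running `merged_ruleset 203.0.113.7 | iptables-restore` on a host installs the base policy plus the blacklist entry in one atomic load.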