From: Kenneth Kalmer <kenneth.kalmer@gmail.com>
To: NetFilter <netfilter@lists.netfilter.org>
Subject: Firewall feature recommendation
Date: Fri, 24 Jun 2005 12:56:50 +0200 [thread overview]
Message-ID: <fad9d48405062403562537f546@mail.gmail.com> (raw)
Guys
I've built several iptables-based firewalls for some clients and
personal use. Some of them are horrors, now that I look back on
them... I want to build my own 'all-in-one' firewall for the most
common network setups I use... I've used various other GPL'ed scripts
for references in past firewalls and they do tend to open one's eyes a
bit, thanks for everyone who released their scripts under the GPL.
I understand iptables, so that's covered. I'm constantly researching
security cause it's so damn interesting to see the precautions some
people take, and the level of protection you yourself would never even
have dreamed about...
Now, these are the features (independent of implementation) that I've
considered to put into my firewall:
- Support for multiple interfaces on both LAN & WAN
- NAT & DMZ
- Black lists for inbound & outbound traffic
- Host services (global or per interface, allows seperation between
LAN & WAN services)
- Access control on MAC, IP, or MAC-IP pairing
- Administrative services (SSH) access control on MAC or MAC-IP pairing
- VPN (IPSec, PPTP & SSL)
- QoS
- ICMP control
- Managed logging
- Expansion through custom chains*
* Expansion through custom chains might help those often found
scenarios that render your standard firewall inoperable. By creating
say, a PREINPUT chain or POSTINPUT chain, another script can modify
that chain for any function not covered by the standard firewall
features.
I've got the "Modular Firewall Product Certification Criteria version
4.1" from ICSAlabs, but I've not had any time to investigate it yet.
Please remember, this discussion is intended to be about features, not
implementation. I'll cross that bridge when I get there...
Any suggestions & advice would be appreciated.
Kind regards
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
Folding@home stats
http://vspx27.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
next reply other threads:[~2005-06-24 10:56 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-24 10:56 Kenneth Kalmer [this message]
2005-06-24 13:26 ` Firewall feature recommendation /dev/rob0
2005-06-24 13:36 ` Carl Holtje ;021;vcsg6;
2005-06-24 13:45 ` /dev/rob0
2005-06-24 14:04 ` Carl Holtje ;021;vcsg6;
2005-06-24 14:12 ` Seferovic Edvin
2005-06-24 14:12 ` /dev/rob0
2005-06-24 14:32 ` /dev/rob0
2005-06-24 14:37 ` Jan Engelhardt
2005-06-24 14:53 ` /dev/rob0
2005-06-24 15:20 ` Carl Holtje ;021;vcsg6;
2005-06-24 15:23 ` Carl Holtje ;021;vcsg6;
2005-06-24 17:49 ` /dev/rob0
2005-06-24 15:12 ` Kenneth Kalmer
2005-06-24 13:44 ` John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fad9d48405062403562537f546@mail.gmail.com \
--to=kenneth.kalmer@gmail.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.