[Techtalk] Good firewall configuration tool for debian

Kathryn Andersen kat_lists at katspace.com
Fri Apr 9 20:23:42 EST 2004


On Fri, Apr 09, 2004 at 02:20:04PM +0530, Devdas Bhagat wrote:
> On 09/04/04 10:55 +1000, Kathryn Andersen wrote:
> > On Thu, Apr 08, 2004 at 07:35:29PM +0530, Devdas Bhagat wrote:
> > I must admit, I have just used firestarter as a set-and-forget firewall
> > because I didn't want to have to do things by hand, but I realized I
> > should have a firewall when I noticed odd things in my Apache access log which
> > looked as if someone was trying to exploit some MS-Windows hole (it was
> > trying to find files like ../../win32.exe and so on).
> Probably a worm. No packet filter will help you against exploits on a
> publicly available application.

Yes, well, I hadn't intended it to be publicly available.  I hadn't
realized that the default settings left it open to the public.

> > I'm just using dialup so it was really more of a precaution than
> > anything else.
> What are you doing running Apache on dialup anyway?

I'm running it privately to test out my website on, before I upload it
to the real site.  Occasionally I connect up my laptop running windows
to test out whether IE is broken on it or not.

> > If/When I move to ADSL... I notice in the listings of ADSL modems, one
> > could get a plain modem, or one could get a router which has all sorts
> > of built in stuff including NAT and a firewall.  Is it better to just
> > set up all that stuff on one's own box, or to use a router?  All I know
> > about NAT is that some people think it's evil...
> NAT breaks the peer to peer nature of the Internet. It does not provide
> any real security, but it provides a modicum of security for people who
> only wish to be consumers and are running locked down boxes.
> The NAT router will offer nothing more to you than a plain ADSL modem
> plus a hardened Linux box, but the Linux box can actually do a lot more.

Indeed, but how many zillions of hours will I need to devote in order to
harden my Linux box?  Or, indeed, to make my Linux box "do more"?
The learning curve for these sorts of things tends to be steep, and if I
have to learn about ten complicated things at once or my box will be
rooted, then maybe I just can't do it in enough time...

Is there a trade-off here, or am I being too daunted?

-- 
 _--_|\     | Kathryn Andersen	<http://www.katspace.com>
/      \    | 
\_.--.*/    | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
      v     | 
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha!  |	-> Earth -> Sol -> Milky Way Galaxy -> Universe
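As an added example, not part of this thread or of any Debian package, here is a small POSIX shell script that covers the two points raised above: the exposure came from Apache's stock `Listen` directive binding every address (so no packet filter was needed to explain it), and a hardened Linux box can still default-deny inbound traffic on the dial-up interface with a handful of iptables rules. The interface names ppp0 and eth0, the LAN range 192.168.1.0/24 and the sample configs are assumptions made for the example, not anything taken from the list.

```shell
#!/bin/sh
# Added example, not from the Techtalk thread.  Two defensive checks for a
# single Debian host on a dial-up link that runs Apache only for local testing.
#
# Assumptions (constructed for this example): the dial-up interface is ppp0,
# the laptop sits on a LAN reachable through eth0 as 192.168.1.0/24, and
# iptables is the packet filter.

# check_listen CONFIG_TEXT
#   Reads Apache "Listen" directives from the text passed as $1 and reports
#   the first one that binds every address.  A bare "Listen 80" (the stock
#   default) is the same as "Listen 0.0.0.0:80", so the test site becomes
#   reachable from the dial-up side as soon as the link comes up.
#   Returns 0 when every Listen is loopback or LAN only, 1 otherwise.
check_listen() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*Listen[[:space:]]' |
    while read -r _kw addr _rest; do
        case "$addr" in
            127.0.0.1:*|\[::1\]:*|192.168.1.*:*) ;;        # loopback or LAN bind
            *) echo "public bind: Listen $addr"; exit 1 ;;  # ends the loop subshell with status 1
        esac
    done
}

# firewall_rules
#   Prints a default-deny inbound ruleset instead of running it, so it can be
#   reviewed first.  Apply as root with:  firewall_rules | sh
#   Only the LAN may reach port 80; everything else inbound on ppp0 is dropped
#   and a rate-limited copy goes to syslog, which is where the odd requests
#   in the Apache log would show up instead.
firewall_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -m limit --limit 5/min -j LOG --log-prefix "ppp0-drop: "
EOF
}

# Constructed sample configs: the stock default and a locked-down one.
STOCK_CONF='Listen 80'
PRIVATE_CONF='Listen 127.0.0.1:80
Listen 192.168.1.2:80'

check_listen "$STOCK_CONF" || echo "stock config: Apache is reachable over ppp0"
check_listen "$PRIVATE_CONF" && echo "private config: loopback/LAN binds only"
```

The Listen check is the cheaper fix: binding Apache to 127.0.0.1 (and the LAN address when the laptop needs it) removes the exposure whether or not a packet filter is ever installed. The ruleset is the belt-and-braces layer for the "set up all that stuff on one's own box" option, and the LOG rule is what turns the Linux box into something that can show you what is knocking on the dial-up side.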