On Friday 17 February 2006 08:56, Timothy Murphy wrote:
> Steve Ziuchkovski wrote:
>> Is there a utility that allows iptables to be configured easily and
>> updated at runtime, but without sacrificing any security (other than
>> ports I open, of course!)?
>
> I'm not sure I understand your question perfectly,
> but shorewall has a number of standard configurations (e.g.
> two-interfaces), one of which would suit most situations, I imagine.
>
> I must say, as a shorewall user, I am surprised
> at the complication of the resulting iptables,
> which makes me think it must be rather difficult
> to set up iptables without using an extra program like this.

If it's really complex, then I suspect it's writing rules for each individual condition rather than a more generalized ruleset. I'm pretty bulletproof here, and I don't think there are more than 20 lines total for all the rules that NAT and masquerade between two cards. I have an added pair of rules I enable when running a torrent, and I also have to set up forwarding in the router, so it takes me maybe 2 minutes to start a seeder for FC4.2, for instance.

> A bit like sendmail, in fact.

It can be daunting, and was for me when I first set it up back in 2001. I also use tcpwrappers and portsentry. Portsentry can be set to have pretty sharp teeth, but that only confirms you are there to the potential cracker; it's better to just drop the perp on the floor and not respond at all on the first NEW NOT-SYN packet's arrival.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's stupid
bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
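The kind of short two-card NAT/masquerade ruleset Gene describes, including the "silently drop a NEW TCP packet that is not a bare SYN" rule and the extra port-forward pair for a seeder, as an added example that is not code from this thread; the interface names, the LAN subnet, the port/host values and the helper names (`gen_rules`, `forward_port`) are assumed placeholders:

```shell
#!/bin/sh
# Assumed placeholders: adjust to the real WAN/LAN cards and LAN subnet.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the base ruleset instead of running it, so it can be reviewed first
# (and counted: it stays well under the 20 lines mentioned in the post).
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
# A TCP packet that starts a NEW conntrack entry must be a bare SYN; anything
# else (stray ACK/FIN/RST probes) is dropped with no reply of any kind.
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Loopback plus replies to connections we or the LAN already opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The LAN may reach this box and go out through the WAN card, masqueraded.
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# The "added pair of rules" for a seeder: DNAT one TCP port arriving on the
# WAN card to a LAN host, and let that NEW connection through FORWARD.
# Appended after the non-SYN drop, so only a proper SYN ever reaches ACCEPT.
forward_port() {
    port="$1"
    host="$2"
    echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $host:$port"
    echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply only when asked explicitly (as root): sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    { gen_rules; forward_port 6881 192.168.1.10; } | grep -v '^#' | sh -e
fi
```

Without the `apply` argument the script only defines the functions, so `gen_rules` can be inspected with plain `sh -c '. ./firewall.sh; gen_rules'` before anything touches the live tables.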