
RE: [Sheflug] Wuftpd configuration problems + FIREWALLS



>>>>> "Neil" == Neil R Porter <Neil> writes:

    Neil> Another issue I was wondering whether the list could clear
    Neil> up.  I use Firestarter to configure my firewall.  However, I
    Neil> was wondering whether I was correct in my thoughts that the
    Neil> buck stops with iptables (kinda built into the kernel
    Neil> even?), and no matter which firewall proggy I use they all
    Neil> simply alter the iptables configuration.  Is this true?  If
    Neil> so I suppose even though my setup has bastille loading up at
    Neil> startup as long as firestarter is the last thing run (in
    Neil> /etc/rc.local) it will overwrite the work of bastille in
    Neil> iptables?  If this is the case then how come I can 'turn
    Neil> off' the firewall within firestarter - or so it claims on
    Neil> the icon button in the gui; can this be strictly true?

    Neil> As you can tell I am a little confused about firewalls in
    Neil> linux.  Using mandrake 8.1 btw.  Any pointers appreciated
    Neil> since I am not only running an ftp server but also hosting
    Neil> web pages in apache.  While at the moment this activity is
    Neil> only known by a few, in the future I will need to be fairly
    Neil> confident in my security measures.

Neil,

You're pretty much there when you say that the buck stops with
IPTables.

In fact it's the netfilter system in the kernel that deals with the
various tricks required for packet mangling and inspection needed for
firewalling and Network Address Translation (NAT - Masquerading) in
Linux.
IPTables is the userspace tool that allows you to control netfilter.
There is also an IPChains compatibility layer on top of netfilter to
allow IPChains-based rules over IPTables, although unless you have a
very good reason not to, stick with IPTables.

Any other application that you use (such as this 'firestarter' you
mentioned) will more than likely just call the 'iptables' command in
the background.

I would guess all Firestarter does at boot time is to run a script
containing a number of 'iptables' commands.
There is no reason why you cannot write one of these scripts yourself.

One of two things could happen if you have several systems setting
firewall/packet filtering rules at boot time:

a) The first program's rules are deleted and replaced by the second's
(not too bad, just a bit pointless, unless something else relies on
the first program configuring something a particular way)

b) The second program's rules are added to the end of the first
program's rules.
This is generally bad - results are likely to be a bit more
unpredictable.
Some rules will match/work others will not - it almost certainly will
not be as expected.

The best place for info on IPChains/netfilter is

http://netfilter.samba.org/

particularly Rusty Russell's 'Unreliable Guides' on firewalling, NAT
and everything IPTables.

'man iptables' is very useful, although may be a bit daunting if
you've not had any experience with this sort of thing.

Feel free to post more questions, and I'll chip in with what I can
tell you.

Cheers.

Baz.

-- 
Barrie J. Bremner		OpenPGP public key ID: F78CEE08
baz [at] barriebremner.com	http://barriebremner.com/
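A boot-time script of the kind described in the reply above, added here as an example (it is not Firestarter's or Bastille's own code): it flushes whatever an earlier tool left (case a) before adding its own rules, so that the append-and-hope behaviour of case b cannot occur, and it assumes the host serves only FTP and HTTP as Neil's does. Setting IPT=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Minimal netfilter/iptables boot script. Run as root, e.g. from /etc/rc.local.
# IPT=echo makes it a dry run: the iptables commands are printed, not executed.
IPT="${IPT:-iptables}"

# Case (a) from the mail: delete every rule an earlier program (Bastille,
# Firestarter, ...) installed, so this script's policy is the only one in effect.
flush_rules() {
    "$IPT" -F                  # flush all rules in the built-in filter chains
    "$IPT" -X                  # delete any user-defined chains
    "$IPT" -P INPUT DROP       # default: drop anything not explicitly allowed
    "$IPT" -P FORWARD DROP     # this host does not route for anyone
    "$IPT" -P OUTPUT ACCEPT
}

# Allow only the services this host actually offers (FTP on 21, HTTP on 80),
# plus loopback and replies to connections the host opened itself.
add_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT   # wu-ftpd control channel
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT   # apache
    # Log whatever falls through before the DROP policy discards it,
    # so unexpected connection attempts show up in the syslog.
    "$IPT" -A INPUT -j LOG --log-prefix "fw-drop: "
}

# Flush first, then add: skipping flush_rules gives case (b), where these
# rules are appended after existing ones and the earlier matches win.
firewall_boot() {
    flush_rules
    add_rules
}
```

For FTP data connections through a stateful ruleset the kernel also needs the ip_conntrack_ftp helper module loaded before the rules take effect.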


___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 