
Re: Why not have firewall rules by default?




On 2008-01-23 09:19:01, William Twomey wrote:
> It's my understanding (and experience) that a Debian system by default
> is vulnerable to SYN flooding (at least when running services) and other
> such mischief. I was curious as to why tcp_syncookies (and similar
> things) are not enabled by default.

Hmm, in three months I will have been using Debian GNU/Linux for 9 years, and
I was never SYN flooded or hacked, and currently I am maintaining a worldwide
network of 280 servers and over 900 workstations...

And I have services running, but only those which are REALLY
required, and no more.

> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> Debian was ever going to have this as an option?

Sorry, but Debian is NOT an "install and do not ask questions" distribution.
Here, the $USER has the choice of a couple of different firewall
solutions, and some $USER may use only an $EDITOR and hack some ipt
lines down.

> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the same
> way /etc/rc2.d gets read in numeric order). So you could have files like
> 22ssh, 23ftp, etc. with iptables rules in each file. You could also have
> an 'ENABLED' variable like some files in /etc/default have (so that
> ports wouldn't be opened by default; the user would have to manually
> enable them for the port to be opened).
>
> Then they'd just run /etc/init.d/iptables restart and the port would be
> opened (flush the rules, reapply).

Nice idea, but not flexible enough since it CAN conflict with most
firewall solutions.

> Even a central iptables-save format file that gets passed to iptables at
> startup would be nice. It's easy enough to do manually, but would be
> nice to see integrated with Debian itself (packages managing their own
> rules, etc.).

But not usable for most firewall solutions...

I have already tried the ipt-save/restore stuff on my routers, but it
drove me crazy...

> Is Debian ever going to introduce a better way of having iptables rules
> be run at startup and easily saved/managed, or will this always be a
> manual process?

I think not.

Thanks, Greetings and nice Day
   Michelle Konzack
   Systemadministrator
   Tamay Dogan Network
   Debian GNU/Linux Consultant


--
 
What about Firestarter? (www.fs-security.com). Is it a good solution to a personal use firewall?
 
-Ferg @ www.FergSoft.com
USMC
Linux User #463470 at counter.li.org