Hi, -- snip -- snip --
If you are going to take the time to use the built-in firewalling code in Linux, why would you use a frontend to the program to modify the rules? Ipchains is *easy* to use.

Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux IPFWADM/IPCHAINS/NetFilter are fundamentally different things:
Scary how a large part of the suse security list seems to be in charge of organization security without being able to see the fundamental difference between packet filtering and proxying; even after clear explanation.

Another silly issue on this list was the tamper-ability of MD5 hash values (nothing wrong with the question as such though) and its required replacement for intrusion detection. Until finally somebody pointed out where the real vulnerability was: just forge the report.

I was just wondering why the focus of this list is so much on "code" and so little on how to use it for a specific organization. Most unix hosts that have a reasonable administrator are most likely more secure against DoS than the telco router that connects them to the Web. Most security incidents are from within organizations. Most logs are never looked at and incidents seldom reported. A short and simple password is still better than one under the keyboard. Locking the car is little use if you leave the camera in plain sight :)

Also there's nothing wrong in discussing interface add-ons for ipchains etc. But sometimes the discussion misses that such things can only improve your understanding or help you use your time efficiently. They inherently do nothing else to improve security. I personally prefer tools that help visualize the result of complex configurations and logs instead of separating me from the real issue at hand.

Generally speaking, there is a shortcoming to easy-to-use systems. They inherently hide some of the complexity you actually should be facing. Also, a simple external interface (or extreme flexibility requirements) usually imply high internal complexity. And that of course provides more places where things could fail. If you want security, go for simplicity. And yes the FWTK is lovely simple (within its context).

One final remark. Moderation is a good thing, but please don't just do it to ban things.
A simple classification with some tags like [basic] [home networks] [small organization] [large organization] [theory] [usage] or something like it would be of much more added value. With that I can play with some easy questions if I'm really bored and tired :)

Oh, I do consider a question of somebody who wants to protect 'pictures' reasonable.

Peter