RE: [suse-security] Loading firewall script on boot time
I do not want to continue this debate endlessly, but make my final comments:

- as mentioned before, activating the YaST Firewall resulted in unwanted results. Firstly, it would only accept incoming service requests if you either had them running on the FW machine or running a DMZ. Neither was true in my case.
- second: by implementing forwarding with Firewall (masqueraded or not) I was always able to break in on those high ports, used for passive FTP
- and third: due to this I was forced to do something else. My final script will only allow HTTP in both directions and FTP outbound with Data Connection (RELATED). Nothing more. Nothing less. And yes, I did probe the ruleset with port scanners.

I do agree that if you have a standard "world" (i.e. Outside - Bad World, Inside - LAN and maybe even DMZ) then there's no point in "reinventing the wheel". But the specifications were not standard, and were not subject to change.

And finally: I am a Linux newbie all right, but no computer/security newbie. I never take things for granted, like "oh well, my script runs fine when I start it manually, and it is named xy_firewall, I guess the system knows that this must be loaded at boot time too. I don't bother testing after boot time however. Port scan the system? Why should I? I know it works. Sign here, and good bye."

Have a nice day
KE

-----Original Message-----
From: Andy Bennett [mailto:andy@mcrentals.demon.co.uk]
Sent: Wednesday, July 30, 2003 6:55 PM
To: lars
Cc: suse-security@suse.com
Subject: Re: AW: [suse-security] Loading firewall script on boot time

Whilst I accept that it is a requirement of a secure system that the person configuring it understands how it works, I hope that you're not seriously suggesting that a greater level of security is achieved by having to recreate every single aspect of a secure system rather than using some of the tools, where appropriate, that are readily available? That isn't true, is it?

How secure would Knut have been if he hadn't realised that his firewall script wasn't loading when his machine started up? Having said that, the exercise has been worthwhile in that he has gained a greater understanding of his system. The only thing I would add is that he needs to run an external scan of his system to make sure it's as closed as he thinks.

Andy
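The policy KE describes (HTTP in both directions, FTP outbound with its data connection accepted as RELATED, everything else dropped) and the passive-FTP high-port problem Andy's thread touches on, written out as an added iptables script. This is example code for this page, not KE's actual script or anything shipped by SuSE; the interface name eth0, the function names, and the DRY_RUN switch (which prints the commands instead of running them, so the ruleset can be reviewed without root) are assumptions. The point it illustrates is that the FTP data channel is admitted through connection tracking rather than by opening a static high-port range, which is what left the forwarding setup exposed.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal iptables ruleset
# implementing the policy described in the mail: HTTP in both directions,
# FTP outbound with its data connection accepted as RELATED, all else dropped.
# WAN_IF is an assumed placeholder for the external interface.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

WAN_IF="${WAN_IF:-eth0}"   # assumed external interface name
IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

load_ftp_helper() {
    # The FTP conntrack helper is what lets RELATED match the data connection.
    # ip_conntrack_ftp is the 2.4-kernel name; nf_conntrack_ftp on current kernels.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "modprobe nf_conntrack_ftp"
    else
        modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    fi
}

apply_rules() {
    # Default deny on every chain; anything not explicitly allowed is dropped.
    run -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback is always allowed.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies and RELATED connections (FTP data, ICMP errors)
    # are accepted only because conntrack already saw the control connection,
    # so no static high-port range has to be opened for passive FTP.
    for chain in INPUT FORWARD OUTPUT; do
        run -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # HTTP inbound to this host and HTTP outbound from it.
    run -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # FTP control channel outbound only; the data channel rides on RELATED above.
    run -A OUTPUT -o "$WAN_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Log what the default policy is about to drop, so an external scan run
    # after boot can be checked against the log rather than trusted blindly.
    run -A INPUT -j LOG --log-prefix "FW-DROP-IN: "
}

# Number of rules that admit NEW connections; a quick sanity check to run
# after boot to confirm the script was actually loaded (expected: 3).
new_rule_count() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- '--state NEW'
}
```

Run with `DRY_RUN=1 sh firewall.sh` to review the generated commands before installing the script into the boot sequence; after a reboot, `iptables -L -n` should show the same three NEW rules and nothing listening on the passive-FTP range, which is the check Andy asks for in the thread.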
participants (1)
-
Knut Erik Hauslo