On Mon, 29 Dec 2003, Derek Broughton wrote:
> On December 28, 2003 07:55 pm, Daniel Pittman wrote:
>> On Fri, 26 Dec 2003, Derek Broughton wrote:
>>
>> > For instance, I completely trust everything on my SOHO network, but
>> > don't trust my connection to the internet. I don't trust anything
>> > but my desktop machine on the client's network, but I _do_ trust
>> > their own internet firewall. So it's often important to be able to
>> > detect details of the connection.
>>
>> While I agree with this, I don't think that the best location to
>> perform this detection is as part of the firewall package itself.
>
> Right, but some of the firewall builders one might find adequate for a
> fixed-location system don't react very well to having an interface (or
> even different network interfaces) that may come up with different IPs
> depending where you are.

Hrm. That wasn't my experience when I worked with a number of them, but
obviously you had a less happy time. I found that while the rules you
could build were reasonable, the cost in time and effort to make the
"firewall builder" express what I wanted was ... more than doing it by
hand.

> So I think the choice of a firewall package for a laptop is slightly
> more limited than for a desktop machine.

I can see how your experiences would lead to that conclusion.

>> Firehol adds a lot of custom commands to bash, making firewall setup
>> trivial, but is still a shell script under it all. So, you can use
>> that to conditionally execute firewall code.
>>
>> Thanks for the feedback, though, and I will try to remember your
>> point about complexity of rule setup in future.
>
> And I will check out firehol :-) I'm using Guarddog these days, and
> it's working fairly well, but it's the first package I've found
> adequate for my laptop.

Well, 'firehol' doesn't impose any structure on you, so you can build
something that is as flexible (or inflexible) as you like, pretty much.

I am curious -- the packages that didn't cope, what were the problems
you hit? I would like to know to better advise people in future.

I presume that the issue was, at heart, that the packages assumed that
you had a fixed IP address for the local host and then used that in a
number of places.

Daniel

-- 
I hate the idea of causes, and if I had to choose between betraying my
country and betraying my friend, I hope I should have the guts to betray
my country.
        -- E. M. Forster, _What I Believe_
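The approach Daniel describes, doing the "where am I?" detection in the shell script that drives the firewall and then choosing a profile, as an added example that is not code from the thread or from firehol. The address ranges and the desktop address are constructed, and the emitted rule text uses firehol's interface/policy/protection/client/server syntax as assumed here rather than taken from the thread.

```sh
#!/bin/sh
# Added example: pick a firewall profile from the address an interface
# currently holds, instead of expecting the firewall tool to detect it.
# All address ranges below are constructed for illustration.

# Map the IPv4 address an interface holds to a profile name.
classify_network() {
    case "$1" in
        192.168.7.*) echo home ;;      # constructed: trusted SOHO LAN
        10.40.*)     echo client ;;    # constructed: client site, behind their firewall
        *)           echo untrusted ;; # anything else: hotel, conference, unknown
    esac
}

# First IPv4 address on an interface (Linux iproute2); empty if none.
interface_address() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub("/.*", "", $4); print $4; exit }'
}

# Print the firehol configuration (syntax assumed) for a profile:
# home LAN fully trusted; client site drops everything inbound except
# SSH from our own desktop; anywhere else only outbound is allowed.
firewall_rules() {
    iface=$1
    case "$2" in
        home)
            printf 'interface %s lan\n    policy accept\n' "$iface" ;;
        client)
            printf 'interface %s client\n    policy drop\n    protection strong\n' "$iface"
            # 10.40.0.25 is a constructed address for "my desktop machine".
            printf '    client all accept\n    server ssh accept src 10.40.0.25\n' ;;
        *)
            printf 'interface %s internet\n    policy drop\n    protection strong\n' "$iface"
            printf '    client all accept\n' ;;
    esac
}

# When run with an interface name, emit the configuration for this host now.
if [ -n "$1" ]; then
    firewall_rules "$1" "$(classify_network "$(interface_address "$1")")"
fi
```

Run as `sh detect-profile.sh eth0` to see which rule set the current address selects; an interface with no address falls through to the untrusted profile.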