Xnij wrote: I can recommend Shorewall (http://www.shorewall.net/) which is a bit easier to configure. It is still all text files so it is an advanced tool. Seems to be available in the standard repo. [..]
Shorewall is OK, but the latest versions load an absolutely ridiculous amount of modules. This may provide belt-and-braces security (at least the illusion thereof) but it may also degrade the performance of your system.
An alternative approach is to use the system *without* a firewall, while making sure that no services are exposed to the outside world.
Run as root
and notice the "local address" column. Whenever it says 0.0.0.0, the corresponding service is visible to the outside world (if there is no firewall present; or if there is one, but it is misconfigured, a much more likely possibility).
Now, in many cases, it is possible to improve this by making services listen only to the local network (not to the "outside world"). Many services have options to do this. In fact I'd like to suggest to the Excito people that they explore this.
Once you have stopped access to all services that you don't want to offer outside your network, you can use some very simple iptables rules to cover cases that you might have overlooked. That is a kind of "extra security". Basically, a system should be secure by itself without a firewall.
See the classic article (it needs updating of course, but the basic ideas are still 100% OK)
http://www.rootprompt.org/article.php3?article=903
/jws
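As an added example (not code from the post, nor from Excito or Shorewall): a small Python check over constructed `netstat -ln`-style output that flags the wildcard listeners the post describes. It goes slightly beyond the post by also treating the IPv6 wildcard `::` as exposed and `127.0.0.1`/`::1` as loopback-only; the sample text and the exposure labels are assumptions made for the example.

```python
from typing import Dict, List

# Constructed sample of `netstat -ln`-style output (not from any real system);
# the "Local Address" column is the one the post says to inspect.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:139        0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

WILDCARD = {"0.0.0.0", "::"}   # listens on every interface
LOOPBACK = {"127.0.0.1", "::1"}  # reachable from local processes only

def split_local(local: str):
    """Split 'addr:port' on the LAST ':' so ':::80' becomes ('::', 80)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)

def classify(addr: str) -> str:
    """Map a listening address to an exposure class."""
    if addr in WILDCARD:
        return "all-interfaces"      # visible outside unless a firewall blocks it
    if addr in LOOPBACK:
        return "loopback-only"
    return "specific-interface"      # e.g. bound to the LAN address only

def listening_sockets(output: str) -> List[Dict]:
    """Parse netstat -ln style text into one record per tcp/udp socket."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the header, banner lines and unix-domain sockets
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        # udp rows lack the State column, but Local Address is always field 3
        addr, port = split_local(fields[3])
        records.append({"proto": fields[0], "addr": addr, "port": port,
                        "exposure": classify(addr)})
    return records

def exposed_ports(output: str) -> List[int]:
    """Ports bound to every interface: the ones to rebind locally or firewall."""
    return sorted(r["port"] for r in listening_sockets(output)
                  if r["exposure"] == "all-interfaces")
```

Feed it the real command output instead of `SAMPLE_NETSTAT` to get the list of services that still need to be restricted to the local network.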