This is by far the single most helpful document I've ever encountered during my Linux experience. TrinityOS, even if you don't follow it to the letter, is an excellent guide for many facets of a secure Linux system.
Congratulations David; keep up the fine work.
> When will this wonderful
> "howto" include iptables?
> It'd be nice to have the great support
> for ipchains available in iptables
I'm working on a new ruleset that both supports (1) NIC NON-MASQed setups as well as (4) NIC MASQed setups for the IPCHAINS ruleset. This new ruleset will also be split into two files. With this upgrade, any future upgrades will NOT require users to have to manually edit the entire ruleset every time. All you'll have to do is replace the actual ruleset and reload it. Yes, you might not get any of the newly added features but you can address those as time permits. Anyway, once this new IPCHAINS mechanism is stable, the port to IPTABLES should be trivial. The other reason I haven't moved over to IPTABLES (though it is stateful) is that the MASQ support is not as good as the 2.2.x kernels. IPTABLES still does not have support for H.323, RealAudio, ICQ, etc. Because of this, my motivation is somewhat less. No worries though. I plainly see the writing on the wall and the IPTABLES mechanism is a great upgrade for us all. I just need to do the upgrade RIGHT.
Until then, there IS a mode in IPTABLES to support IPCHAINS rulesets. Check it out. I'll see if I can add that into the next revision.
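As an added example of the two-file layout described above (not TrinityOS code or the poster's own ruleset), shown in iptables rather than ipchains form: the site-specific settings live in one file the admin edits once, and the ruleset logic lives in a second file that is replaced wholesale on upgrade. The file names, variable names and the sample addresses are assumptions; the settings are inlined so the script runs offline and emits the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from TrinityOS: a settings file plus a replaceable
# ruleset. Hypothetical names: trinity.conf (settings), build_ruleset (logic).
# Settings are constructed inline here; normally they would be loaded with
# ". /etc/trinity.conf" so they survive a ruleset upgrade untouched.

# ---- trinity.conf (user-edited once, kept across upgrades) ----
EXT_IF="eth0"              # interface facing the Internet
INT_IF="eth1"              # interface facing the LAN
INT_NET="192.168.1.0/24"   # constructed sample LAN address range
MASQ="yes"                 # "yes" for a MASQed gateway, "no" for a single-NIC host

# ---- ruleset logic (replaced as a unit on upgrade) ----
# Emits one iptables command per line rather than running it, so the result
# can be reviewed first (and later piped to sh as root to load it).
build_ruleset() {
    ipt="iptables"
    echo "$ipt -P INPUT DROP"
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -P OUTPUT ACCEPT"
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    # Stateful match: one line replaces the per-port "reply" rules an
    # ipchains ruleset has to carry for every allowed service.
    echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: LAN addresses must never arrive on the external interface.
    echo "$ipt -A INPUT -i $EXT_IF -s $INT_NET -j DROP"
    if [ "$MASQ" = "yes" ]; then
        echo "$ipt -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT"
        echo "$ipt -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
        echo "$ipt -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
        echo "$ipt -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
    fi
}

# Number of emitted commands; a reload script can use it as a sanity check
# that the settings file produced the expected size of ruleset.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

build_ruleset
```

Flipping `MASQ` to "no" drops the FORWARD and NAT lines, which is the single-NIC variant without editing the ruleset itself.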
When will this wonderful "howto" include iptables? It'd be nice to have the great support for ipchains available in iptables format.