In contrast to the other scripts, the rc.UTIN.firewall.txt script also blocks the
LAN that is sitting behind us. In other words, we don't trust anyone on any network
we are connected to, and we allow people on our LAN to do nothing but a few specific
tasks on the Internet. The only things we actually allow are POP3, HTTP and FTP
access to the Internet. We also trust the internal users no more than users on the
Internet when it comes to accessing the firewall itself.
The rc.UTIN.firewall.txt script requires the following options to be compiled
statically into the kernel, or as modules. Without one or more of them, parts of
the script will not work, since the functionality those parts rely on will be
unavailable. As you modify the script, you may need further options compiled into
your kernel, depending on what you want to use.
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_LOG
This script follows the golden rule of not trusting anyone, not even our own
employees. This is a sad fact, but a large part of the hacks and cracks a company
gets hit by are carried out by its own staff. This script will hopefully give you
some clues as to what you can do with your firewall to strengthen it. It is not
very different from the original rc.firewall.txt script, but it does give a few
hints at what we would normally let through, and what we would not.