RayMichel -> Thanks a lot for your answer!
Your discussions seem to be about alternative firewall scripts that flush the current configuration, that's why you don't get much support for your approach.
Yes, but that is because I believe that this is the only way to develop something (an improved firewall design) that will fit into the existing structure.
It's like when you are sitting and you want to walk. You first have to rise up, then you can walk. You cannot walk while you are sitting.
If you want to develop some firewall stuff, you will have to flush out the existing firewall to get started, and you will have to do it again and again while you are doing the development work.
Then it is possible to have those discussions and the exchange of experiences that will end up in a well-functioning firewall that can be implemented into an existing structure.
As I see it, flushing the existing firewall and discussion with the users are the basic things you are doing when you are working on a firewall that might be implemented into "technical structure" A or B, when it works.
As I see it, "cannot flush" will mean "cannot do anything", like "cannot rise" will mean "cannot walk" when you are sitting in a chair.
I have not understood how anything could be done at all about the firewall in an environment where firewalls cannot be flushed, as the flushing will be the basis for everything else.
When I see the link to the suggestion of Hans_cees mentioned above, http://bugs.contribs.org/attachment.cgi?id=1416, I think I understand a little bit how to set up a suggestion concerning a firewall.
As I see it, the important thing about a firewall design is the dialogue, the experiences and the feedback from the users.
I tried to start a discussion about firewalls here on this forum something like 2 or 3 years ago, but it did not work in this forum.
At that time I took the general project of developing such a 3 port firewall for CentOS out to one other web forum to have the required discussion with interested users, to develop a 3 port firewall with full control of the traffic between the 3 network segments. We did, and it ended up with a 3 port firewall solution not so unlike, in its basic design, the one on the SME server or the Hans Cees suggestion. I will see if I am able to find it again on the web and post it in the bugzilla system like the Hans Cees suggestion. I think it should work on SME 7.2 as well (but I don't know how easy it will be to get a 3 port firewall into the existing template system).
But, by the way, the Hans Cees suggestion is also based on flushing (and testing):
/sbin/iptables --flush FORWARD
/sbin/iptables --flush INPUT
/sbin/iptables --flush OUTPUT
... as I think practically all Linux firewalls are.
************************
Something here:
http://www.eksperten.dk/spm/541674 (This firewall will not work directly on the SME server, as it is a straightforward firewall gateway design where the gateway is without server functions.)
************************
This was obviously a gateway design we did at that time. It needs some rework to be adapted to a server gateway.
But I did just now, and I am posting through the old firewall from 2004 on my new 2007-model 3 port SME 7.2 server gateway.
If things were easy in this world, we could just rework the old 2004 firewall a bit more and post it here. Some debugging and discussion could have been done, and possibly someone could come up with some automated configuration tool. (Actually, I have started to make one myself based on PHP, as I don't know Perl at all.)
As things were developed and checked for proper functionality, we could then have looked into the problem of how to implement a 3 port firewall (or any firewall) into the template system. A text-based configuration tool for two or three NICs could have been up within days. Some kind of web-based configuration tool could have been there within a month or two.
But things are not that easy, I guess.
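Editor's note: the post above argues that every Linux firewall script starts by flushing the filter chains. The following is an added example, not code from the post, from SME Server, or from the Hans Cees attachment. It shows the skeleton of a 3-NIC gateway rule set that does the flush in the one order that matters in practice: default policies to DROP first, then the flush, then the ESTABLISHED/RELATED rule, so the box is never open between the flush and the new rules and an administrator connected over SSH is not cut off. The interface names (eth0/eth1/eth2), the address ranges, the admin port and the `--apply` flag are assumptions for illustration; NAT for LAN-to-Internet traffic lives in the nat table and is not shown.

```shell
#!/bin/sh
# Added example (editor's, not from the post or SME Server): minimal 3-NIC
# gateway firewall that flushes the filter chains without locking out an
# admin session. All names and addresses below are assumptions.

WAN=${WAN:-eth0}        # external interface (assumed name)
LAN=${LAN:-eth1}        # trusted internal segment (assumed)
DMZ=${DMZ:-eth2}        # third segment for public-facing hosts (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
ADMIN_PORT=${ADMIN_PORT:-22}
IPT=${IPT:-/sbin/iptables}

# run: execute one iptables call, or print it when DRY_RUN is set so the
# whole rule set can be reviewed on a box without iptables or root.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_firewall() {
    # 1. Policies to DROP *before* flushing. Flushing first, with the usual
    #    default policy of ACCEPT, leaves the gateway wide open for the
    #    moment between the flush and the first new rule.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # 2. The flush the post talks about: clear the three filter chains.
    run --flush INPUT
    run --flush FORWARD
    run --flush OUTPUT

    # 3. Re-admit established traffic at once so the admin's own SSH
    #    session (and every existing flow) survives the flush.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i lo -j ACCEPT

    # 4. Management access to the gateway itself only from the LAN.
    run -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$ADMIN_PORT" -j ACCEPT

    # 5. Traffic between the three segments, each direction stated explicitly.
    run -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT                    # LAN -> Internet
    run -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$DMZ" -d "$DMZ_NET" -j ACCEPT      # LAN -> DMZ
    run -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT  # Internet -> DMZ web
    run -A FORWARD -i "$DMZ" -o "$LAN" -j DROP   # redundant with the policy, but visible in a listing
    # Anything else falls through to the FORWARD policy: DROP.
}

# render_rules: return the rule set as text without touching the kernel
# (subshell so DRY_RUN does not leak into the caller under dash).
render_rules() {
    ( DRY_RUN=1; apply_firewall )
}

# Safe default: print the rules for review; apply only when asked (needs root).
if [ "$1" = "--apply" ]; then
    apply_firewall
else
    render_rules
fi
```

Run it once as `sh fw3.sh` and read the printed rules before ever running `sh fw3.sh --apply`; the printed order is exactly what the kernel will see, so the policy-before-flush and conntrack-right-after-flush ordering can be checked by eye.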