[nflug] firewall
Cyber Source
peter at thecybersource.com
Thu Jan 12 14:40:38 EST 2006
It couldn't be any easier than firestarter; if you're on your FC box, "yum
install firestarter"
Robert Meyer wrote:
>I wouldn't try to do IPTables directly. It's a real bear. Use something like
>shorewall or any of the other firewall configuration tools. Shorewall is more
>geared towards making an external firewall, rather than firewalling a server
>internally.
>
>Anybody have any ideas of config tools for using a server as its own firewall?
> Something I probably should know about, too.
>
>Cheers!
>
>Bob
>
>--- Eric Benoit <ebenoit at hopevale.com> wrote:
>
>
>
>>I'm thinking maybe just configuring iptables instead of shorewall might
>>be easier, but oh well I just want this to be done and cannot find any
>>good documentation on it ...does anyone know of a website that delves into
>>iptables ...just port stuff I don't care about the other stuff ...like
>>Rob said I just want to worry a little bit :)
>>
>>Eric Benoit wrote:
>>
>>
>>>I'm using shorewall for iptables, how does this look for a webserver?
>>>
>>>
>>>Action Source Destination Protocol Destination ports
>>>
>>>AllowWeb:ULOG net $FW tcp 80,443
>>>
>>>
>>>for Source ports I put any
>>>
>>>
>>>Robert Meyer wrote:
>>>
>>>
>>>
>>>>Then don't enable it. General rules for firewalls on the outside world: Don't
>>>>open any port that you don't need to use.
>>>>
>>>>In general, I prefer to have a separate firewall. The firewall would only be
>>>>running IPTABLES and nothing else. This leaves no ports available on the
>>>>firewall itself to exploit so it's harder to compromise it. Then put all of
>>>>your servers behind the firewall. You can then control the allowable ports and
>>>>not have to worry as much about the servers themselves. Note that I'm not
>>>>saying that you *don't* have to worry; you just have to worry less.
>>>>
>>>>Cheers!
>>>>
>>>>Bob
>>>>
>>>>--- Eric Benoit <ebenoit at hopevale.com> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>>I'm setting up a firewall on a webserver, but I am not sure if I need
>>>>>to allow udp 53 and or tcp 53. This server will not be a DNS server.
>>>>>
>>>>>thanks
>>>>>_______________________________________________
>>>>>nflug mailing list
>>>>>nflug at nflug.org
>>>>>http://www.nflug.org/mailman/listinfo/nflug
>>>>>
>>>>>
>>>>>
>>>>
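As an added example (not from any poster in this thread): a minimal host-based ruleset for the web server discussed above, printed in iptables-restore format. It assumes the server is not a DNS server, so there is no inbound port 53 rule; replies to the server's own outbound DNS lookups are accepted by the ESTABLISHED,RELATED rule. The function name `web_fw_rules` and the open OUTPUT policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a standalone web server.
# web_fw_rules is a hypothetical helper name. Ports default to 80 and 443,
# matching the shorewall rule quoted in the thread.

web_fw_rules() {
    ports="${1:-80,443}"
    # Accept only a comma-separated list of port numbers.
    case "$ports" in
        *[!0-9,]*|,*|*,|*,,*)
            echo "invalid port list: $ports" >&2
            return 1
            ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Review the output first, then load it as root:
#   web_fw_rules | iptables-restore
```

Everything inbound that is not loopback, part of an existing connection, or new TCP to the listed ports is dropped by the INPUT policy.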