[nflug] firewall

Robert Meyer meyer_rm at yahoo.com
Thu Jan 12 13:41:42 EST 2006


I wouldn't try to do IPTables directly.  It's a real bear.  Use something like
shorewall or any of the other firewall configuration tools.  Shorewall is more
geared towards making an external firewall, rather than firewalling a server
internally.

Anybody have any ideas of config tools for using a server as its own firewall?
Something I probably should know about, too.

Cheers!

Bob

--- Eric Benoit <ebenoit at hopevale.com> wrote:

> I'm thinking maybe just configuring iptables instead of shorewall might 
> be easier, but oh well, I just want this to be done and cannot find any 
> good documentation on it ...does anyone know of a website that delves into 
> iptables ...just port stuff, I don't care about the other stuff ...like 
> Rob said I just want to worry a little bit :)
> 
> Eric Benoit wrote:
> > I'm using shorewall for iptables, how does this look for a webserver?
> >         
> > 
> > Action          Source     Destination     Protocol    Destination ports
> > 
> > AllowWeb:ULOG    net       $FW               tcp           80,443
> > 
> > 
> > for Source ports I put any
> > 
> > 
> > Robert Meyer wrote:
> > 
> >> Then don't enable it.  General rules for firewalls on the outside 
> >> world: Don't
> >> open any port that you don't need to use.
> >>
> >> In general, I prefer to have a separate firewall.  The firewall would 
> >> only be
> >> running IPTABLES and nothing else.  This leaves no ports available on the
> >> firewall itself to exploit so it's harder to compromise it.  Then put 
> >> all of
> >> your servers behind the firewall.  You can then control the allowable 
> >> ports and
> >> not have to worry as much about the servers themselves.  Note that I'm 
> >> not
> >> saying that you *don't* have to worry; you just have to worry less.
> >>
> >> Cheers!
> >>
> >> Bob
> >>
> >> --- Eric Benoit <ebenoit at hopevale.com> wrote:
> >>
> >>
> >>> I'm setting up a firewall on a webserver, but I am not sure if I need 
> >>> to allow udp 53 and or tcp 53.  This server will not be a DNS server.
> >>>
> >>> thanks
> >>>
> >>
> >>
> >>
> > 
> 


_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug
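As an added illustration of the two questions raised in this thread (a web server acting as its own firewall, and whether port 53 needs to be opened on a host that is not a DNS server), here is a host-level iptables rule set written for this page; it is not from the thread, from shorewall, or from any of the posters. It assumes a Linux host with iptables and the conntrack match, uses the plain LOG target in place of ULOG, and the admin network `192.0.2.0/24` and the `DRY_RUN` / `ADMIN_NET` variables are constructed placeholders. In dry-run mode (the default) it prints the rules for review instead of applying them; `check_ruleset` is a small sanity check that refuses a rule set whose INPUT policy is not DROP or that publishes port 53.

```shell
#!/bin/sh
# Host firewall for a web server that is its own firewall (added example).
# Assumptions: IPv4 iptables with the conntrack match, LOG instead of ULOG,
# ADMIN_NET is a constructed placeholder (RFC 5737 documentation range).
#
# DRY_RUN=1 prints the commands instead of running them, so the rule set
# can be reviewed before it is applied to a live host.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, otherwise execute it.
# (In dry-run output the shell quoting around the log prefix is not shown.)
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit (or apply) the full rule set.
build_ruleset() {
    # Start from a clean table and fail closed on inbound and forwarded traffic.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is needed by local services.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections the server opened itself (including its own
    # DNS lookups to port 53) are matched here by conntrack, so a host that
    # is not a DNS server needs no inbound rule for port 53 at all.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Drop packets that claim to belong to a connection we never saw.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The only services offered to the world: HTTP and HTTPS, with new
    # connections logged (the counterpart of the AllowWeb:ULOG rule above).
    for port in 80 443; do
        ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
            -m limit --limit 10/min -j LOG --log-prefix "AllowWeb: "
        ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # SSH only from the admin network (an assumption, not from the thread).
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else is logged (rate limited) and then hits the DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

# Sanity check on a generated rule list: return 1 if the INPUT policy is
# not DROP, or if any rule publishes port 53, which this host does not serve.
check_ruleset() {
    rules="$1"
    echo "$rules" | grep -q -- '-P INPUT DROP' || return 1
    [ "$(echo "$rules" | grep -c -- '--dport 53')" -eq 0 ] || return 1
    return 0
}

if [ "$DRY_RUN" = "1" ]; then
    rules=$(build_ruleset)
    echo "$rules"
    check_ruleset "$rules" && echo "# rule set passes checks"
fi
```

Run it as-is to review the generated commands; run it with `DRY_RUN=0` as root to apply them. Because OUTPUT is ACCEPT and replies are admitted by the ESTABLISHED,RELATED rule, the server can still resolve names without any inbound 53 rule, which is the answer the thread's "don't open any port you don't need" advice points to.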


