[nflug] firewall
Eric Benoit
ebenoit at hopevale.com
Thu Jan 12 14:39:49 EST 2006
debian
Cyber Source wrote:
> It couldn't be any easier than firestarter, if you're on your FC box, "yum
> install firestarter"
>
> Robert Meyer wrote:
>
>> I wouldn't try to do IPTables directly. It's a real bear. Use something like
>> shorewall or any of the other firewall configuration tools. Shorewall is more
>> geared towards making an external firewall, rather than firewalling a server
>> internally.
>>
>> Anybody have any ideas of config tools for using a server as its own firewall?
>> Something I probably should know about, too.
>>
>> Cheers!
>>
>> Bob
>>
>> --- Eric Benoit <ebenoit at hopevale.com> wrote:
>>
>>
>>
>>> I'm thinking maybe just configuring iptables instead of shorewall
>>> might be easier, but oh well I just want this to be done and cannot
>>> find any good documentation on it ...does anyone know of a website that
>>> delves into iptables ...just port stuff I don't care about the other
>>> stuff ...like Rob said I just want to worry a little bit :)
>>>
>>> Eric Benoit wrote:
>>>
>>>
>>>> I'm using shorewall for iptables, how does this look for a webserver?
>>>>
>>>> Action         Source  Destination  Protocol  Destination ports
>>>>
>>>> AllowWeb:ULOG  net     $FW          tcp       80,443
>>>>
>>>>
>>>> for Source ports I put any
>>>>
>>>>
>>>> Robert Meyer wrote:
>>>>
>>>>
>>>>
>>>>> Then don't enable it. General rules for firewalls on the outside world:
>>>>> Don't open any port that you don't need to use.
>>>>>
>>>>> In general, I prefer to have a separate firewall. The firewall would only
>>>>> be running IPTABLES and nothing else. This leaves no ports available on
>>>>> the firewall itself to exploit so it's harder to compromise it. Then put
>>>>> all of your servers behind the firewall. You can then control the
>>>>> allowable ports and not have to worry as much about the servers
>>>>> themselves. Note that I'm not saying that you *don't* have to worry; you
>>>>> just have to worry less.
>>>>>
>>>>> Cheers!
>>>>>
>>>>> Bob
>>>>>
>>>>> --- Eric Benoit <ebenoit at hopevale.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> I'm setting up a firewall on a webserver, but I am not sure if I
>>>>>> need to allow udp 53 and or tcp 53. This server will not be a DNS
>>>>>> server.
>>>>>>
>>>>>> thanks
>>>>>> _______________________________________________
>>>>>> nflug mailing list
>>>>>> nflug at nflug.org
>>>>>> http://www.nflug.org/mailman/listinfo/nflug
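
Added example, not part of the original thread: a shell function that prints a host-based iptables ruleset in iptables-restore format for the web server case discussed above (inbound tcp 80,443 only). The function name web_ruleset and the default-drop policy layout are assumptions of this example.

```shell
#!/bin/sh
# web_ruleset PORTS
#   Print an iptables-restore "filter" table for a server acting as its own
#   firewall. PORTS is a comma-separated list of inbound TCP ports.
#   (Hypothetical helper written for this example.)
web_ruleset() {
    ports=${1:-80,443}

    # Reject empty input, stray commas and anything that is not a digit/comma.
    case $ports in
        ''|,*|*,|*,,*|*[!0-9,]*)
            echo "invalid port list: $ports" >&2
            return 1 ;;
    esac

    # Range-check every port; a failed or erroring comparison rejects the list.
    old_ifs=$IFS; IFS=,
    set -- $ports
    IFS=$old_ifs
    for p in "$@"; do
        if [ "$p" -ge 1 ] 2>/dev/null && [ "$p" -le 65535 ] 2>/dev/null; then
            :
        else
            echo "port out of range: $p" >&2
            return 1
        fi
    done

    # No inbound rule for port 53: the server's own DNS lookups leave through
    # OUTPUT and the replies match ESTABLISHED, so nothing extra is opened.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Typical use, as root: check the ruleset parses before loading it.
#   web_ruleset 80,443 | iptables-restore --test
#   web_ruleset 80,443 | iptables-restore
```

If the box is administered remotely, the management port (for example ssh) has to be in the list before loading, since the INPUT policy is DROP.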