[CS-FSLUG] Firewall fights
Stephen J. McCracken
smccracken at hcjb.org.ec
Sat Jan 28 12:52:12 CST 2006
Looks ok. See my interspersed comments.
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
I would change the INPUT policy (and probably FORWARD too) default to
DROP. It's a little safer if you forget and leave out a final DROP or
REJECT at the end of your rules.
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
These next two lines probably aren't needed. Protocols 50 (esp) and 51
(ah) are used for VPNs. It won't hurt, but you probably don't need them.
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
This next line will reply to all rejected packets. If you don't care
about replying and want to save a little bandwidth, use DROP instead of
REJECT.
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
Otherwise, it looks like a good, simple firewall.
sjm
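The three suggestions in the reply (default DROP on INPUT and FORWARD, dropping the IPsec-only ESP/AH rules, and optionally replacing the final REJECT with a silent DROP) can be applied and checked on the ruleset text before anything is loaded into the kernel. The script below is an added example, not code from the thread or its author; it uses only POSIX sh, sed and awk, takes the quoted ruleset as sample input, and never calls iptables itself. The function names (harden_ruleset, chain_policy, last_target, chain_fails_open) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: apply the reply's suggestions to an
# iptables-save style ruleset as text and check the result, without touching
# the running firewall. After reviewing the output, load it yourself with:
#   iptables-restore < hardened.rules

# Sample input: the ruleset quoted in the thread, reproduced here so the
# script runs stand-alone.
ORIGINAL_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# harden_ruleset RULES [drop]
# Prints RULES with INPUT and FORWARD defaulting to DROP and the IPsec-only
# ESP (protocol 50) / AH (protocol 51) rules removed. With a second argument
# of "drop", the final REJECT becomes a silent DROP (no ICMP reply sent).
harden_ruleset() {
    printf '%s\n' "$1" |
    sed -e 's/^:INPUT ACCEPT /:INPUT DROP /' \
        -e 's/^:FORWARD ACCEPT /:FORWARD DROP /' \
        -e '/^-A [^ ]* -p 5[01] -j ACCEPT$/d' |
    if [ "${2:-reject}" = drop ]; then
        sed -e 's/ -j REJECT --reject-with [^ ]*$/ -j DROP/'
    else
        cat
    fi
}

# chain_policy RULES CHAIN: prints the chain's default policy ("-" for user chains).
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# last_target RULES CHAIN: prints the jump target of the last rule appended to CHAIN.
last_target() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
        END { print t }'
}

# chain_fails_open RULES CHAIN: true when the chain's policy is ACCEPT, i.e. a
# forgotten final DROP/REJECT in the rules would let unmatched packets through.
# INPUT here only jumps to RH-Firewall-1-INPUT; a packet not matched there
# returns to INPUT and meets the policy, which is why the policy matters.
chain_fails_open() {
    [ "$(chain_policy "$1" "$2")" = ACCEPT ]
}

main() {
    echo "Before: INPUT policy $(chain_policy "$ORIGINAL_RULES" INPUT)"
    hardened=$(harden_ruleset "$ORIGINAL_RULES" drop)
    echo "After:  INPUT policy $(chain_policy "$hardened" INPUT)"
    echo "Last rule in RH-Firewall-1-INPUT jumps to: $(last_target "$hardened" RH-Firewall-1-INPUT)"
    printf '%s\n' "$hardened"
}

main
```

Run it as `sh harden.sh > hardened.rules` and diff the result against the original before loading it; with the default policies set to DROP, lock yourself out of a remote box only once before you learn to keep the SSH rule in place.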