[CS-FSLUG] Firewall fights
Ed Hurst
ehurst at asisaid.com
Wed Jan 25 16:30:15 CST 2006
Stephen J. McCracken wrote:
> Well, Redhat puts all its rules in one RH chain and then calls that
> chain from both the INPUT and FORWARD (which you don't have) chains.
>
> As you could probably already tell, this is not as tight as the other
> firewall. This doesn't block any outgoing packets at all. It allows
> all incoming icmp, multicast port 5353 (dns?), internet printing (udp
> port 631 - cups?), ssh, and all return packets from internally initiated
> connections.
I configured by using the GUI setup created by RH. I'm not sure what to
say about the open ports 5353 and 631; seems to me the destination is an
invalid IP for the 5353, but ssh is something I do intentionally. It's
the best way to shut down a frozen GUI or I/O lockup by slipping in the
back with my laptop. As for pings, my understanding is SBC filters for
any syn-flooding, etc.
As for blocking outgoing, I'm trying to imagine something on my system
which should be prevented from getting out. Since I don't do NAT, and am
only protecting this machine from outside threats from the few things
capable of harming a Linux box, I'm just not sure it matters.
Keep in mind, RH/CentOS comes with SELinux turned on by default.
However, it is poorly configured, and tends to generate a ton of log
messages because it blocks dbus. I haven't read enough about configuring
it to even begin understanding how it works, so I can't do much to fix
it. If I understand correctly, it affects the way the firewall works, so
I'm missing that measure of security.
Either way, this OS offers no hesitation online. That's not simply
head-in-the-sand; it works and I don't know enough to do differently.
Any advice? Anything in that list you'd change?
--
Ed Hurst
----------
Bible Application - http://ed.asisaid.com/bible/index.html
Plain & Simple Computer Help - http://ed.asisaid.com/
Mission, Method & Means - http://ed.asisaid.com/blog/
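Added example, not from either poster: the two rulesets below are written in iptables-restore(8) format so they can be compared side by side. The first reproduces the layout Stephen summarised (one Red Hat chain jumped to from INPUT and FORWARD, OUTPUT left wide open, everything in the list accepted). The second is the tightened single-host version a reviewer would suggest: udp/5353 (mDNS, the 224.0.0.251 multicast address is the normal destination, not an invalid one) and udp/631 (IPP, i.e. CUPS) dropped unless the box actually shares printers, ssh accepted only from the LAN so the "laptop in the back" still works, ping answered but rate-limited, and an OUTPUT policy that only lets replies plus a named handful of services out. The point of an egress policy on a box with no NAT is not the services you run but the ones you did not intend to: a compromised process that cannot open outbound connections is much less useful to whoever owns it. Assumptions of mine: the LAN is 192.168.1.0/24, the chain is named RH-Firewall-1-INPUT as on CentOS 4, and the outbound whitelist (DNS, HTTP/HTTPS, NTP) matches your needs.

```shell
#!/bin/sh
# Added example (not from the original post). Two iptables-restore(8)
# rulesets for a single host with no NAT. Assumptions (mine, not the
# poster's): LAN is 192.168.1.0/24; the Red Hat chain name is the one
# CentOS 4's system-config-securitylevel generates. Adjust both.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="RH-Firewall-1-INPUT"

# Ruleset 1: the Red Hat GUI layout as described in the quoted summary.
# INPUT and FORWARD both jump to one chain; OUTPUT is untouched.
rh_style_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
-A FORWARD -j $CHAIN
-A $CHAIN -i lo -j ACCEPT
-A $CHAIN -p icmp --icmp-type any -j ACCEPT
-A $CHAIN -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A $CHAIN -p udp -m udp --dport 631 -j ACCEPT
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A $CHAIN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Ruleset 2: tightened for a standalone workstation. Lines beginning
# with '#' are ignored by iptables-restore, so the comments can stay.
tightened_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Answer ping, but rate-limited so a flood costs little to absorb.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# ssh from the LAN only (the laptop-in-the-back case), never from outside.
-A INPUT -p tcp --dport 22 -s $LAN_NET -m state --state NEW -j ACCEPT
# udp/5353 (mDNS) and udp/631 (IPP/CUPS) are intentionally absent:
# a box that does not share printers has no reason to accept them.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Outbound: replies, plus only the services this host itself needs.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Audit helper: list destination ports ACCEPTed on the inbound path
# with no source restriction, i.e. what the whole internet may reach.
open_to_internet() {
  awk '/^-A / && !/^-A OUTPUT / && / -j ACCEPT/ && /--dport/ && !/ -s / {
         for (i = 1; i <= NF; i++)
           if ($i == "--dport") p = (p == "" ? $(i+1) : p " " $(i+1))
       } END { print p }'
}

# Usage:  sh fw.sh rh|tight        print a ruleset
#         sh fw.sh audit           ports open to the world, per ruleset
#         tightened_rules | iptables-restore   (as root) to load it
case "${1:-}" in
  rh)    rh_style_rules ;;
  tight) tightened_rules ;;
  audit) echo "RH style : $(rh_style_rules | open_to_internet)"
         echo "tightened: $(tightened_rules | open_to_internet)" ;;
esac
```

Run `sh fw.sh audit` before loading anything: the Red Hat layout reports 5353, 631 and 22 reachable from anywhere, the tightened one reports nothing, which is the difference the quoted summary was pointing at. Loading either set with iptables-restore over an ssh session is safe only while ESTABLISHED traffic is accepted, so keep that line near the top of INPUT.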