[CS-FSLUG] Firewall fights

Ed Hurst ehurst at asisaid.com
Wed Jan 25 16:30:15 CST 2006


Stephen J. McCracken wrote:

> Well, Redhat puts all its rules in one RH chain and then calls that
> chain from both the INPUT and FORWARD (which you don't have) chains.
> 
> As you could probably already tell, this is not as tight as the other
> firewall.  This doesn't block any outgoing packets at all.  It allows
> all incoming icmp, multicast port 5353 (dns?), internet printing (udp
> port 631 - cups?), ssh, and all return packets from internally initiated
> connections.

I configured by using the GUI setup created by RH. I'm not sure what to 
say about the open ports 5353 and 631; seems to me the destination is an 
invalid IP for the 5353, but ssh is something I do intentionally. It's 
the best way to shut down a frozen GUI or I/O lockup by slipping in the 
back with my laptop. As for pings, my understanding is SBC filters for 
any syn-flooding, etc.

As for blocking outgoing, I'm trying to imagine something on my system 
which should be prevented from getting out. Since I don't do NAT, and am 
only protecting this machine from outside threats from the few things 
capable of harming a Linux box, I'm just not sure it matters.

Keep in mind, RH/CentOS comes with SELinux turned on by default. 
However, it is poorly configured, and tends to generate a ton of log 
messages because it blocks dbus. I haven't read enough about configuring 
it to even begin understanding how it works, so I can't do much to fix 
it. If I understand correctly, it affects the way the firewall works, so 
I'm missing that measure of security.

Either way, this OS offers no hesitation online. That's not simply 
head-in-the-sand; it works and I don't know enough to do differently. 
Any advice? Anything in that list you'd change?

-- 
Ed Hurst
----------
Bible Application - http://ed.asisaid.com/bible/index.html
Plain & Simple Computer Help - http://ed.asisaid.com/
Mission, Method & Means - http://ed.asisaid.com/blog/
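
A way to check a ruleset like the one Stephen summarized without reading it by hand: an added example (not from this thread or from Red Hat) that parses an iptables-save dump and lists the ACCEPT rules reachable from any unicast source, plus whether OUTPUT is filtered at all. The dump below is constructed to mirror the described rules; the chain name RH-Firewall-1-INPUT and the 224.0.0.251 (mDNS multicast) destination on port 5353 are assumptions.

```python
import ipaddress
import shlex

# Constructed iptables-save dump modelled on the RH rules described in the
# thread; the chain name and the 224.0.0.251 destination are assumptions.
RH_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

OPTS = {"-p": "p", "--dport": "dport", "-s": "s", "-d": "d",
        "-i": "i", "-j": "j", "--state": "state"}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we audit."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], **{v: None for v in OPTS.values()}}
    for k, v in zip(toks, toks[1:]):
        if k in OPTS:
            rule[OPTS[k]] = v
    return rule

def audit(dump):
    """Return (finding, detail) pairs: ACCEPT rules exposed to any unicast
    source, and a note if the OUTPUT chain does no filtering at all."""
    policies, rules, findings = {}, [], []
    for line in dump.splitlines():
        if line.startswith(":"):
            name, pol = line[1:].split()[:2]
            policies[name] = pol
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    for r in rules:
        if r["j"] != "ACCEPT" or r["i"] == "lo" or r["s"]:
            continue  # loopback-only or source-scoped: not exposed
        if r["state"] and set(r["state"].split(",")) <= {"ESTABLISHED", "RELATED"}:
            continue  # return traffic for connections this host started
        if r["d"] and ipaddress.ip_network(r["d"], strict=False).subnet_of(MULTICAST):
            continue  # multicast destination: not reachable by unicast from outside
        findings.append(("open-to-any", f"{r['p']}/{r['dport'] or 'any'}"))
    if policies.get("OUTPUT") == "ACCEPT" and not any(r["chain"] == "OUTPUT" for r in rules):
        findings.append(("no-egress-filtering", "OUTPUT policy ACCEPT, no rules"))
    return findings
```

Run against the constructed dump it reports icmp, udp/631 and tcp/22 as open to any source and flags the empty OUTPUT chain, while the 5353 rule is passed over because its destination is multicast.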
