[CS-FSLUG] Firewall fights
Stephen J. McCracken
smccracken at hcjb.org.ec
Wed Jan 25 17:09:38 CST 2006
> Keep in mind, RH/CentOS comes with SELinux turned on by default.
> However, it is poorly configured, and tends to generate a ton of log
> messages because it blocks dbus. I haven't read enough about configuring
> it to even begin understanding how it works, so I can't do much to fix
I haven't read up on it, either. Wouldn't have a clue.
> Either way, this OS offers no hesitation online. That's not simply
> head-in-the-sand; it works and I don't know enough to do differently.
> Any advice? Anything in that list you'd change?
I'd probably rework it slightly so I could understand it better. It all
depends on what you want to know/see. Do you want to log things so
check up on what's happening? (CentOS isn't logging anything.) Do you
ssh in from anywhere or only a few known IP addresses? Do you care if
others can ping your address? Are you behind a NAT firewall?
Personally, I would probably change things to end up with the below for
now. It's far simpler and probably exactly the same for what you are doing.
--------------
# Generated by iptables-save -- modified by sjm 2006.01.25
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Use the DROP line below instead of the REJECT line if you don't want
# to reply back and tell them that they've been rejected
#-A INPUT -j DROP
# or just comment it out, as the default DROP policy does the same
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
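An added example (not part of the post above): a small Python audit that parses an iptables-save dump and answers the questions raised in the reply, namely whether INPUT defaults to DROP, whether anything is logged, whether ping is answered, and which ports accept new connections. The sample ruleset is the one from the post; the function names are my own.

```python
# Sample input: the filter table from the post above (comments are skipped).
SAMPLE = """\
# Generated by iptables-save -- modified by sjm 2006.01.25
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter(text):
    """Return (chain policies, tokenised -A rules) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def audit_input_chain(text):
    """Summarise what the INPUT chain lets in, logs and rejects."""
    policies, rules = parse_filter(text)
    inp = [r for r in rules if r[1] == "INPUT"]
    has = lambda r, *toks: all(t in r for t in toks)
    open_ports = []
    for r in inp:
        if "--dport" in r and has(r, "-j", "ACCEPT"):
            proto = r[r.index("-p") + 1] if "-p" in r else "?"
            open_ports.append((proto, r[r.index("--dport") + 1]))
    return {
        "input_default_drop": policies.get("INPUT") == "DROP",
        "loopback_allowed": any(has(r, "-i", "lo", "ACCEPT") for r in inp),
        "stateful": any(has(r, "RELATED,ESTABLISHED", "ACCEPT") for r in inp),
        "ping_allowed": any(has(r, "-p", "icmp", "ACCEPT") for r in inp),
        "logging": any("LOG" in r for r in inp),
        "open_ports": open_ports,
        # last INPUT rule is an unconditional REJECT/DROP (the explicit catch-all)
        "catch_all_reject": bool(inp) and inp[-1][2:4] in (["-j", "REJECT"], ["-j", "DROP"]),
    }

if __name__ == "__main__":
    for key, value in audit_input_chain(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the output of `iptables-save` on a CentOS box to see at a glance which of the author's questions the current ruleset answers.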