opinions on firewall?
Matthew Carpenter
matt
Mon May 17 11:34:40 PDT 2004
I don't think he built this script. It's entirely too pretty in layout.
Building your own script, IMHO, is not that hard, and much easier
to lock down tight. I didn't look at all the internals, but I would
definitely question the number of ports left open to the world. Outbound
FROM the inside is one thing. To allow internal users to use any ports or
a restricted few is a management decision. Leaving open ports to any
machine wide open from the outside is quite another. Building your own
script allows you to open up udp 53 to DNS servers and ONLY to DNS
servers. I don't have a big problem with SSH being allowed to anything,
so long as you have some sort of IDS function (checking system logs
included). But Port 25 to ANY box? Maybe just the SMTP server. etc....
If you are doing a "my own personal network" script, maybe canned scripts
are ok, but if you are protecting a company network, you will really want
to lock it down to the necessary ports to those boxes needing them... DMZ
is good as well.
So I guess that gets us back to the question: What are you trying to do
with the script?
On Wed, 10 Jul 2002 06:50:39 -0400 (EDT)
"Gerry Doris" <gerry at dorfam.ca> wrote:
> On Tue, 9 Jul 2002, Douglas J Hunley wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > anyone see anything wrong, any holes, incorrect assumptions, room for
> > improvement, etc with the attached iptables script?
> > - --
> > Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
> > Admin: Linux StepByStep - http://www.linux-sxs.org
> > and http://jobs.linux-sxs.org
>
> Instead of building your own script you might want to check out
> Monmotha's iptables script. You can configure it to do most things.
>
> Gerry
> --
>
> "The lyfe so short, the craft so long to learne" Chaucer
>
> _______________________________________________
> Linux-users mailing list -
> http://linux-sxs.org/mailman/listinfo/linux-users
> Subscribe/Unsubscribe info, Archives,and Digests are located at the
> above URL.
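As an added illustration of the point made in the reply above (restrict inbound ports to the boxes that need them, and log what you do allow), here is a small hand-built iptables rule set for a gateway. It is example code written for this page; it is not the script attached to the original mail and not Monmotha's script. The interface name, the 192.0.2.x addresses and the choice of which hosts take DNS, SMTP and SSH are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's attached script: a gateway rule set
# that opens inbound ports only toward the hosts that need them.
# Interface and addresses below are constructed placeholders (192.0.2.0/24 is
# the documentation range); set them for your own network.
set -eu

EXT_IF="${EXT_IF:-eth0}"                               # Internet-facing interface (assumed)
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"   # constructed: internal DNS servers
SMTP_SERVER="${SMTP_SERVER:-192.0.2.25}"              # constructed: the one SMTP box
SSH_HOSTS="${SSH_HOSTS:-192.0.2.10}"                  # constructed: hosts allowed to take SSH
# IPT defaults to "echo iptables" so the script only prints the rules it would
# load; run as root with IPT=/sbin/iptables to actually apply them.
IPT="${IPT:-echo iptables}"

gen_rules() {
    # Default deny for traffic to and through the gateway. Outbound from the
    # inside is a separate management decision; it is left permissive here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD ! -i "$EXT_IF" -j ACCEPT     # inside -> anywhere

    # udp 53 from the outside reaches the DNS servers and ONLY the DNS servers
    for dns in $DNS_SERVERS; do
        $IPT -A FORWARD -i "$EXT_IF" -p udp -d "$dns" --dport 53 -j ACCEPT
    done

    # tcp 25 goes to the SMTP server, not to any box
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SMTP_SERVER" --dport 25 -j ACCEPT

    # SSH is allowed, but every new connection is logged so the system logs
    # can be watched (the "IDS function" the reply asks for)
    for h in $SSH_HOSTS; do
        $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$h" --dport 22 -m state --state NEW \
            -j LOG --log-prefix "SSH-NEW: "
        $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$h" --dport 22 -j ACCEPT
    done

    # Whatever did not match is logged (rate-limited) before the DROP policy takes it
    $IPT -A FORWARD -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
}

# count_accepts PORT: number of inbound (from EXT_IF) ACCEPT rules that open
# that destination port. Useful as a quick self-check before loading the rules:
# port 25 should come out as 1, port 53 as the number of DNS servers, 80 as 0.
count_accepts() {
    gen_rules | grep -c -- "-i $EXT_IF .*--dport $1 .*-j ACCEPT" || true
}

gen_rules
```

Run it as-is to review the rules it would load; only when the output looks right, rerun with IPT=/sbin/iptables as root. The point of the per-host `-d` matches is that a port is never opened "to any box": count_accepts 25 should report exactly one rule.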