[CentOS] Default Firewall Entries
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Apr 11 14:00:05 UTC 2005
Johnny Hughes wrote:
> SO ... if the box needs to do either mDNS or CUPS printer browsing, you
> need them enabled. If not, you can remove them.
And system-config-securitylevel is going to add them again next time it
is run. IMO, the best is to remove system-config-securitylevel and do
firewall configuration manually. The stuff that
system-config-securitylevel is writing into /etc/sysconfig/iptables
isn't exactly tight anyhow. It treats INPUT and FORWARD about the same,
no per-interface control, no source address control (do you really
want to enable ssh access from Internet?), weak control of ICMP (why
allow non-related ICMP messages?), no TCP flags checks, allows RELATED
stuff without further checks... just to name a few things that are a must
in any half-decent Linux/Netfilter based firewall configuration...
--
Aleksandar Milivojevic <amilivojevic at pbl.ca>
Systems Administrator
Tel: (204) 474-2323 ext 276
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7
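The post lists what system-config-securitylevel's generated ruleset lacks but shows no ruleset of its own. The script below is an added example, not the poster's configuration or anything shipped with CentOS: it emits an iptables-restore file of the kind you would write by hand into /etc/sysconfig/iptables, addressing each point raised (separate INPUT and FORWARD policies, per-interface matching, ssh restricted by source address, ICMP limited to RELATED errors plus rate-limited echo, TCP flag sanity checks, and RELATED accepted only for ICMP instead of as a blanket rule). The interface name in WAN_IF and the management network in ADMIN_NET are assumptions; adjust them before loading.

```shell
#!/bin/sh
# Added example (not from the original post): generate a hand-written
# Netfilter ruleset in iptables-restore format.
# Assumed values; override via the environment:
WAN_IF="${WAN_IF:-eth0}"                  # assumed public interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # assumed network allowed to ssh in

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPFLAGS - [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# packets that connection tracking could not classify
-A INPUT -m state --state INVALID -j DROP
# replies to connections we already accepted need no further checks
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# RELATED is allowed only for ICMP error messages, not as a blanket rule
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
# TCP flag sanity checks run before any new TCP connection is considered
-A INPUT -p tcp -j TCPFLAGS
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A TCPFLAGS -p tcp --tcp-flags ALL NONE -j DROP
-A TCPFLAGS -p tcp --tcp-flags ALL ALL -j DROP
-A TCPFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCPFLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCPFLAGS -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A TCPFLAGS -j RETURN
# ssh: only on the public interface and only from the management network
-A INPUT -i ${WAN_IF} -s ${ADMIN_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ICMP: rate-limited echo requests only; other unrelated ICMP hits the DROP policy
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
# log (rate-limited) whatever is about to be dropped by policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# has_rule RULE: true if the generated ruleset contains RULE verbatim
has_rule() {
    gen_rules | grep -qF -- "$1"
}

# Usage (as root): gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

Because FORWARD has its own DROP policy and no rules, the host never routes packets even if ip_forward is turned on by accident; services such as mDNS or CUPS browsing from the thread would be added as explicit per-interface rules above the LOG line rather than opened globally.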