[CentOS] Not firewall, but what?
Gordon Messmer
yinyang at eburg.com
Tue May 11 00:40:49 UTC 2010
On 05/10/2010 06:20 AM, Kahlil Hodgson wrote:
> This gives me a very clean and clear separation between inside my
> network and outside, and no one outside my network is going to see my
> RFC1918 address space.
I weep every time I see someone advocate NAT for security reasons. It's
ridiculous.
Routing policy is definitely required for a multi-homed system such as
Jussi presented, but NAT is totally superfluous. It adds an extra layer
of complexity that makes the system more difficult to diagnose and
configure, and contributes nothing of value in return.
John Pierce's advice was simple and correct. If you don't want to set
up ifup-post scripts of your own, you can use shorewall. Shorewall is
actually more complex, but you don't have to understand much about the
"ip" tool to use it.
For shorewall, you'd need the following files (column headers added as comments
so each field is identifiable; the entries are unchanged):

interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0        -           norfc1918,nosmurfs,tcpflags
inet    eth1        -           norfc1918,nosmurfs,tcpflags
lan     virbr0      -           dhcp

zones:
#ZONE   TYPE
fw      firewall
inet    ipv4
lan     ipv4

policy:
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
inet    inet    DROP
all     inet    ACCEPT
all     all     REJECT  info

providers:
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS
isp0    1       1       main        eth0        62.236.221.78   track,balance
isp1    2       2       main        eth1        62.220.237.126  track,balance

route_rules:
#SOURCE DEST    PROVIDER    PRIORITY
lo      -       isp0        11000
eth0    -       isp0        11000
eth1    -       isp1        11000
virbr0  -       isp1        11000
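For readers who would rather take the ifup-post route mentioned above, the following is an added example (not code from the post or from the Shorewall project) showing the plain "ip" and iptables commands that the providers and route_rules files above correspond to. It reuses the gateways, table numbers, marks and priorities from the post. Assumptions of mine: tables are referenced by number rather than name (names would need entries in /etc/iproute2/rt_tables), "track" is implemented as conntrack marking of new connections on each uplink with the mark restored for replies, and "balance" is an equal-weight multipath default route in the main table. Nothing is executed unless APPLY=1 is set, so the generated commands can be reviewed first and the script runs on a host that has none of these interfaces. There is no NAT rule anywhere; routing policy alone decides which uplink a packet leaves on.

```shell
#!/bin/sh
# Added example: policy routing for the two-uplink host without NAT.
# Values copied from the post's providers and route_rules files.
set -eu

# NAME TABLE MARK IFACE GATEWAY
providers() {
    printf '%s\n' \
        'isp0 1 1 eth0 62.236.221.78' \
        'isp1 2 2 eth1 62.220.237.126'
}

# IIF PROVIDER PRIORITY
route_rules() {
    printf '%s\n' \
        'lo isp0 11000' \
        'eth0 isp0 11000' \
        'eth1 isp1 11000' \
        'virbr0 isp1 11000'
}

# Routing table number of a provider name.
table_of() {
    providers | awk -v n="$1" '$1 == n { print $2 }'
}

# Emit the commands without running them, one per line.
build_commands() {
    # Restore the connection mark on every packet so replies carry the
    # mark of the uplink the connection arrived on ("track", my reading).
    printf 'iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark\n'
    printf 'iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark\n'

    providers | while read -r name table mark iface gw; do
        # Per-provider table with its own default route via that ISP.
        printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
        # New connections entering on this uplink get its mark saved.
        printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-mark %s\n' "$iface" "$mark"
        # Marked packets are routed by the matching provider table.
        printf 'ip rule add fwmark %s table %s priority 10000\n' "$mark" "$table"
    done

    # route_rules: select a provider table by incoming interface.
    route_rules | while read -r iif prov prio; do
        printf 'ip rule add iif %s table %s priority %s\n' \
            "$iif" "$(table_of "$prov")" "$prio"
    done

    # "balance": equal-weight multipath default in the main table for
    # anything the rules above did not claim.
    nh=$(providers | awk '{ printf " nexthop via %s dev %s weight 1", $5, $4 }')
    printf 'ip route replace default scope global%s\n' "$nh"
}

# Print the plan, or execute it when APPLY=1 (needs root and the interfaces).
apply() {
    if [ "${APPLY:-0}" = 1 ]; then
        build_commands | sh -e
    else
        build_commands
    fi
}

apply
```

Run it once without APPLY to read the generated commands, then with APPLY=1 from an ifup-post hook. The iif rules do for forwarded traffic what the fwmark rules do for tracked connections: a packet that came in on eth1 (or from the virbr0 guests) leaves via isp1, and a reply to a connection that arrived on eth0 leaves via isp0, with the addresses untouched.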