[CentOS] setup firewall with 3 nic cards
James A. Peltier
jpeltier at fas.sfu.ca
Fri May 21 19:54:37 UTC 2010
On Wed, 19 May 2010, J.Witvliet at mindef.nl wrote:
> Hi Jerry,
>
> Just a general remark.
> When deploying a firewall, it is advisable to have (atleast for input, better for all) to have the general policy set to drop, and only allow in what you expect to be coming in. If you put a "-j log" line as a final line for each section, you'll see every packet you forgot about...
>
> Now the default is "allow", and only doing some SNAT and DNAT rules...
>
> hw
And as a follow up remark, it would be advisable to have a network policy
in place that will help to define your rules. For example within a
university environment like mine, we allow everything in by default except
those services for which we want to explicitly block. Those that we want
to explicitly block are documented and we run tests to ensure that our
firewall is working as expected on a regular basis.
Define your "business rules" first and make your firewall rules follow
suit.
--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
HPC Coordinator
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_spam at hotmail.com
TEAMWORK
There's power in numbers. Learn to work together.
More information about the CentOS
mailing list