[CentOS] firewall?
Keith Roberts
keith at karsites.net
Sat Jul 16 17:20:44 UTC 2011
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
> To: CentOS mailing list <centos at centos.org>
> From: Ljubomir Ljubojevic <office at plnet.rs>
> Subject: Re: [CentOS] firewall?
>
> Keith Roberts wrote:
>> On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
>>
>> *snip*
>>
>>> I wrote about "physical presence *outside* of your network", like if you
>>> are on a large WISP that uses bridged network (bad design) and your
>>> Wireless client is bridged, and you have single NIC firewall in place,
>>> entire WISP's network will be able to sniff your traffic and hack into
>>> unprotected workstations/desktops. And there are those scenarios, much
>>> more than you can think.
>>
>> Which is why one poster mentioned that you need to be
>> familiar with IPtables and Networking before trying to make
>> your machine(s) network(s) secure?
>>
>> I read some time ago something about tunneling different
>> protocols through firewalls? which sounded quite scary.
>>
>
> All firewalls (on Linux at least) are by default closed, and you need
> knowledge to punch through the holes for your public services.
>
> It's something like this:
>
> Deny all (other) connections
>
> then you add few rules and it looks like this:
>
> Allow service listening on port X
> Allow service listening on port Y
> Allow service listening on port Z
> Allow service coming from IP A (and port W)
> Allow service coming to IP B (and port U)
> Deny all (other) connections
>
> Packets are sent through the chain (of the rules like above) and when
> they hit some rule, desired action is performed and that packet (mostly)
> stops going down the chain, so it does not hit bottom rule. If packet
> does not match any "allow" rule, then it will hit (one of) deny rule and
> that connection will be terminated.
>
> If you want easy to understand Firewall/router PC based on RHEL/CentOS
> try ClearOS, and if you want it *on* the CentOS I suggest to check
> shorewall.
>
> www.shorewall.net is also excellent site to learn about firewalls and
> routers in general with lots of examples.
Thanks for that Ljubomir.
I have studied the IPtables docs, and actually have my own
rules setup and running in place of the default IP4 & IP6
CentOS rules. I did this mainly for logging purposes - all
packet movements were logged to a file for later analysis.
I have turned off most firewall logging now, and I use
Wireshark to watch packet movements in real time if I
suspect there is a network problem. It's interesting to
watch how packets move into and out of the eth0 interface.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
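Ljubomir's chain walk-through above (allow rules on top, "deny all other" at the bottom, first matching rule decides) as a small evaluator, added here as an example and not code from the list, from iptables or from shorewall; ports and addresses are constructed placeholders for X, Y, Z, A, B, W and U. The LOG rule models the "(mostly) stops" caveat, since an iptables LOG target does not terminate and the packet keeps walking the chain, and shadowed_rules() finds rules that can never fire because an earlier terminating rule already matches everything they would.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple
Packet = namedtuple("Packet", "src dst dport")  # constructed test packet shape

@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT", "DROP" or "LOG" (LOG never terminates)
    dport: Optional[int] = None  # None means "any", like omitting --dport
    src: Optional[str] = None
    dst: Optional[str] = None
    def matches(self, p: Packet) -> bool:
        return ((self.dport is None or p.dport == self.dport)
                and (self.src is None or p.src == self.src)
                and (self.dst is None or p.dst == self.dst))

    def covers(self, o: "Rule") -> bool:
        # every packet that matches o also matches self
        return all(m is None or m == t for m, t in
                   ((self.dport, o.dport), (self.src, o.src), (self.dst, o.dst)))

def walk_chain(rules: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    # First ACCEPT/DROP match is final; LOG records and continues; falling off
    # the bottom yields the chain policy (the "deny all others" in the mail).
    log = []
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.target == "LOG":
            log.append(f"rule {i}: {p.src} -> {p.dst}:{p.dport}")
            continue
        return r.target, log
    return policy, log

def shadowed_rules(rules: List[Rule]) -> List[int]:
    # Rules an earlier terminating rule makes unreachable: the classic ordering bug.
    return [j for j, r in enumerate(rules)
            if any(e.target != "LOG" and e.covers(r) for e in rules[:j])]

# Constructed chain mirroring the list in the mail; X/Y/Z/A/B/W/U are placeholders.
INPUT_CHAIN = [
    Rule("LOG"),                                    # log everything first
    Rule("ACCEPT", dport=22),                       # port X
    Rule("ACCEPT", dport=80),                       # port Y
    Rule("ACCEPT", dport=443),                      # port Z
    Rule("ACCEPT", src="192.0.2.10", dport=3306),   # from IP A, port W
    Rule("ACCEPT", dst="203.0.113.5", dport=8080),  # to IP B, port U
    Rule("DROP"),                                   # deny all (other) connections
]
```

Dropping the final DROP rule from INPUT_CHAIN shows why the chain policy matters: with policy "ACCEPT" an unmatched packet falls off the bottom and is let through.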