On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list <centos@centos.org>
From: Ljubomir Ljubojevic <office@plnet.rs>
Subject: Re: [CentOS] firewall?
Keith Roberts wrote:
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single-NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, many more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls, which sounded quite scary.
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
It's something like this:
Deny all (other) connections
then you add a few rules and it looks like this:
Allow service listening on port X
Allow service listening on port Y
Allow service listening on port Z
Allow service coming from IP A (and port W)
Allow service coming to IP B (and port U)
Deny all (other) connections
Packets are sent through the chain (of rules like the above) and when they hit some rule, the desired action is performed and that packet (mostly) stops going down the chain, so it does not hit the bottom rule. If a packet does not match any "allow" rule, then it will hit (one of) the deny rules and that connection will be terminated.
If you want an easy-to-understand firewall/router PC based on RHEL/CentOS, try ClearOS, and if you want it *on* CentOS I suggest checking shorewall.
www.shorewall.net is also an excellent site to learn about firewalls and routers in general, with lots of examples.
Thanks for that Ljubomir.
I have studied the IPtables docs, and actually have my own rules set up and running in place of the default IP4 & IP6 CentOS rules. I did this mainly for logging purposes - all packet movements were logged to a file for later analysis.
I have turned off most firewall logging now, and I use Wireshark to watch packet movements in real time if I suspect there is a network problem. It's interesting to watch how packets move into and out of the eth0 interface.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
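The chain shape Ljubomir sketches (default deny, a few "allow" rules for listening ports and addresses, an explicit deny at the bottom, with logging of what gets dropped as Keith describes) can be written out as an iptables-restore ruleset. The script below is an added example and is not code from either poster; the port numbers and the two addresses (from the RFC 5737 documentation ranges) are placeholder values to be replaced with the host's own services.

```shell
#!/bin/sh
# Added example, not from the thread: emit an IPv4 ruleset in
# iptables-restore format that follows the chain described above.
# First match wins, so the ACCEPT rules come before the final DROP.

# Placeholder values (assumed for this example; not from the list post).
ALLOW_PORTS="22 80 443"     # services listening on this host (ports X/Y/Z)
TRUSTED_SRC="192.0.2.10"    # "allow coming from IP A"
LOCAL_DST="198.51.100.5"    # "allow coming to IP B ..."
LOCAL_DST_PORT="8080"       # "... (and port U)"

build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: anything not explicitly accepted below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host started itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Allow service listening on port X / Y / Z (new TCP connections only).
    for p in $ALLOW_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Allow traffic coming from IP A (any port) and to IP B on port U.
    printf '%s\n' "-A INPUT -s $TRUSTED_SRC -j ACCEPT"
    printf '%s\n' "-A INPUT -d $LOCAL_DST -p tcp --dport $LOCAL_DST_PORT -j ACCEPT"
    # Bottom of the chain: log what is about to be dropped (rate-limited so a
    # scan cannot flood the log), then drop it. Nothing below this matches.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Sanity helpers: how many ACCEPT rules the chain has, and what its last rule is.
count_accepts() {
    build_ruleset | grep -c -- '-j ACCEPT'
}

last_rule() {
    build_ruleset | grep -- '^-A' | tail -n 1
}

# Usage on a CentOS host (as root):
#   build_ruleset > /etc/sysconfig/iptables && service iptables restart
# or, to load without saving:
#   build_ruleset | iptables-restore
```

Dropped packets show up in the kernel log with the "INPUT-DROP: " prefix, which is the kind of record Keith mentions keeping for later analysis; the `limit` match keeps that log readable under a port scan. IPv6 needs its own ruleset loaded with ip6tables-restore, since this file only programs the IPv4 tables.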