On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list centos@centos.org
From: Ljubomir Ljubojevic office@plnet.rs
Subject: Re: [CentOS] firewall?
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Keith Roberts wrote:
So I guess I could configure my single NIC CentOS 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machines on the LAN side of the router, possibly using NAPT on the CentOS box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as firewall for the network, facing outside of the local network. There were people who would bring public (or semi-public, from ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. But if you have proper firewall rules in place to block incoming traffic from the public IP going to the private IP then it's very safe.
You are looking only at the safety of the server, not the whole network.
In the case of ADSL modems *with NAT-ing* you already have a firewall in the form of the ADSL modem, and you are safe.
That's exactly how my Thompson ADSL router works. By default it blocks any connections coming in from the outside internet IP address.
To open a port I have to log in to the router and create a NAPT rule that links an outside port to a machine and port on the LAN side of the router.
I did have port 80 NAPT'ed this way, but now I have removed that rule, as my websites are hosted on a cloud in a proper data center.
So what with the router firewall and then the Linux Kernel IPtables packet filtering firewall, I actually have two firewalls running?
For checking open/closed ports from the outside, I go to www.grc.com and let their machine do a 'Shields Up' scan of my machine.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------