Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
On 7/15/11, hadi motamedi motamedi24@gmail.com wrote:
Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
Hadi;
Under most circumstances, CentOS 5.6 should come with the software you need: iptables (and, possibly, iptables-ipv6).
There's a wealth of information about configuring iptables on Google. To get you started, this looks like an interesting overview: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-fw.html
Also, if you get daring and want to try writing rules for yourself, Mike Harris has a nice template configuration for iptables: http://mharris.ca/iptables/mharris-iptables-example-config-1.2.txt
Read up on iptables, understand the concepts behind it. This is a good thing to take slow if you're not familiar with it. Security is not to be rushed. :)
Cheers, Cody Jackson
On 7/16/11, Cody Jackson supertanker13@gmail.com wrote:
On 7/15/11, hadi motamedi motamedi24@gmail.com wrote:
Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
Hadi;
Under most circumstances, CentOS 5.6 should come with the software you need: iptables (and, possibly, iptables-ipv6).
There's a wealth of information about configuring iptables on Google. To get you started, this looks like an interesting overview: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-fw.html
Also, if you get daring and want to try writing rules for yourself, Mike Harris has a nice template configuration for iptables: http://mharris.ca/iptables/mharris-iptables-example-config-1.2.txt
Read up on iptables, understand the concepts behind it. This is a good thing to take slow if you're not familiar with it. Security is not to be rushed. :)
Cheers, Cody Jackson _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Thank you very much for your reply. For the basic configuration, and before setting any rules on INPUT from iptables, please consider the following IP address configuration on my nodes:
centos 5.6 server eth0 @192.168.10.114
centos 5.6 server eth0:1 @172.18.128.1
windows node @172.18.209.1
The centos 5.6 server is now connected to the Internet. With respect to the above configuration, can you please let me know how I can just forward Internet traffic right from my centos connected to the net toward the windows node machine, thus enabling the windows machine to have Internet service (without any iptables rules set at the moment)? After this basic configuration, I will try to set the required security rules to secure my windows node through the centos 5.6 connected server.
On 07/15/11 9:57 PM, hadi motamedi wrote:
Read up on iptables, understand the concepts behind it. This is a good thing to take slow if you're not familiar with it. Security is not to be rushed. :)
which part of that did you not understand?
On 7/16/11, John R Pierce pierce@hogranch.com wrote:
On 07/15/11 9:57 PM, hadi motamedi wrote:
Read up on iptables, understand the concepts behind it. This is a good thing to take slow if you're not familiar with it. Security is not to be rushed. :)
which part of that did you not understand?
-- john r pierce N 37, W 122 santa cruz ca mid-left coast
Sorry. I just didn't get the basic configuration. I mean enabling the windows machine to get Internet service from the centos connected server (with respect to the ip configuration sent). I am now reading the iptables manual and I understand how to set the required security rules after getting the above basic configuration. Please just give me a hint on the basic configuration. Thank you in advance
On 07/15/11 10:07 PM, hadi motamedi wrote:
Sorry. I just didn't get the basic configuration. I mean enabling the windows machine to get Internet service from the centos connected server (with respect to the ip configuration sent). I am now reading the iptables manual and I understand how to set the required security rules after getting the above basic configuration. Please just give me a hint on the basic configuration.
first, you should have two separate physical interfaces, not the same interface like eth0 and eth0:1
internet to eth0 and local area network to eth1
configure iptables rules to implement "NAT" (network address translation), also known as 'IP Masquerade'. You typically have to load the ip masq connection tracking module too. Any howto or readme on iptables and linux firewalling should explain how to do this.
if you want someone to write the rules for you, I suggest you hire them.
You can use pretty standard tools: iptables etc. You just need a minimum server install with maybe some web-based GUI to manage the box from other machines. You can have a look at webmin (www.webmin.com), which offers a nice web interface and is popular in the hosting industry as a free admin web UI.
- SZQ
On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamedi24@gmail.com wrote:
Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
On 7/16/11, SZ Quadri sz@quadri.in wrote:
You can use pretty standard tools: iptables etc. You just need a minimum server install with maybe some web-based GUI to manage the box from other machines. You can have a look at webmin (www.webmin.com), which offers a nice web interface and is popular in the hosting industry as a free admin web UI.
- SZQ
On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamedi24@gmail.com wrote:
Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
Thank you for your help. I tried to get it as 'yum install webadmin*' but was unsuccessful. Can you please confirm if the spelling is correct?
hadi motamedi wrote:
On 7/16/11, SZ Quadri sz@quadri.in wrote:
You can use pretty standard tools: iptables etc. You just need a minimum server install with maybe some web-based GUI to manage the box from other machines. You can have a look at webmin (www.webmin.com), which offers a nice web interface and is popular in the hosting industry as a free admin web UI.
- SZQ
On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamedi24@gmail.com wrote:
Dear All, I need to put my centos 5.6 server as a firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff I need to put on my centos server? Thank you
Thank you for your help. I tried to get it as 'yum install webadmin*' but was unsuccessful. Can you please confirm if the spelling is correct?
It is webmin, and it is not part of the base repository. Visit http://www.webmin.com, read about it and then download it by clicking on the "Rpm" link on the right. The installation procedure is explained on the web site.
Note: Read carefully so you know what and how things are done, and install only the rpm version.
Ljubomir
On Sat, 2011-07-16 at 14:56 +0430, hadi motamedi wrote:
<snip>
Thank you for your help. I tried to get it as 'yum install webadmin*' but was unsuccessful. Can you please confirm if the spelling is correct?
Google is your friend. A simple search would have revealed:
http://www.webmin.com/download.html
B.J.
CentOS Linux release 6.0 (Final)
Do this: 1. Make sure your Centos has two network cards. One connected to the internet, one to the local LAN. Make sure the Centos can already browse the internet. Example: internet: eth0 192.168.1.1, local: eth1 192.168.2.1
2. Activate ip forwarding in /etc/sysconfig/sysctl.conf net.ipv4.ip_forward = 1
Run sysctl -r to reload the new setting
3. Type this iptables command to share internet: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
4. Set your windows box to use 192.168.2.1 as its default gateway. Don't forget to give it DNS too, like 8.8.8.8
5. I'd suggest you join your Linux Local User Group to have more help.
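Putting the steps above together, as an added example that is not Fajar's own script: a shell script for the two-NIC layout he describes (eth0 to the Internet, eth1 to the LAN; the 192.168.2.0/24 subnet and the interface names are taken from his example and can be overridden through the environment). It sets net.ipv4.ip_forward in /etc/sysctl.conf and reloads it with sysctl -p, and it puts a default-DROP FORWARD chain in front of the MASQUERADE rule, so the Windows node gets Internet access without the gateway also forwarding unsolicited inbound traffic to it.

```shell
#!/bin/sh
# Added example, not code from the thread: build (and, as root with --apply,
# install) the rule set for a two-NIC CentOS 5 NAT gateway. Interface names
# and the LAN subnet are constructed defaults; override them via the environment.

WAN_IF=${WAN_IF:-eth0}              # interface facing the Internet
LAN_IF=${LAN_IF:-eth1}              # interface facing the Windows node
LAN_NET=${LAN_NET:-192.168.2.0/24}  # subnet behind the LAN interface

# Print the iptables commands, one per line, in the order they must run.
# Nothing is executed here, so the list can be reviewed before applying it.
gateway_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Turn on routing between the two interfaces, persistently and right now.
# /etc/sysctl.conf is where CentOS keeps net.ipv4.ip_forward; sysctl -p reloads it.
enable_forwarding() {
    sed -i 's/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -p >/dev/null
}

# Apply everything and make the rules survive a reboot ("service iptables save"
# writes /etc/sysconfig/iptables on CentOS).
apply_gateway() {
    enable_forwarding
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
    service iptables save
}

case "${1:-}" in
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; apply_gateway ;;
    *)       gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
esac
```

Run it without arguments to see the rules it would install; `WAN_IF=ppp0 sh gateway.sh --apply` as root installs them for a PPPoE uplink. The two FORWARD rules are what make the difference from the one-line MASQUERADE: the LAN side may open new connections, the WAN side may only answer them, and anything else is logged (rate limited) and dropped by the chain policy.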
On Sat, Jul 16, 2011 at 7:11 PM, Fajar Priyanto fajarpri@arinet.org wrote:
- Activate ip forwarding in /etc/sysconfig/sysctl.conf
net.ipv4.ip_forward = 1
Run sysctl -r to reload the new setting
typo: should be sysctl -p
Fajar Priyanto wrote:
Do this:
- Make sure your Centos has two network card. One connected to
internet, one to local lan. Make sure the Centos can already browsing internet. Example internet: eth0 192.168.1.1 local: eth1 192.168.2.1
Just as an FYI, shorewall does support single NIC systems, and it also supports Multiple Internet connection scenarios.
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
Ljubomir
On Sat, Jul 16, 2011 at 1:46 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Fajar Priyanto wrote:
Do this:
- Make sure your Centos has two network card. One connected to
internet, one to local lan. Make sure the Centos can already browsing internet. Example internet: eth0 192.168.1.1 local: eth1 192.168.2.1
Just as an FYI, shorewall does support single NIC systems, and it also supports Multiple Internet connection scenarios.
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
Ljubomir
How exactly is it unsafe?
On Sat, Jul 16, 2011 at 01:46:36PM +0200, Ljubomir Ljubojevic wrote:
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
So I shouldn't run a firewall on any of my hundreds of single nic instances?
John
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
So I shouldn't run a firewall on any of my hundreds of single nic instances?
I think he's referring to the standard router/firewall scenario where the server is an internet gateway for a network. There I'd consider a single interface system as inherently insecure.
On Sat, Jul 16, 2011 at 2:01 PM, Drew drew.kay@gmail.com wrote:
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
So I shouldn't run a firewall on any of my hundreds of single nic instances?
I think he's referring to the standard router/firewall scenario where the server is an internet gateway for a network. There I'd consider a single interface system as inherently insecure.
-- Drew
"Nothing in life is to be feared. It is only to be understood." --Marie Curie
well there's no real reason why a single NIC firewall should be insecure. We're all referring to a normal PC (or even server) with CentOS installed on it, not a commercial firewall.
If you setup different IP subnets on the same NIC and routing between them, the same way as between 2 NIC's then you'll still have the same level of firewalling. And I'm sure you could setup VLAN's on the switch for the different IP subnets to make it more secure as well.
The one place where this is commonly used is with a PPPoE ADSL switch where the ADSL "firewall" establishes the PPPoE connection and then shares the internet to the LAN as well using the same ADSL modem's wifi connection.
On Sat, 16 Jul 2011, John R. Dennison wrote:
To: centos@centos.org From: John R. Dennison jrd@gerdesas.com Subject: Re: [CentOS] firewall?
On Sat, Jul 16, 2011 at 01:46:36PM +0200, Ljubomir Ljubojevic wrote:
That being said, one should *never* create firewall with only one NIC! It is highly unsafe.
So I shouldn't run a firewall on any of my hundreds of single nic instances?
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Regards,
Keith
----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as a firewall for the network, facing outside of the local network. There were people who would bring a public (or semi-public, from the ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that the ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Having a firewall, as software, running on the PC/server is good practice, sometimes even in the local environment, if you use it in a network that "external" people will hook their PCs up to and you have important data on it. Rare cases, but they do exist. Better safe than sorry.
Ljubomir
On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as a firewall for the network, facing outside of the local network. There were people who would bring a public (or semi-public, from the ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that the ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. But if you have proper firewall rules in place to block incoming traffic from the public IP going to the private IP then it's very safe.
Ljubomir
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as a firewall for the network, facing outside of the local network. There were people who would bring a public (or semi-public, from the ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that the ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. But if you have proper firewall rules in place to block incoming traffic from the public IP going to the private IP then it's very safe.
You are looking only at the safety of the server, not the whole network.
In case of ADSL modems *with NAT-ing* you already have a firewall in the form of the ADSL modem, and you are safe.
But if you have a public network passing through the local area switch, then there is the possibility of hackers using lower network layers to access unprotected PCs on that local network. Not long-distance hackers, but in case of physical presence outside of your network they could assign a virtual IP to the MAC addresses of your PCs and access them directly that way, not to mention the danger of PCs bypassing your one-NIC firewall and unsafely connecting to the outside.
Ljubomir
On Sat, Jul 16, 2011 at 2:44 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
But if you have a public network passing through the local area switch, then there is the possibility of hackers using lower network layers to access unprotected PCs on that local network. Not long-distance hackers, but in case of physical presence outside of your network they could assign a virtual IP to the MAC addresses of your PCs and access them directly that way, not to mention the danger of PCs bypassing your one-NIC firewall and unsafely connecting to the outside.
Ljubomir
"local hackers" is a matter all on its own :) I have seen many cases on clients' networks where they use an expensive commercial firewall (brand doesn't matter here, but let's say for example Cyberoam, Cisco, HP etc) and still have problems with "hackers on the local LAN" because they didn't think of setting up proper security on the LAN as well.
The fact is, you can use a Linux firewall with a single NIC, as long as you use different IP subnets and strong iptables rules to filter traffic properly between the 2 subnets.
Another scenario where this is used more and more these days is with virtualization, where you won't have different NICs for each virtual server on the same physical server. The only way to firewall that traffic is to use iptables and VLANs. And many, many hosting companies use virtual hosting for their clients.
Rudi Ahlers wrote:
The fact is, you can use a Linux firewall with a single NIC, as long as you use different IP subnets and strong iptables rules to filter traffic properly between the 2 subnets.
Another scenario where this is used more and more these days is with virtualization, where you won't have different NICs for each virtual server on the same physical server. The only way to firewall that traffic is to use iptables and VLANs. And many, many hosting companies use virtual hosting for their clients.
This type of setup has many caveats and it is best, for the sake of newbies/noobs, to say it is doable but dangerous. I know you will agree with me on this.
Those well versed in networking (should) already know all about securing this schema, and can do as they like.
Ljubomir
not to mention danger of PC's bypassing your one-NIC firewall and unsafely connecting to the outside.
That I think is the biggest danger with a one NIC setup.
Linux boxen may be safe(r) (than windows) from being infected or hacked, but just one malicious machine can bypass the security in place if you don't logically *and* physically separate your subnets.
On Sat, Jul 16, 2011 at 2:56 PM, Drew drew.kay@gmail.com wrote:
not to mention danger of PC's bypassing your one-NIC firewall and unsafely connecting to the outside.
That I think is the biggest danger with a one NIC setup.
Linux boxen may be safe(r) (than windows) from being infected or hacked, but just one malicious machine can bypass the security in place if you don't logically *and* physically separate your subnets.
-- Drew
You can have the same problem with a multi-NIC firewall, by the way.
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 2:56 PM, Drew drew.kay@gmail.com wrote:
not to mention danger of PC's bypassing your one-NIC firewall and unsafely connecting to the outside.
That I think is the biggest danger with a one NIC setup.
Linux boxen may be safe(r) (than windows) from being infected or hacked, but just one malicious machine can bypass the security in place if you don't logically *and* physically separate your subnets.
-- Drew
You can have the same problem with a multi-NIC firewall, by the way.
If you secure that firewall unit facing internet *properly*, you are safe from outside. This is not the case with the setup I described.
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, much more than you can think.
Ljubomir
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, much more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls? which sounded quite scary.
Keith
----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
Keith Roberts wrote:
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, much more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls? which sounded quite scary.
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
It's something like this:
Deny all (other) connections
then you add a few rules and it looks like this:
Allow service listening on port X
Allow service listening on port Y
Allow service listening on port Z
Allow service coming from IP A (and port W)
Allow service coming to IP B (and port U)
Deny all (other) connections
Packets are sent through the chain (of rules like the above) and when they hit some rule, the desired action is performed and that packet (mostly) stops going down the chain, so it does not hit the bottom rule. If a packet does not match any "allow" rule, then it will hit (one of) the deny rules and that connection will be terminated.
If you want an easy to understand firewall/router PC based on RHEL/CentOS try ClearOS, and if you want it *on* the CentOS I suggest you check shorewall.
www.shorewall.net is also an excellent site to learn about firewalls and routers in general, with lots of examples.
Ljubomir
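The chain Ljubomir sketches, as an added example (not code from his post): a small rule table in the same shape, a function that renders it as iptables commands for the INPUT chain, and a function that walks the table the way netfilter walks a chain, stopping at the first rule that matches. The ports and addresses in the table are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. One rule table drives both functions
# below, so the iptables commands and the simulated chain walk cannot drift.
# Columns: target proto dport source; "any" is a wildcard. Values are constructed.
RULES='
ACCEPT tcp 22  192.0.2.10
ACCEPT tcp 80  any
ACCEPT tcp 443 any
ACCEPT any any 192.0.2.20
DROP   any any any
'

# Emit the iptables commands that implement RULES on the INPUT chain.
# Loopback and reply traffic are allowed first; they are not in the table
# because nearly every host needs them and they must precede the port rules.
# A dport other than "any" requires a proto of tcp or udp, as in iptables itself.
input_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    while read -r target proto dport src; do
        [ -z "$target" ] && continue
        cmd='iptables -A INPUT'
        [ "$proto" != any ] && cmd="$cmd -p $proto"
        [ "$dport" != any ] && cmd="$cmd --dport $dport"
        [ "$src"   != any ] && cmd="$cmd -s $src"
        # Log what the final deny catches, rate limited so it cannot flood syslog.
        if [ "$target" = DROP ]; then
            echo "$cmd -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
        fi
        echo "$cmd -j $target"
    done <<EOF
$RULES
EOF
}

# Walk RULES top to bottom for one packet and print "<rule#> <target>" for the
# first rule that matches; later rules are never consulted, exactly like a chain.
verdict() {
    p_proto=$1; p_port=$2; p_src=$3; n=0
    while read -r target proto dport src; do
        [ -z "$target" ] && continue
        n=$((n + 1))
        { [ "$proto" = any ] || [ "$proto" = "$p_proto" ]; } || continue
        { [ "$dport" = any ] || [ "$dport" = "$p_port" ]; } || continue
        { [ "$src"   = any ] || [ "$src"   = "$p_src"  ]; } || continue
        echo "$n $target"
        return 0
    done <<EOF
$RULES
EOF
}

case "${1:-}" in
    --rules) input_rules ;;
    --check) shift; verdict "$@" ;;   # e.g. --check tcp 22 203.0.113.5
esac
```

`sh chain.sh --rules` prints the chain; `sh chain.sh --check tcp 80 192.0.2.20` reports `2 ACCEPT` even though rule 4 would also have matched, which is the "packet stops going down the chain" behaviour, and `--check tcp 22 203.0.113.5` falls all the way to `5 DROP` because no allow rule fits.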
On 16.7.2011 19:03, Ljubomir Ljubojevic wrote:
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
This is complete nonsense! You are free to configure a default policy of accept and forbid only selected services.
-- Kind Regards, Markus
Markus Falb wrote:
On 16.7.2011 19:03, Ljubomir Ljubojevic wrote:
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
This is complete nonsense! You are free to configure a default policy of accept and forbid only selected services.
Please do not pull sentences out of context. Keith wrote:
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
and I replied in the sense that he only needs to turn his firewall ON to be secure. "by default" means exactly that, I was not writing about you being able to change *default* configuration!
If you turn firewall ON (in GUI for example, and especially in RHEL/CentOS ), without any allowed service, your system/network will be protected. If you do allow some services, the rest of the services on your system/network will be protected.
Ljubomir
On 16.7.2011 19:37, Ljubomir Ljubojevic wrote:
Markus Falb wrote:
On 16.7.2011 19:03, Ljubomir Ljubojevic wrote:
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
This is complete nonsense! You are free to configure a default policy of accept and forbid only selected services.
Please do not pull sentences out of context. Keith wrote:
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
and I replied in the sense that he only needs to turn his firewall ON to be secure. "by default" means exactly that, I was not writing about you being able to change *default* configuration!
If you turn firewall ON (in GUI for example, and especially in RHEL/CentOS ), without any allowed service, your system/network will be protected. If you do allow some services, the rest of the services on your system/network will be protected.
So now you are talking about turning firewall on yourself manually (in GUI for example) ? Uh, not my definition of default.
Anyway, the problem here might be that the term "default" is overloaded. You were talking of defaults in linux firewalls generally. Now you are talking about the default behaviour of some tools not further specified. I remember third party tools like shorewall being mentioned and there exist others like fwbuilder and possibly others that you and I never heard of and possibly with unheard-of default settings. But you could also refer to a "default install". With respect to RHEL/CentOS you are talking about anaconda only then.
With anaconda one can easily miss enabling the firewall. One could get hands on an already installed system. Imagine there is no iptables installed. How do you activate the firewall? Something like that?
# yum install iptables
# service iptables start
What have you now ? Nothing. Default policies (finally we have another meaning of default) with ACCEPT and no rules. One has to do rules himself. No defaults.
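A way to tell the two states apart that Markus and Ljubomir are arguing over, as an added example not from either post: the functions below read iptables-save output (the text format every iptables release can dump) and report, per chain, the policy and rule count, flagging the "ACCEPT policy and no rules" state that Markus describes as no firewall at all. The two filter-table samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether a box actually filters
# anything, from iptables-save text. Both samples below are constructed.

# "Nothing": default policies ACCEPT and no rules, the state Markus describes.
EMPTY_FILTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# A minimal real firewall: INPUT closed by policy, a few explicit allows.
CLOSED_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print "<chain> <policy> <rule count>" for INPUT and FORWARD of the filter
# table. Reads iptables-save text on stdin; nat/mangle tables are skipped.
filter_summary() {
    awk '
        /^\*/             { table = substr($1, 2); next }
        table != "filter" { next }
        /^:/              { chain = substr($1, 2); policy[chain] = $2; count[chain] += 0; next }
        /^-A /            { count[$2]++; next }
        END {
            for (c in policy)
                if (c == "INPUT" || c == "FORWARD")
                    printf "%s %s %d\n", c, policy[c], count[c]
        }' | sort
}

# Exit 0 when INPUT blocks something (a non-ACCEPT policy or at least one
# rule), exit 1 when it is the post-install "nothing" state.
filter_is_active() {
    filter_summary | awk '
        $1 == "INPUT" && ($2 != "ACCEPT" || $3 > 0) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Usage on a live system (root): iptables-save | sh audit.sh
# Usage against a saved copy:    sh audit.sh < /etc/sysconfig/iptables
if [ "${1:-}" = "--stdin" ]; then
    filter_summary
fi
```

On a CentOS box where the installer's firewall was enabled, INPUT carries a single `-j RH-Firewall-1-INPUT` jump and therefore counts as active; a box in the state Markus describes prints `INPUT ACCEPT 0` and `filter_is_active` returns 1. Note that a rule count above zero says only that something is filtered, not that the rules are any good.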
Markus Falb wrote:
On 16.7.2011 19:37, Ljubomir Ljubojevic wrote:
Markus Falb wrote:
On 16.7.2011 19:03, Ljubomir Ljubojevic wrote:
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
This is complete nonsense! You are free to configure a default policy of accept and forbid only selected services.
Please do not pull sentences out of context. Keith wrote:
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
and I replied in the sense that he only needs to turn his firewall ON to be secure. "by default" means exactly that, I was not writing about you being able to change *default* configuration!
If you turn firewall ON (in GUI for example, and especially in RHEL/CentOS ), without any allowed service, your system/network will be protected. If you do allow some services, the rest of the services on your system/network will be protected.
So now you are talking about turning firewall on yourself manually (in GUI for example) ? Uh, not my definition of default.
Anyway, the problem here might be that the term "default" is overloaded. You were talking of defaults in linux firewalls generally. Now you are talking about the default behaviour of some tools not further specified. I remember third party tools like shorewall being mentioned and there exist others like fwbuilder and possibly others that you and I never heard of and possibly with unheard-of default settings. But you could also refer to a "default install". With respect to RHEL/CentOS you are talking about anaconda only then.
With anaconda one can easily miss enabling the firewall. One could get hands on an already installed system. Imagine there is no iptables installed. How do you activate the firewall? Something like that?
# yum install iptables
# service iptables start
What have you now ? Nothing. Default policies (finally we have another meaning of default) with ACCEPT and no rules. One has to do rules himself. No defaults.
If you have no iptables, then you do not have firewall software either. How many beginners do you know that install with kickstart files? When you install CentOS manually, using default server template, you will get iptables and firewall (In GUI under System->Administration->Security level and Firewall). If you turn it ON, activate it, you will be protected, and you do not need to know iptables to *be* safe. Similar thing is on Fedora, Ubuntu/Mint and I guess Debian
That is what I call default firewall on default installation (just click next to accept default role of the system as "Server"). And just activating firewall (enabling it) will make your system secure.
If there is any other definition of default then "accepting offered option/setting", please enlighten me so I can learn new vocabulary.
Ljubomir
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list centos@centos.org From: Ljubomir Ljubojevic office@plnet.rs Subject: Re: [CentOS] firewall?
Keith Roberts wrote:
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, much more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls? which sounded quite scary.
All firewalls (on Linux at least) are by default closed, and you need knowledge to punch through the holes for your public services.
It's something like this:
Deny all (other) connections
then you add a few rules and it looks like this:
Allow service listening on port X
Allow service listening on port Y
Allow service listening on port Z
Allow service coming from IP A (and port W)
Allow service coming to IP B (and port U)
Deny all (other) connections
Packets are sent through the chain (of rules like the above) and when they hit some rule, the desired action is performed and that packet (mostly) stops going down the chain, so it does not hit the bottom rule. If a packet does not match any "allow" rule, then it will hit (one of) the deny rules and that connection will be terminated.
If you want an easy to understand firewall/router PC based on RHEL/CentOS try ClearOS, and if you want it *on* the CentOS I suggest you check shorewall.
www.shorewall.net is also an excellent site to learn about firewalls and routers in general, with lots of examples.
Thanks for that Ljubomir.
I have studied the IPtables docs, and actually have my own rules set up and running in place of the default IP4 & IP6 Centos rules. I did this mainly for logging purposes - all packet movements were logged to a file for later analysis.
I have turned off most firewall logging now, and I use Wireshark to watch packet movements in real time if I suspect there is a network problem. It's interesting to watch how packets move into and out of the eth0 interface.
Kind Regards,
Keith Roberts
----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
Keith Roberts wrote:
I read some time ago something about tunneling different protocols through firewalls, which sounded quite scary.
Depends on the tunneling protocol you use, and on what platform you are using.
For example, I use the vtund package (server-client schema) with a simple config to connect to my network with a "long LAN cable" going through the internet, giving me access to my fully routed network with dozens of routers/hops.
And only the server has to have a public IP with the vtund port open.
Once created, it will reconnect if the link is broken.
There is also OpenVPN, one of the more widely used protocols.
The only thing you need to watch for is routing, telling systems on both sides what subnets they can see on the other side of the link, but it is also part of the protocol config, or you can even use dynamic routing.
If you use standalone tunneling devices, setup boils down to configuring them via the web config by adding parameters.
Ljubomir
On Sat, 16 Jul 2011, Keith Roberts wrote:
To: CentOS mailing list centos@centos.org From: Keith Roberts keith@karsites.net Subject: Re: [CentOS] firewall?
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single-NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, many more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls, which sounded quite scary.
This is what I was referring to:
Data Driven Attacks Using HTTP Tunneling
"... HTTP Tunneling Example
HTTP tunneling can be used to access ports that are normally inaccessible from a network. Consider Figure 1 below. The attacker's host is shown on the left with the target systems on the right. The router at the edge has the following policies:"
http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunn...
Sounds a bit scary to me, as any website needs to have port 80 open to allow access to that website.
Kind Regards,
Keith Roberts
On Sat, 2011-07-16 at 23:43 +0100, Keith Roberts wrote:
Data Driven Attacks Using HTTP Tunneling
"... HTTP Tunneling Example
http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunn...
Sounds a bit scary to me, as any website needs to have port 80 open to allow access to that website.
Do not forget that Symantec is a commercial entity trying to make money (perhaps by scaring people?).
If you have a public web site, then your IPtables should let in traffic on ONLY the allocated IP address and port(s) defined in your Apache configuration file. Do not allow access from a range of IP addresses; allocate one IP address for your web site and enforce that both in IPtables and in the Apache configuration. Ditto port(s). If you are only using port 80, ensure all other ports are OFF or not allocated (Listen) in Apache. Allow in via IPtables one IP address and port 80.
If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard ports. Allocate a different IP address (if you have several) and use a non-web IP address for SSH and a different non-web IP address for phpmyadmin etc. WITH non-standard ports (you can go as high as about 64000). Also consider ONLY allowing access from predefined static IP addresses (under your control). Do not make it easy for the hackers. Give them a difficult time.
On Sun, Jul 17, 2011 at 12:03:52AM +0100, Always Learning wrote:
If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard ports. Allocate a different IP address (if you have several) and use a non-web IP address for SSH and a different non-web IP address for phpmyadmin etc. WITH non-standard ports (you can go as high as about 64000). Also consider ONLY allowing access from predefined static IP addresses (under your control). Do not make it easy for the hackers.
The reality of the situation is that attacks are in almost all cases non-targeted and are the results of automated scanning; playing security through obscurity tricks with IP addresses is as futile as attempting to herd kittens.
You should not be running ftp at all; ftp should be allowed to die off as it's insecure just as is any protocol that transits credentials on the wire in plaintext. ftps is better; sftp/scp/rsync is better still.
phpmyadmin is a recipe for tears of blood; moving ports is better than leaving it on 80/tcp, but better would be to not run it at all on a routable IP.
In the cases of a targeted attack the attacker(s) will find your services no matter what ports you have them hanging off of.
And TCP port numbers range from 0 to 65535.
John
On Sat, 2011-07-16 at 19:03 -0500, John R. Dennison wrote:
The reality of the situation is that attacks are in almost all cases non-targeted and are the results of automated scanning; playing security through obscurity tricks with IP addresses is as futile as attempting to herd kittens.
In reality the hackers never, in my experience, scan the entire port range of every IP address. They tend to choose the most likely ports, as my daily Logwatch reports continue to show (iptables logs attempts before dropping them).
You should not be running ftp at all; ftp should be allowed to die off as it's insecure just as is any protocol that transits credentials on the wire in plaintext. ftps is better; sftp/scp/rsync is better still.
Thanks for the tip. Access is restricted to 3 IPs. I'll investigate SFTP, SCP and Rsync.
phpmyadmin is a recipe for tears of blood; moving ports is better than leaving it on 80/tcp, but better would be to not run it at all on a routable IP.
It can be accessed only from 3 static IPs using https on a non-standard port and it is never in the same file hierarchy as web pages. Web pages are in their own 'root' structure and not in /var. Nothing private or sensitive can be accessed by http.
In the cases of a targeted attack the attacker(s) will find your services no matter what ports you have them hanging off of.
True. So far no one has bothered to target me, except for the annoying email spammers who never get past the defences.
And TCP port numbers range from 0 to 65535.
256^2
On Sun, 17 Jul 2011, Always Learning wrote:
If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard ports. Allocate a different IP address (if you have several) and use a non-web IP address for SSH and a different non-web IP address for phpmyadmin etc. WITH non-standard ports (you can go as high as about 64000). Also consider ONLY allowing access from predefined static IP addresses (under your control). Do not make it easy for the hackers. Give them a difficult time.
Running on non-default ports (especially high numbered ports) always strikes me as the wrong way of doing things. You've come out of the admin shelter of low ports meaning you're now vulnerable to local attacks - if I can make ftp (one of your examples) crash, I can potentially steal its port and run my own ftp server, stealing everyone's password if I have a local account. At the same time, you're still vulnerable to plenty of scanning attacks.
If you want accessible services to be accessible, I say make them accessible, and secure that service as much as you reasonably can.
If you want to restrict access to make it more secure, put them behind a VPN or other protection. That way you *really* get the security benefit that you wanted in the first place.
jh
On 7/19/11, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Sun, 17 Jul 2011, Always Learning wrote:
If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard ports. Allocate a different IP address (if you have several) and use a non-web IP address for SSH and a different non-web IP address for phpmyadmin etc. WITH non-standard ports (you can go as high as about 64000). Also consider ONLY allowing access from predefined static IP addresses (under your control). Do not make it easy for the hackers. Give them a difficult time.
Running on non-default ports (especially high numbered ports) always strikes me as the wrong way of doing things. You've come out of the admin shelter of low ports meaning you're now vulnerable to local attacks - if I can make ftp (one of your examples) crash, I can potentially steal its port and run my own ftp server, stealing everyone's password if I have a local account. At the same time, you're still vulnerable to plenty of scanning attacks.
If you want accessible services to be accessible, I say make them accessible, and secure that service as much as you reasonably can.
If you want to restrict access to make it more secure, put them behind a VPN or other protection. That way you *really* get the security benefit that you wanted in the first place.
jh _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Dear All
With respect to the references you gave me, I figured out to add the following line to my /etc/sysconfig/iptables :
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
Then I issued:
#service iptables restart
And now the windows machine can browse valid URLs. Thank you for your help.
I want to put more stuff on my centos 5.6 machine. To this end, I installed ultraedit, octave, gschem, shorewall on my centos 5.6 machine. But I don't see a one-to-one relationship between these applications and the ones I have on my windows machine. For example, octave does not have the same power as MATLAB on the windows machine, or Pspice on windows is more powerful than the one I have on my centos. Can you please let me know where powerful centos stuff for various purposes can be selected and installed from the internet?
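Ljubomir's description of the chain earlier in the thread (rules tried top to bottom, the first match decides, deny-all at the bottom), the single-IP/single-port advice for the web server, and the UDP 53 line hadi added can all be tried out without touching a live firewall. The Python below is an added example, not code from the thread or from the iptables project: it parses a constructed /etc/sysconfig/iptables fragment in the CentOS 5 RH-Firewall-1-INPUT layout and walks sample packets through it with first-match semantics. Hadi's `--dport 53` rule is in the fragment verbatim; the web server address 192.0.2.10, the admin address 198.51.100.7, the port 80/22 rules and the sample packets are assumptions for the demo. Because the FORWARD chain in that layout also jumps to RH-Firewall-1-INPUT, the same rule governs traffic the box forwards for the Windows node, which is why one INPUT-style line was enough.

```python
"""Added example (not from the thread): a toy first-match evaluator for a
CentOS 5 style /etc/sysconfig/iptables fragment.  It never calls iptables;
it models the traversal described in the thread: rules are tried top to
bottom, the first matching terminal rule decides, and a packet matching no
ACCEPT rule falls through to the REJECT at the bottom."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed fragment in the RH-Firewall-1-INPUT layout.  The "--dport 53"
# line is the one hadi added.  The web server address 192.0.2.10, the admin
# address 198.51.100.7 and the port 80/22 rules are assumptions for the demo.
SAMPLE_RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 192.0.2.10 --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 198.51.100.7 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    iface: str = "eth0"
    state: str = "NEW"    # conntrack state as the state match would see it


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None     # address or CIDR, as given after -s
    dst: Optional[str] = None     # address or CIDR, as given after -d
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: Optional[set] = None

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return ((self.proto is None or self.proto == pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.states is None or pkt.state in self.states))


# Single-argument options copied straight into a Rule field.
SETTERS = {"-A": "chain", "-j": "target", "-p": "proto", "-s": "src", "-d": "dst", "-i": "iface"}


def parse_rules(text: str):
    """Return (policies, chains) from iptables-save style text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                 # chain declaration with its policy
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks, rule, i = shlex.split(line), Rule(chain="", target=""), 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]     # every option used here takes one argument
            if opt in SETTERS:
                setattr(rule, SETTERS[opt], arg)
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "--state":
                rule.states = set(arg.split(","))
            elif opt not in ("-m", "--reject-with"):   # module names do not affect matching here
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            i += 2
        chains.setdefault(rule.chain, []).append(rule)
    return policies, chains


def walk(chain: str, pkt: Packet, policies, chains) -> Optional[str]:
    """First-match traversal; None means the packet fell off the end of a user chain."""
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target                   # packet stops here; lower rules are never consulted
        result = walk(rule.target, pkt, policies, chains)   # jump into a user-defined chain
        if result is not None:
            return result
    return policies.get(chain)                   # built-in chain policy, or None for user chains


def verdict(pkt: Packet, text: str = SAMPLE_RULES) -> str:
    policies, chains = parse_rules(text)
    return walk("INPUT", pkt, policies, chains)


if __name__ == "__main__":
    # Constructed sample packets: the Windows node's DNS query, web traffic to the
    # right and to the wrong destination address, SSH from an allowed and from a
    # random source, and an unsolicited connection to a high port.
    for p in [Packet("udp", "192.168.1.20", "192.168.1.1", 53),
              Packet("tcp", "203.0.113.5", "192.0.2.10", 80),
              Packet("tcp", "203.0.113.5", "192.0.2.11", 80),
              Packet("tcp", "198.51.100.7", "192.0.2.10", 22),
              Packet("tcp", "203.0.113.5", "192.0.2.10", 22),
              Packet("tcp", "203.0.113.5", "192.0.2.10", 40000)]:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport:<5} {verdict(p)}")
```

The wrong-destination web packet and the SSH attempt from an unlisted source both reach the final REJECT, which is the behaviour the single-IP advice relies on. Note that hadi's rule accepts UDP only: DNS answers too large for UDP are retried over TCP 53, and this rule set still rejects those.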
On Tue, 19 Jul 2011, hadi motamedi wrote:
Dear All
With respect to the references you gave me, I figured out to add the following line to my /etc/sysconfig/iptables :
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
Then I issued:
#service iptables restart
And now the windows machine can browse valid URLs. Thank you for your help.
I want to put more stuff on my centos 5.6 machine. To this end, I installed ultraedit, octave, gschem, shorewall on my centos 5.6 machine. But I don't see a one-to-one relationship between these applications and the ones I have on my windows machine. For example, octave does not have the same power as MATLAB on the windows machine, or Pspice on windows is more powerful than the one I have on my centos. Can you please let me know where powerful centos stuff for various purposes can be selected and installed from the internet?
So you've installed Octave but it's not as powerful as MATLAB on windows. I know this is crazy talk, but have you tried MATLAB on CentOS?
There is no one-to-one relationship between applications on one OS and on another.
Keep googling.
jh
On 7/19/11, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Tue, 19 Jul 2011, hadi motamedi wrote:
Dear All
With respect to the references you gave me, I figured out to add the following line to my /etc/sysconfig/iptables :
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
Then I issued:
#service iptables restart
And now the windows machine can browse valid URLs. Thank you for your help.
I want to put more stuff on my centos 5.6 machine. To this end, I installed ultraedit, octave, gschem, shorewall on my centos 5.6 machine. But I don't see a one-to-one relationship between these applications and the ones I have on my windows machine. For example, octave does not have the same power as MATLAB on the windows machine, or Pspice on windows is more powerful than the one I have on my centos. Can you please let me know where powerful centos stuff for various purposes can be selected and installed from the internet?
So you've installed Octave but it's not as powerful as MATLAB on windows. I know this is crazy talk, but have you tried MATLAB on CentOS?
There is no one-to-one relationship between applications on one OS and on another.
Keep googling.
jh
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos'? Or if Pspice for centos does not exist, so we must search for 'Electronics circuit schematics editor and simulator for centos'? Is there any reference site where we can select centos applications with respect to their functionality definition and not just the application name?
On 7/19/11 11:07 PM, hadi motamedi wrote:
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos'? Or if Pspice for centos does not exist, so we must search for 'Electronics circuit schematics editor and simulator for centos'? Is there any reference site where we can select centos applications with respect to their functionality definition and not just the application name?
Not very much software is Centos-specific, but anything that runs on Red Hat Enterprise versions should work on the corresponding Centos version, including the things in third party 'EL' rpm repositories and commercial products (like Matlab...).
The biggest searchable, up to date collection of open source software project descriptions is probably http://freshmeat.net, but once you locate an interesting project you might want to see if you can find an RPM-packaged version at EPEL, rpmforge, etc. for easy installation and updates instead of trying to build from source yourself.
And you might like 'R' as an alternative to octave or matlab.
Les Mikesell wrote:
The biggest searchable, up to date collection of open source software project descriptions is probably http://freshmeat.net, but once you locate an interesting project you might want to see if you can find an RPM-packaged version at EPEL, rpmforge, etc. for easy installation and updates instead of trying to build from source yourself.
I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
Fedora 5 version should be good for CentOS 5, and Fedora 12 package for CentOS 6.
Link for Fedora 5 package: http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/
Ljubomir Ljubojevic wrote:
Les Mikesell wrote:
<snip>
I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
<snip> Couple problems: first, it *is* COTS, and if you live in a country that cares, you could be in steep legal trouble. Second, MATLAB uses a license server; if you don't have a license, you can't use it.
mark
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:
I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
Valid.
It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
Fedora 5 version should be good for CentOS 5, and Fedora 12 package for CentOS 6.
Link for Fedora 5 package: http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/
Not in any way sensible, so don't go anywhere near this.
This just looks like an indexed internal directory at a university full of packages you're really unlikely to want to install. It's old commercial software that won't work without a license. Matlab installs just fine on CentOS from the direct download from Mathworks. Packaging it up is also trivial.
jh
John Hodrien wrote:
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:
I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
Valid.
It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
Fedora 5 version should be good for CentOS 5, and Fedora 12 package for CentOS 6.
Link for Fedora 5 package: http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/
Not in any way sensible, so don't go anywhere near this.
This just looks like an indexed internal directory at a university full of packages you're really unlikely to want to install. It's old commercial software that won't work without a license. Matlab installs just fine on CentOS from the direct download from Mathworks. Packaging it up is also trivial.
OK.
If it needs a license, what would be the harm if you install a (newer) version from the rpm? Their source RPM is actually a nosrc.rpm, so they just package it for easier install. I was assuming this when I suggested the packages.
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:
OK.
If it needs a license, what would be the harm if you install a (newer) version from the rpm? Their source RPM is actually a nosrc.rpm, so they just package it for easier install. I was assuming this when I suggested the packages.
What I meant was, those were old RPMs. You'd buy a license and either install using the installer, or package up your own RPM. You wouldn't go near those.
jh
On Wed, 20 Jul 2011 08:37:23 +0430 hadi motamedi motamedi24@gmail.com wrote:
On 7/19/11, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Tue, 19 Jul 2011, hadi motamedi wrote:
centos. Can you please let me know where powerful centos stuffs for various purposes can be selected and installed from the internet?
I find http://alternativeto.net/ useful now and then ...
On Wed, 20 Jul 2011, hadi motamedi wrote:
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos'? Or if Pspice for centos does not exist, so we must search for 'Electronics circuit schematics editor and simulator for centos'? Is there any reference site where we can select centos applications with respect to their functionality definition and not just the application name?
Stop googling for CentOS. If you're looking for commercial packages, they'll either claim to support Redhat or just linux, but they're very unlikely to mention CentOS.
But this problem isn't linux specific. How do you find matlab-like software for windows?
jh
On 7/20/11, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Wed, 20 Jul 2011, hadi motamedi wrote:
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos'? Or if Pspice for centos does not exist, so we must search for 'Electronics circuit schematics editor and simulator for centos'? Is there any reference site where we can select centos applications with respect to their functionality definition and not just the application name?
Stop googling for CentOS. If you're looking for commercial packages, they'll either claim to support Redhat or just linux, but they're very unlikely to mention CentOS.
But this problem isn't linux specific. How do you find matlab-like software for windows?
jh
You are right. But here, people use windows more than Linux. So hearing about MATLAB for windows comes naturally. I need to switch completely to my centos, so I need to do everything with my centos as I did on my windows. It sounds a little bit hard to find a one-to-one exact match between the applications on windows and their equivalents on centos. Isn't it?
On Wed, 20 Jul 2011, hadi motamedi wrote:
You are right. But here, people use windows more than Linux. So hearing about MATLAB for windows comes naturally. I need to switch completely to my centos, so I need to do everything with my centos as I did on my windows. It sounds a little bit hard to find a one-to-one exact match between the applications on windows and their equivalents on centos. Isn't it?
In the case of matlab it's very easy: matlab.
In the case of other specialist software, the point is every bit of software is different. If you know an exact bit of software meets your needs, you are the person best placed to know why. The rest of it is a case of searching google/yum/freshmeat using your domain specific knowledge as to exactly what you need.
It would be exactly the same ball game if you were switching to using an Apple, or indeed if Mathworks stopped selling matlab on windows.
jh
On Wed, 20 Jul 2011, hadi motamedi wrote:
*snip*
So you've installed Octave but it's not as powerful as MATLAB on windows. I know this is crazy talk, but have you tried MATLAB on CentOS?
There is no one-to-one relationship between applications on one OS and on another.
Hi Hadi.
If you are looking for Electronics and EDA things, why not take a look at the FEL - Fedora Electronics Lab spin:
http://spins.fedoraproject.org/fel/#downloads
You can d/l the FEL Live CD iso from here:
http://archive.nl.eu.kernel.org/fedora-alt/spins/linux/releases/14/Spins/i68...
HTH
Keith Roberts
On Wed, Jul 20, 2011 at 08:37:23AM +0430, hadi motamedi wrote: ...
If we cannot find the exact application name for centos, say MATLAB for centos does not exist
If you purchased your matlab for windows, I am sure that your software vendor is able to quote you a linux version. Have you looked at http://www.mathworks.com/products/matlab/requirements.html
Tru
On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos' ?
MATLAB stands for *matrix* laboratory, not mathematics. See
http://en.wikipedia.org/wiki/MATLAB
Searching for MATLAB on CentOS is too naive. Rather, you just want to keep in mind that CentOS is binary-compatible with RHEL, go to the MATLAB website and find out that there is a supported version for RHEL:
http://www.mathworks.com/support/sysreq/current_release/linux.html
It costs about 2000 USD for a basic standalone installation (btw, the price is the same for Linux, Windows and Mac).
The functionality of MATLAB for CentOS is completely equivalent to the one on Windows. There is no alternative (free or otherwise) version which will provide equivalent functionality. That said, there are alternative apps which are equivalently powerful, but there are always differences.
HTH, :-) Marko
Marko Vojinovic wrote:
On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
If we cannot find the exact application name for centos, say MATLAB for centos does not exist, so we must search for 'Mathematics laboratory for centos' ?
MATLAB stands for *matrix* laboratory, not mathematics. See
http://en.wikipedia.org/wiki/MATLAB
Searching for MATLAB on CentOS is too naive. Rather, you just want to keep in mind that CentOS is binary-compatible with RHEL, go to the MATLAB
<snip> I'll guarantee that it runs just fine under CentOS. We have several installs running.
mark
From: hadi motamedi motamedi24@gmail.com
centos. Can you please let me know where powerful centos stuffs for various purposes can be selected and installed from the internet?
Hum... "powerful stuff for various purposes" is usually mysterious secret knowledge handed from masters to disciples... Do you think you could handle such powerful stuff...?!?
JD
On 7/19/11, John Doe jdmls@yahoo.com wrote:
From: hadi motamedi motamedi24@gmail.com
centos. Can you please let me know where powerful centos stuffs for various purposes can be selected and installed from the internet?
Hum... "powerful stuff for various purposes" is usually mysterious secret knowledge handed from masters to disciples... Do you think you could handle such powerful stuff...?!?
JD
Sorry for not being specific in the question. I mean engineering centos stuff with one-to-one relationship for windows ones like Visual C , MATLAB , Pspice , etc. ?
Keith Roberts wrote:
On Sat, 16 Jul 2011, Keith Roberts wrote:
To: CentOS mailing list centos@centos.org From: Keith Roberts keith@karsites.net Subject: Re: [CentOS] firewall?
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I wrote about "physical presence *outside* of your network", like if you are on a large WISP that uses a bridged network (bad design) and your wireless client is bridged, and you have a single-NIC firewall in place, the entire WISP's network will be able to sniff your traffic and hack into unprotected workstations/desktops. And there are those scenarios, many more than you can think.
Which is why one poster mentioned that you need to be familiar with IPtables and Networking before trying to make your machine(s) network(s) secure?
I read some time ago something about tunneling different protocols through firewalls, which sounded quite scary.
This is what I was referring to:
Data Driven Attacks Using HTTP Tunneling
"... HTTP Tunneling Example
HTTP tunneling can be used to access ports that are normally inaccessible from a network. Consider Figure 1 below. The attacker's host is shown on the left with the target systems on the right. The router at the edge has the following policies:"
http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunn...
Sounds a bit scary to me, as any website needs to have port 80 open to allow access to that website.
That example is based on the premise that the attacker will exploit an existing security bug/hole to gain access to the system. And they refer in that article to IIS (Micro$oft web server, with holes like swiss cheese).
If you check the frequency of Apache (httpd) security bugs on CentOS 5.x, I think you will see several Denial Of Service bugs, but only one or two that would allow code execution. And bug reports for Apache are made to a secure mailing list, so the rest of the world is not aware of them until they are already fixed.
So I would not be overly concerned about HTTP tunneling attacks.
Ljubomir
On Sun, 17 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
I read some time ago something about tunneling different protocols through firewalls, which sounded quite scary.
This is what I was referring to:
Data Driven Attacks Using HTTP Tunneling
"... HTTP Tunneling Example
HTTP tunneling can be used to access ports that are normally inaccessible from a network. Consider Figure 1 below. The attacker's host is shown on the left with the target systems on the right. The router at the edge has the following policies:"
http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunn...
Sounds a bit scary to me, as any website needs to have port 80 open to allow access to that website.
That example is based on the premise that the attacker will exploit an existing security bug/hole to gain access to the system. And they refer in that article to IIS (Micro$oft web server, with holes like swiss cheese).
If you check the frequency of Apache (httpd) security bugs on CentOS 5.x, I think you will see several Denial Of Service bugs, but only one or two that would allow code execution. And bug reports for Apache are made to a secure mailing list, so the rest of the world is not aware of them until they are already fixed.
So I would not be overly concerned about HTTP tunneling attacks.
OK thanks for that advice Ljubomir.
Kind Regards,
Keith
On 07/17/11 1:24 AM, Ljubomir Ljubojevic wrote:
If you check the frequency of Apache (httpd) security bugs on CentOS 5.x, I think you will see several Denial Of Service bugs, but only one or two that would allow code execution. And bug reports for Apache are made to a secure mailing list, so the rest of the world is not aware of them until they are already fixed.
So I would not be overly concerned about HTTP tunneling attacks.
most successful exploits of 'nix web servers involve poorly implemented user code, such as exploitable PHP, perl cgi, etc, things that allow sql insertion attacks, etc etc.
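The "poorly implemented user code" in the post above usually has one shape: request input spliced into a query string. As an added example (not code from the thread; Python with the standard sqlite3 module against a constructed in-memory table), here is a login lookup written that way next to the parameterized form. The table contents, the `users` schema and the crafted input are constructed for the demo; comparing a stored hash inside the query is a simplification so the two versions differ only in how input reaches SQL.

```python
"""Added example: the same login check built by string concatenation and
with bound parameters, run against a constructed in-memory SQLite table.
Not code from the thread."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: one user with a placeholder password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # BUG: input becomes part of the SQL text, so a quote in the input ends the
    # string literal and the rest of the input is parsed as SQL.
    query = (f"SELECT COUNT(*) FROM users "
             f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return db.execute(query).fetchone()[0] > 0


def login_safe(db: sqlite3.Connection, name: str, pw_hash: str) -> bool:
    # The driver binds the values; whatever the input contains, it is compared
    # as data and never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(query, (name, pw_hash)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions on a valid login and on a constructed tautology input."""
    db = make_db()
    crafted = "' OR '1'='1"   # constructed: closes the literal, appends an always-true clause
    return {
        "vulnerable_accepts_crafted": login_vulnerable(db, crafted, crafted),
        "vulnerable_accepts_valid": login_vulnerable(db, "alice", "hash-of-alice-pw"),
        "safe_rejects_crafted": login_safe(db, crafted, crafted),
        "safe_accepts_valid": login_safe(db, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28s} {outcome}")
```

The vulnerable version answers "logged in" for the crafted input because the WHERE clause collapses to a tautology; the parameterized version simply looks for a user literally named `' OR '1'='1` and finds none. The fix is the query shape, not input filtering on top of the concatenation.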
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list centos@centos.org From: Ljubomir Ljubojevic office@plnet.rs Subject: Re: [CentOS] firewall?
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as firewall for the network, facing outside of the local network. There were people who would bring public (or semi-public, from ISP) IP to the switch and then hook up all PC's to that switch and use 2 subnets, one that ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. But if you have proper firewall rules in place to block incoming traffic from the public IP going to the private IP then it's very safe.
You are looking only at the safety of the server, not the whole network.
In case of ADSL modems *with NAT-ing* you already have a firewall in the form of the ADSL modem, and you are safe.
That's exactly how my Thompson ADSL router works. By default it blocks any connections coming in from the outside internet IP address.
To open a port I have to log in to the router, and create a NAPT rule that links an outside port to a machine and port on the LAN side of the router.
I did have port 80 NAPT's this way, but now I have removed that rule, as my websites are hosted on a cloud in a proper data center.
So what with the router firewall and then the Linux Kernel IPtables packet filtering firewall, I actually have two firewalls running?
For checking open/closed ports from the outside, I go to www.grc.com and let their machine do a 'Shields Up' scan of my machine.
Kind Regards,
Keith Roberts
Keith Roberts wrote:
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list centos@centos.org From: Ljubomir Ljubojevic office@plnet.rs Subject: Re: [CentOS] firewall?
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as firewall for the network, facing outside of the local network. There were people who would bring public (or semi-public, from ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe. But if you have proper firewall rules in place to block incoming traffic from the public IP going to the private IP then it's very safe.
You are looking only at the safety of the server, not the whole network.
In case of ADSL modems *with NAT-ing* you already have a firewall in the form of the ADSL modem, and you are safe.
That's exactly how my Thompson ADSL router works. By default it blocks any connections coming in from the outside internet IP address.
To open a port I have to login to the router, and create a NAPT rule that links an outside port to a machine and port on the LAN side of the router.
I did have port 80 NAPT'ed this way, but now I have removed that rule, as my websites are hosted on a cloud in a proper data center.
So what with the router firewall and then the Linux Kernel IPtables packet filtering firewall, I actually have two firewalls running?
Yes, if the ADSL router does firewalling (LAN side has private IP) without any port redirection, then you do not need any other firewall, except if you have sensitive data and an open or weak (WEP) wireless AP/router.
Ljubomir
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
*snip*
So what with the router firewall and then the Linux Kernel IPtables packet filtering firewall, I actually have two firewalls running?
Yes, if the ADSL router does firewalling (LAN side has private IP) without any port redirection, then you do not need any other firewall, except if you have sensitive data and an open or weak (WEP) wireless AP/router.
OK. Thank you for confirming that Ljubomir.
Kind Regards,
Keith Roberts
On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
To: CentOS mailing list centos@centos.org From: Ljubomir Ljubojevic office@plnet.rs Subject: Re: [CentOS] firewall?
Keith Roberts wrote:
So I guess I could configure my single NIC Centos 5.6 machine connected to a 4 port ADSL router to act as the external Gateway for other machine on the LAN side of the router, possibly using NAPT on the Centos box?
Yes, you can do that. You can also use it as a proxy server.
When I said "firewall", I meant as firewall for the network, facing outside of the local network. There were people who would bring public (or semi-public, from ISP) IP to the switch and then hook up all PCs to that switch and use 2 subnets, one that ISP provided and one for the local LAN, all on the same switch, to save on hardware. That is not safe and not wise.
Having a firewall, as software, running on the PC/server is good practice, sometimes even in the local environment, if you use it in a network that "external" people will hook up their PCs to and you have important data on it. Rare cases, but they do exist. Better safe than sorry.
OK. Thanks for confirming that Ljubomir!
Regards,
Keith
On 7/16/11, Fajar Priyanto fajarpri@arinet.org wrote:
Do this:
- Make sure your CentOS box has two network cards: one connected to the internet, one to the local LAN. Make sure the CentOS box can already browse the internet. Example: internet: eth0 192.168.1.1, local: eth1 192.168.2.1
- Activate IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Run sysctl -p to reload the new setting
- Type this iptables command to share internet:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- Set your Windows box to use 192.168.2.1 as its default gateway.
Don't forget to give it DNS too, like 8.8.8.8
- I'd suggest you join your Linux Local User Group to have more help.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
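The steps in Fajar's post, together with the point made earlier in the thread that NAT alone is not enough and you want rules that block incoming traffic from the public side to the private side, can be written down as one reviewable script. This is an added example, not code from the thread or from any CentOS project: it prints the sysctl and iptables commands for a two-NIC gateway rather than running them, so they can be inspected (and checked) before being applied as root. Interface names and the LAN subnet are assumed from the post's example (eth0 = internet, eth1 = LAN 192.168.2.0/24); the helper function name is my own.

```shell
#!/bin/sh
# Added example (not from the thread): emit the commands that turn a two-NIC
# CentOS 5 box into a NAT gateway, following the steps in the post above, with
# FORWARD rules so that only LAN-originated connections cross to the WAN side.
# Assumed from the post's example: eth0 = internet, eth1 = LAN 192.168.2.0/24.
#
# Nothing here touches the kernel. Review the output, then apply it as root:
#     sh gateway.sh --print | sh
# To survive a reboot on CentOS 5, add "net.ipv4.ip_forward = 1" to
# /etc/sysctl.conf (reload with "sysctl -p") and run "service iptables save",
# which writes the live rules to /etc/sysconfig/iptables.

# Print the rule set for the given WAN interface, LAN interface and LAN subnet.
gateway_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Review helper: does a rule set (as printed above) keep FORWARD closed to
# new connections arriving on the WAN interface?  Prints "yes" when the chain
# policy is DROP and no ACCEPT rule enters from the WAN side without the
# ESTABLISHED,RELATED state match; otherwise prints "no".
forward_blocks_inbound() {
    rules="$1"; wan="$2"
    printf '%s\n' "$rules" | grep -q '^iptables -P FORWARD DROP$' || { echo no; return 0; }
    if printf '%s\n' "$rules" | grep -- "-A FORWARD -i $wan" \
            | grep -v 'ESTABLISHED,RELATED' | grep -q ACCEPT; then
        echo no
    else
        echo yes
    fi
}

# Only print when asked, so sourcing the file defines the functions and nothing else.
if [ "${1:-}" = "--print" ]; then
    gateway_rules "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_NET:-192.168.2.0/24}"
fi
```

The FORWARD chain is flushed first because the stock CentOS 5 rule set ends that chain with a REJECT, and rules appended after it would never match. Note also the symptom Hadi reports later in the thread (the Windows box can ping an outside address but cannot resolve names): the generic LAN-to-WAN ACCEPT rule above already passes DNS on UDP/TCP 53, so the thing to check is that the resolver configured on the Windows box is actually reachable through the gateway, and that the gateway itself can resolve names.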
Thank you very much for your help. Right now, I have put my windows machine behind my centos 5.6 firewall server with just one NIC. The windows machine can ping 192.9.9.3 but it cannot browse the Internet (e.g. connect to Google). I have set its DNS too. Can you please let me know what step is missing? Thank you
On Mon, Jul 18, 2011 at 12:24:02AM -0400, hadi motamedi wrote:
Thank you very much for your help. Right now, I have put my windows machine behind my centos 5.6 firewall server with just one NIC. The windows machine can ping 192.9.9.3 but it cannot browse the Internet (e.g. connect to Google). I have set its DNS too. Can you please let me know what step is missing?
No.
It's about time you started doing something on your own.
Either learn how to manage your own systems or those that you are being paid to manage or going to school to manage or pay someone competent to do it for you.
Stop misusing this list. We are not here to solve your issues.
If you want to consider private consultation please contact me off list for my rates and payment methods. I'm sure there are any number of other list members that would also be willing to solve your problems at their normal per diem rates as well.
Note to everyone else: STOP spoon-feeding him.
John
On 7/18/11, John R. Dennison jrd@gerdesas.com wrote:
On Mon, Jul 18, 2011 at 12:24:02AM -0400, hadi motamedi wrote:
Thank you very much for your help. Right now, I have put my windows machine behind my centos 5.6 firewall server with just one NIC. The windows machine can ping 192.9.9.3 but it cannot browse the Internet (e.g. connect to Google). I have set its DNS too. Can you please let me know what step is missing?
No.
It's about time you started doing something on your own.
Either learn how to manage your own systems or those that you are being paid to manage or going to school to manage or pay someone competent to do it for you.
Stop misusing this list. We are not here to solve your issues.
If you want to consider private consultation please contact me off list for my rates and payment methods. I'm sure there are any number of other list members that would also be willing to solve your problems at their normal per diem rates as well.
Note to everyone else: STOP spoon-feeding him.
John
-- There are men -- now in power in this country -- who do not respect dissent, who cannot cope with turmoil, and who believe that the people of America are ready to support repression as long as it is done with a quiet voice and a business suit.
John V. Lindsay (1921-2000), US politician, Congressman, Mayor of New York City
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
On 7/17/11, hadi motamedi motamedi24@gmail.com wrote:
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
This one is great:
Cody Jackson
On Sun, 2011-07-17 at 22:17 -0700, Cody Jackson wrote:
On 7/17/11, hadi motamedi motamedi24@gmail.com wrote:
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
This one is great:
Which option do you suggest? 'Google Search' or 'I'm Feeling Lucky'?
On 7/18/11, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
Try ubuntu-users@lists.ubuntu.com
They always have spoon and milk powder ready and then some.
It is very hard for me to miss technical support from you gentlemen and centos experts. Please let me just listen to the list. Thank you again
On Monday, July 18, 2011 01:30 PM, hadi motamedi wrote:
On 7/18/11, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
Try ubuntu-users@lists.ubuntu.com
They always have spoon and milk powder ready and then some.
It is very hard for me to miss technical support from you gentlemen and centos experts. Please let me just listen to the list. Thank you again
Why don't you just buy a book, read it, experiment on a spare computer? You can listen all you like but it will do you squat unless you actually try and think about why you have been given a certain command or piece of advice. It will forever be just 'theory'.
On 7/18/11, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
On Monday, July 18, 2011 01:30 PM, hadi motamedi wrote:
On 7/18/11, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:
Thank you very much for your reply. Can you please let me know what is the centos mailing list for basic users like me?
Try ubuntu-users@lists.ubuntu.com
They always have spoon and milk powder ready and then some.
It is very hard for me to miss technical support from you gentlemen and centos experts. Please let me just listen to the list. Thank you again
Why don't you just buy a book, read it, experiment on a spare computer? You can listen all you like but it will do you squat unless you actually try and think about why you have been given a certain command or piece of advice. It will forever be just 'theory'.
Thank you for your help. I learned a lot from your post that enabled me to share Internet connection on my centos 5.6 machine. Right now, the windows machine is behind the centos firewall and it can even ping 192.9.9.3 but just cannot resolve the url (even with DNS set for it). I just need to know how to give it Internet service?
On Mon, Jul 18, 2011 at 11:12 AM, hadi motamedi motamedi24@gmail.com wrote:
Thank you for your help. I learned a lot from your post that enabled me to share Internet connection on my centos 5.6 machine. Right now, the windows machine is behind the centos firewall and it can even ping 192.9.9.3 but just cannot resolve the url (even with DNS set for it). I just need to know how to give it Internet service?
search for keywords "linux routing" and "linux ip forwarding" and you will find umpteen sites with answers to your problem.
As suggested by others, budget a cheap NIC and keep Internet and LAN on two separate physical NICs. That would be the minimum best practice.
Another piece of advice. Follow the RERERE [1] method to learn Linux administration. By the third you will get it right (that has been my experience).
Visit www.tldp.org. You will find several "full length" books on Linux system/network admin as well as "how-tos". Pick the one that meets your scenario, read the material and experiment. That is the best way to learn. BTW you can do this by installing VirtualBox either in Linux or Windows. With VBox you can set up small networks, all in a virtual environment. You can experiment and learn from them. VBox is well documented.
For Linux networking, the book by Olaf Kirch and Terry Dawson [2] is a classic. CentOS/RHEL docs are also very comprehensive with theory and examples.
When you get stuck on any implementation then ask specific questions - I tried this "blah blah" found it in this "xyz reference" and I am stuck on this point.
From your posts it does not look like you have tried to do any research. The culture in FOSS mailing lists/forums is to help those who try to help themselves; otherwise opt for commercial support.
[1] Read Experiment .... [2] http://www.tldp.org/LDP/nag2/nag2.pdf
On Sat, Jul 16, 2011 at 02:56:59PM +0430, hadi motamedi wrote:
Thank you for your help. I tried to get it as 'yum install webadmin*' but unsuccessful. Can you please confirm if the spelling is correct?
Are we really going to go down this beaten path yet again? Have you learned nothing during your hiatus from this list? Have you learned nothing from your past history on this list? This is an enterprise distribution, some thinking really is required. And this doesn't mean others doing the thinking for you.
Can you at least _try_ to be self-reliant? Can you at least _try_ and use google and other resources that you've been pointed to in the past?
Can you please _try_ to not ask this list to do your job for you? If you have specific questions after showing that you've done at least a modicum of research on your own is one thing; being fully reliant on the volunteers on this list is another.
At least _try_.
John
On Sat, Jul 16, 2011 at 7:12 PM, John R. Dennison jrd@gerdesas.com wrote:
Can you at least _try_ to be self-reliant? Can you at least _try_ and use google and other resources that you've been pointed to in the past?
Can you please _try_ to not ask this list to do your job for you? If you have specific questions after showing that you've done at least a modicum of research on your own is one thing; being fully reliant on the volunteers on this list is another.
Yeah, some like to find the easiest the shortest the least effort way :)
On Sat, Jul 16, 2011 at 07:14:09PM +0800, Fajar Priyanto wrote:
Yeah, some like to find the easiest the shortest the least effort way :)
There is a history of Hadi misusing this list; this is by no means the first time.
John
On Sat, Jul 16, 2011 at 3:56 PM, hadi motamedi motamedi24@gmail.com wrote:
On 7/16/11, SZ Quadri sz@quadri.in wrote:
You can use pretty standard tools: iptables etc. You just need a minimum server install with maybe some web based GUI to manage the box from other machines. You can have a look at webmin (www.webmin.com) which offers a nice web interface and is popular in the hosting industry as a free admin web UI.
- SZQ
On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamedi24@gmail.com wrote:
Dear All I need to put my centos 5.6 server as firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff do I need to put on my centos server? Thank you
Thank you for your help. I tried to get it as 'yum install webadmin*' but unsuccessful. Can you please confirm if the spelling is correct?
By webadmin, I think you mean webmin. As far as I know, Webmin is not included in the default repos. However, you can add the webmin repo yourself using the instructions given on the http://www.webmin.com/rpm.html page. Check under the section "Using the Webmin YUM repository".
- SZ Quadri
hadi motamedi wrote:
Dear All I need to put my centos 5.6 server as firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff do I need to put on my centos server? Thank you
You might be interested in shorewall[1]. It has a config file and extensive documentation. You tell it what you want and all iptables rules are automatically set. It also has a webmin module. There are RPMs for CentOS 5 but I think they would be OK also on CentOS 6.
[1]: http://www.shorewall.net/
Ljubomir
On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
You might be interested in shorewall[1]. It has a config file and extensive documentation. You tell it what you want and all iptables rules are automatically set. It also has a webmin module. There are RPMs for CentOS 5 but I think they would be OK also on CentOS 6.
Hadi, With all the suggestions, I believe it's enough to get you going. iptables, shorewall, webmin.
All you have got to do now is to google around using those keywords, and start learning by yourself. Google has everything.
Fajar Priyanto wrote:
On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
You might be interested in shorewall[1]. It has a config file and extensive documentation. You tell it what you want and all iptables rules are automatically set. It also has a webmin module. There are RPMs for CentOS 5 but I think they would be OK also on CentOS 6.
Hadi, With all the suggestions, I believe it's enough to get you going. iptables, shorewall, webmin.
All you have got to do now is to google around using those keywords, and start learning by yourself. Google has everything.
I agree. No more free ride...
Ljubomir
On Sat, Jul 16, 2011 at 1:18 PM, Fajar Priyanto fajarpri@arinet.org wrote:
On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
You might be interested in shorewall[1]. It has a config file and extensive documentation. You tell it what you want and all iptables rules are automatically set. It also has a webmin module. There are RPMs for CentOS 5 but I think they would be OK also on CentOS 6.
Hadi, With all the suggestions, I believe it's enough to get you going. iptables, shorewall, webmin.
All you have got to do now is to google around using those keywords, and start learning by yourself. Google has everything.
But, sadly google can't teach someone to start making their own choices or to think for themselves
Rudi Ahlers wrote:
On Sat, Jul 16, 2011 at 1:18 PM, Fajar Priyanto fajarpri@arinet.org wrote:
On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
You might be interested in shorewall[1]. It has a config file and extensive documentation. You tell it what you want and all iptables rules are automatically set. It also has a webmin module. There are RPMs for CentOS 5 but I think they would be OK also on CentOS 6.
Hadi, With all the suggestions, I believe it's enough to get you going. iptables, shorewall, webmin.
All you have got to do now is to google around using those keywords, and start learning by yourself. Google has everything.
But, sadly google can't teach someone to start making their own choices or to think for themselves
There was some commenting on the Kaspersky facebook page where they wrote about the recent hacking and theft of the data of some US Government contractor, and the Kaspersky admin half joked that they should have used their product. One excellent comment was: "Does that include Common Sense Internet Security 2012?". And it is SO true...
Ljubomir
On Sat, 2011-07-16 at 13:25 +0200, Rudi Ahlers wrote:
But, sadly google can't teach someone to start making their own choices or to think for themselves
Learning Linux/Centos on one's own, and without good text books, is a very daunting task even for those with over 40 years computer programming experience. I describe it as a steep learning curve but, as usual, I succeeded. Others may be confused and lack the background knowledge to put 'strange' things in context or to make sense of what seems illogical.
Recommending a good elementary source for learning about Linux basics is probably more useful than criticism.
IPtables can seem daunting when protecting a single machine but it is easy ONCE one discovers the logic and the necessary commands.
On desktops which are also used as local servers (running Apache, Exim and VSftp) I create 3 virtual IP addresses, one for each service, and then allow in traffic which uses the allocated IP address and the correspondingly correct (and usually changed from default) port number. That is then followed by the application's own security settings.
All these are subsequently IPT options. One of the first is the ability to impose a blanket ban on unwanted IPs.
Because I'm lazy, I type ipt -nvL or sv ipt status (after all, the computer is supposed to work for the Human Being)
Always Learning wrote:
On Sat, 2011-07-16 at 13:25 +0200, Rudi Ahlers wrote:
But, sadly google can't teach someone to start making their own choices or to think for themselves
Learning Linux/Centos on one's own, and without good text books, is a very daunting task even for those with over 40 years computer programming experience. I describe it as a steep learning curve but, as usual, I succeeded. Others may be confused and lack the background knowledge to put 'strange' things in context or to make sense of what seems illogical.
That was not directed to people wanting to learn something, but to the drones wanting everything "chewed up". Asking a specific question was never a problem to respond to and educate on, for most people.
I don't think I have been on a forum or mailing list that refused to point someone in the right direction. "Give a man a fish, you have fed him for today. Teach a man to fish, and you have fed him for a lifetime" most people use as a motto. But there are always those who want it all served on a silver platter.
Ljubomir
On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:
I don't think I have been on a forum or mailing list that refused to point someone in the right direction. "Give a man a fish, you have fed him for today. Teach a man to fish, and you have fed him for a lifetime" most people use as a motto. But there are always those who want it all served on a silver platter.
I prefer gold platters :-)
On Sun, 17 Jul 2011, Always Learning wrote:
To: CentOS mailing list centos@centos.org From: Always Learning centos@u6.u22.net Subject: Re: [CentOS] firewall?
On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:
I don't think I have been on a forum or mailing list that refused to point someone in the right direction. "Give a man a fish, you have fed him for today. Teach a man to fish, and you have fed him for a lifetime" most people use as a motto. But there are always those who want it all served on a silver platter.
I prefer gold platters :-)
Yes, me too. Preferably studded with Rubies, Diamonds and Emeralds!
Keith
Keith Roberts wrote:
On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:
I don't think I have been on a forum or mailing list that refused to point someone in the right direction. "Give a man a fish, you have fed him for today. Teach a man to fish, and you have fed him for a lifetime" most people use as a motto. But there are always those who want it all served on a silver platter.
I prefer gold platters :-)
Yes, me too. Preferably studded with Rubies, Diamonds and Emeralds!
I am more interested in the food on the platter. True open source geek, I know ;-)
Ljubomir
On 7/16/2011 12:33 AM, hadi motamedi wrote:
Dear All I need to put my centos 5.6 server as firewall server in front of a windows-running node before connecting it to the net. Can you please let me know what stuff do I need to put on my centos server? Thank you
I would suggest a dedicated firewall distro like untangle, pfsense, smoothwall, ...etc etc etc