[CentOS] firewall?

Keith Roberts keith at karsites.net
Sat Jul 16 16:30:09 UTC 2011

On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:

> To: CentOS mailing list <centos at centos.org>
> From: Ljubomir Ljubojevic <office at plnet.rs>
> Subject: Re: [CentOS] firewall?
> Rudi Ahlers wrote:
>> On Sat, Jul 16, 2011 at 2:20 PM, Ljubomir Ljubojevic <office at plnet.rs> wrote:
>>> Keith Roberts wrote:
>>>> So I guess I could configure my single NIC Centos 5.6
>>>> machine connected to a 4 port ADSL router to act as the
>>>> external Gateway for other machines on the LAN side of the
>>>> router, possibly using NAPT on the Centos box?
>>> Yes, you can do that. You can also use it as a proxy server.
>>> When I said "firewall", I meant as firewall for the network, facing
>>> outside of the local network. There were people who would bring public
>>> (or semi-public, from ISP) IP to the switch and then hook up all PC's to
>>> that switch and use 2 subnets, one that ISP provided and one for the
>>> local LAN, all on the same switch, to save on hardware. That is not safe
>>> and not wise.
>> Sure, if the 2 subnets were just NAT'ed then it wouldn't be very safe.
>> But if you have proper firewall rules in place to block incoming
>> traffic from the public IP going to the private IP then it's very
>> safe.
> You are looking only at the safety of the server, not the whole network.
> In case of ADSL modems *with NAT-ing* you already have a firewall in the form
> of the ADSL modem, and you are safe.

That's exactly how my Thompson ADSL router works. By default 
it blocks any connections coming in from the outside 
internet IP address.

To open a port I have to login to the router, and create a 
NAPT rule that links an outside port to a machine and port
on the LAN side of the router.

I did have port 80 NAPT'd this way, but now I have removed 
that rule, as my websites are hosted on a cloud in a proper 
data center.

So what with the router firewall and then the Linux kernel 
iptables packet-filtering firewall, I actually have two 
firewalls running?

For checking open/closed ports from the outside, I go to 
www.grc.com and let their machine do a 'Shields Up' scan of 
my machine.

Kind Regards,

Keith Roberts


All email addresses are challenge-response protected with
TMDA [http://tmda.net]
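As an added example (not code from the list thread), a small Python audit of the inner of the two firewall layers Keith describes: it reads constructed `iptables-save` and `ss -ltn` output from the CentOS box and reports which listening TCP services the box's own iptables INPUT chain would let through, which it shields, and which ACCEPT rules are left behind for ports nothing listens on (the local counterpart of the port-80 NAPT rule removed from the router). The rule set and socket list are constructed samples; the parser only looks at explicit `--dport ... -j ACCEPT` rules in INPUT and ignores rule order.

```python
import re

# Constructed sample of `iptables-save` (filter table) on the CentOS box: INPUT
# defaults to DROP, SSH is allowed, and a stale port-80 allow is still present.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample of `ss -ltn` on the same box (listening TCP sockets).
SS_LTN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*
"""

def accepted_tcp_ports(save_text):
    # TCP destination ports the INPUT chain explicitly ACCEPTs (new connections).
    ports = set()
    for line in save_text.splitlines():
        if line.startswith("-A INPUT") and "-p tcp" in line and line.endswith("-j ACCEPT"):
            m = re.search(r"--dport (\d+)", line)
            if m:
                ports.add(int(m.group(1)))
    return ports

def listening_tcp_ports(ss_text):
    # Map port -> bound address for every LISTEN row of `ss -ltn` output.
    listening = {}
    for fields in (l.split() for l in ss_text.splitlines()[1:]):
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, port = fields[3].rsplit(":", 1)
            listening[int(port)] = addr
    return listening

def audit(save_text, ss_text):
    # Split listening services into those iptables lets through and those it
    # shields; also flag ACCEPT rules left behind for ports nothing listens on.
    allowed = accepted_tcp_ports(save_text)
    listening = listening_tcp_ports(ss_text)
    report = {"reachable": [], "shielded": [], "stale_allow": sorted(allowed - set(listening))}
    for port, addr in sorted(listening.items()):
        if addr.startswith("127."):
            continue  # loopback-only socket; unreachable from the LAN or router
        report["reachable" if port in allowed else "shielded"].append(port)
    return report
```

On the sample data the report is reachable [22], shielded [3306] and stale_allow [80]; the router's NAT layer then decides which of the reachable ports an outside scan such as Shields Up can actually see.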
