[CentOS] firewall?

Sat Jul 16 17:20:44 UTC 2011
Keith Roberts <keith at karsites.net>

On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:

> To: CentOS mailing list <centos at centos.org>
> From: Ljubomir Ljubojevic <office at plnet.rs>
> Subject: Re: [CentOS] firewall?
> 
> Keith Roberts wrote:
>> On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
>>
>> *snip*
>>
>>> I wrote about "physical presence *outside* of your network", like if you
>>> are on a large WISP that uses bridged network (bad design) and your
>>> Wireless client is bridged, and you have single NIC firewall in place,
>>> entire WISP's network will be able to sniff your traffic and hack into
>>> unprotected workstations/desktops. And there are those scenarios, much
>>> more than you can think.
>>
>> Which is why one poster mentioned that you need to be
>> familiar with IPtables and Networking before trying to make
>> your machine(s) network(s) secure?
>>
>> I read some time ago something about tunneling different
>> protocols through firewalls? which sounded quite scary.
>>
>
> All firewalls (on Linux at least) are by default closed, and you need
> knowledge to punch through the holes for your public services.
>
> It's something like this:
>
> Deny all (other) connections
>
> then you add few rules and it looks like this:
>
> Allow service listening on port X
> Allow service listening on port Y
> Allow service listening on port Z
> Allow service coming from IP A (and port W)
> Allow service coming to IP B (and port U)
> Deny all (other) connections
>
> Packets are sent through the chain (of the rules like above) and when
> they hit some rule, desired action is performed and that packet (mostly)
> stops going down the chain, so it does not hit bottom rule. If packet
> does not match any "allow" rule, then it will hit (one of) deny rule and
> that connection will be terminated.
>
> If you want easy to understand Firewall/router PC based on RHEL/CentOS
> try ClearOS, and if you want it *on* the CentOS I suggest to check
> shorewall.
>
> www.shorewall.net is also excellent site to learn about firewalls and
> routers in general with lots of examples.

Thanks for that, Ljubomir.

I have studied the IPtables docs, and actually have my own 
rules set up and running in place of the default IP4 & IP6 
CentOS rules. I did this mainly for logging purposes - all 
packet movements were logged to a file for later analysis.

I have turned off most firewall logging now, and I use 
Wireshark to watch packet movements in real time if I 
suspect there is a network problem. It's interesting to 
watch how packets move into and out of the eth0 interface.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
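The default-deny chain Ljubomir describes (allow a few services, allow a few source/destination addresses, deny everything else, first match wins) can be exercised offline with a small simulator. This is an added example, not code from the thread or from iptables/shorewall; the rules, addresses (RFC 5737 documentation ranges) and ports are constructed, and the iptables forms in the comments are an assumed mapping of each line. Beyond the thread's list it also shows why rule order matters: the same DROP rule either works or is never reached depending on where it sits in the chain.

```python
"""First-match packet-filter chain, simulated in Python (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One chain entry. A None field is a wildcard, like leaving the
    corresponding match option off an iptables rule."""
    action: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None    # CIDR, e.g. "198.51.100.0/24"
    dst: Optional[str] = None    # CIDR or single host

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet,
             policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom. The first matching rule decides and the
    packet stops there; if nothing matches, the chain policy applies, which is
    the trailing 'Deny all (other) connections' line in the thread."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.action, index
    return policy, None


# Constructed chain with the same shape as the one in the thread
# (ports X, Y, Z; source A with port W; destination B with port U).
INPUT_CHAIN = [
    Rule("ACCEPT", proto="tcp", dport=22),                           # -p tcp --dport 22 -j ACCEPT
    Rule("ACCEPT", proto="tcp", dport=80),                           # -p tcp --dport 80 -j ACCEPT
    Rule("ACCEPT", proto="tcp", dport=443),                          # -p tcp --dport 443 -j ACCEPT
    Rule("ACCEPT", proto="tcp", dport=3306, src="198.51.100.0/24"),  # -s 198.51.100.0/24 -p tcp --dport 3306 -j ACCEPT
    Rule("ACCEPT", proto="tcp", dport=25, dst="192.0.2.10"),         # -d 192.0.2.10 -p tcp --dport 25 -j ACCEPT
]                                                                    # policy: -P INPUT DROP


def ordering_matters() -> Tuple[str, str]:
    """Drop one host from the otherwise-allowed 198.51.100.0/24 range.
    Placed above the subnet ACCEPT the DROP takes effect; placed below it
    the packet has already been accepted and the DROP is never consulted."""
    blocked_host = Rule("DROP", src="198.51.100.77")
    pkt = Packet("198.51.100.77", "192.0.2.10", "tcp", 3306)
    good_chain = [blocked_host] + INPUT_CHAIN
    bad_chain = INPUT_CHAIN + [blocked_host]
    return evaluate(good_chain, pkt)[0], evaluate(bad_chain, pkt)[0]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),     # ACCEPT, rule 0
        Packet("203.0.113.5", "192.0.2.10", "tcp", 3306),   # DROP, wrong source
        Packet("198.51.100.7", "192.0.2.10", "tcp", 3306),  # ACCEPT, rule 3
        Packet("203.0.113.5", "192.0.2.11", "tcp", 25),     # DROP, wrong destination
    ]
    for p in samples:
        print(p, "->", evaluate(INPUT_CHAIN, p))
    print("DROP before/after subnet ACCEPT:", ordering_matters())
```

The `(action, index)` pair returned by `evaluate` is the thing to look at when a rule set does not behave as expected: an `index` of `None` means the packet fell all the way through to the policy, and an unexpected index usually means an earlier, broader rule is swallowing the packet before the intended one is reached.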