Rather than individually shutting down ports, you're much better off from a security standpoint figuring out what services you need to allow (http, https, smtp, pop3, ssh, ftp are all likely candidates for a hosting ISP) and implicitly denying all services, then setting rules to allow those.

There are graphical front-ends to ipchains, most of which can be found on freshmeat (http://www.freshmeat.net), that make constructing your rule-base much easier. GFCC is my personal choice, but there may be others that have been developed since I started using it. The ipchains HOW-TO will give you a pretty good idea of how it all fits in and how to get ipchains configured and running.

Make sure you harden the OS, too. There's nothing more embarrassing than having your firewall get owned. Blocking traceroute and icmp at the border router will help conceal the firewall's existence, as will having ipchains deny all connections to the firewall that don't originate from your intranet.

I know this is a Debian discussion, but might I suggest checking out Netscreen firewall devices as well. They're not very expensive, perform well, are highly configurable, and can operate in a true transparent mode. We've been evaluating them here where I work and I'm using one at home on my DSL connection.... I've turned my Linux firewall into a counter-strike server now that its firewall services are no longer needed. I'll probably never go back. </shameless-plug>

Jason

-----Original Message-----
From: Matt Kopishke [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 10, 2001 10:12 AM
To: [email protected]
Subject: Firewall on a debian Box.

Hi,

I need to set up a firewall on my company's small network. What I have in mind is a box that does packet filtering, shuts down unused ports, and such. This machine would have to be transparent as we do web hosting. So something that looks like this:

                   +------+  +------------+  +------+
    The Internet --|Router|--|Firewall Box|--|Switch|-- Our Network
                   +------+  +------------+  +------+

If that makes any sense. My question is where do I start? Is there any good software or documentation that deals with this kind of set up? I know I can start shutting down ports using ipchains, but someone else must already be using a set up like this.

Thanks,
-Matt-

+-----------------------------------------------------+
| Matt Kopishke [EMAIL PROTECTED]                     |
| Blue Note Technology http://bluenotetech.com        |
| Waldo Theatre http://www.waldotheatre.org           |
+------------------------+----------------------------+
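A rule set of the kind the reply describes (default deny on the chains that see inbound and routed traffic, explicit allows for the hosted services, and intranet-only access to the firewall itself), as an added example that is not part of the original thread. Interface names, address blocks and the firewall's own address are assumed placeholders; rules are printed rather than applied unless APPLY=1 is set, so it can be reviewed on a box without ipchains.

```shell
#!/bin/sh
# Added example, not from the original thread: a default-deny ipchains
# rule set along the lines Jason describes. Interfaces and addresses are
# assumed placeholders (TEST-NET and RFC 1918 ranges); adjust for the site.
# Rules are only printed unless APPLY=1 is set, so the script can be
# reviewed on a machine without ipchains.

EXT_IF=eth0                 # interface towards the border router (assumed)
INT_IF=eth1                 # interface towards the switch (assumed)
HOSTED=203.0.113.0/24       # public hosted servers behind the switch (constructed)
INTRANET=192.168.1.0/24     # admin LAN allowed to talk to the firewall (constructed)
FW_IP=198.51.100.2          # the firewall's own external address (constructed)
SERVICES="80 443 25 110 22 21"   # http https smtp pop3 ssh ftp, as in the reply

# Run ipchains, or just print the command when not applying.
ipc() {
    if [ "${APPLY:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

build_rules() {
    # Flush and deny by default on the chains that see inbound and routed
    # traffic (output keeps its default ACCEPT); all that follows is an exception.
    for chain in input forward; do ipc -F "$chain"; ipc -P "$chain" DENY; done
    ipc -A input -i lo -j ACCEPT
    # RFC 1918 sources arriving on the outside interface are spoofed: log and drop.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipc -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done
    # The firewall itself: only the intranet may open SSH to it.
    ipc -A input -p tcp -s "$INTRANET" -d "$FW_IP" 22 -j ACCEPT
    # Non-SYN TCP is a reply to a session already permitted, so let it through.
    ipc -A input -p tcp ! -y -j ACCEPT
    # Anything else aimed at the firewall (new TCP, UDP, ICMP) is denied and logged.
    ipc -A input -d "$FW_IP" -j DENY -l
    # New connections from anywhere are allowed only to the hosted services.
    for port in $SERVICES; do
        ipc -A input -p tcp -s 0/0 -d "$HOSTED" "$port" -j ACCEPT
    done
    # Traffic originating on the inside interface from the hosted block is trusted.
    ipc -A input -i "$INT_IF" -s "$HOSTED" -j ACCEPT
    # Routing through the box: only traffic to or from the hosted block.
    ipc -A forward -d "$HOSTED" -j ACCEPT
    ipc -A forward -s "$HOSTED" -j ACCEPT
}

build_rules
```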

