-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim C wrote on Mon, Mar 10, 2003 at 02:28:10PM -0800 :
> 
> So basically the local network and the firewall box can talk to anyone 
> but, as defined below, not anyone can talk back.

Not quite.  If you send a packet out, a reply coming back in (aka talk
back) will be allowed.  If a *NEW* incoming packet appears though, that
will be rejected.

Maybe you understood it perfectly and only your wording implied
something different than my wording, but I want to make sure we're on
the same page.

> The only rules I have defined so far are:
> ACCEPT          net     fw            tcp     22 #(ssh)
> ACCEPT          net     fw            icmp    8  #(ping)
> So anyway here is the big question: Given that I have physical security 
> on the local net and firewall boxes, is this a safe basic setup?

No.  You're allowing people to ssh directly to your firewall.  That's
not safe.  At the very least use tcpwrappers to limit what IPs can
connect to the sshd daemon.  Even better, limit it to key based ssh'ing
(i.e. no interactive login).

Blue skies...                   Todd
- -- 
           MandrakeSoft USA   http://www.mandrakesoft.com
          cat /boot/vmlinuz > /dev/dsp  #for great justice
      Mandrake Cooker Devel Version, Kernel 2.4.21-0.13mdk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+bjdklp7v05cW2woRAg/LAJ9zvPrjuXxzUFc2gdTySPhfLBOOWACfab8P
KAM46mSKWfUYCo9cacj2krY=
=LCfe
-----END PGP SIGNATURE-----
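The two hardening steps Todd recommends for the firewall's sshd (a tcpwrappers allow list for the source addresses that may reach it, and key-only authentication, read here as turning off password logins) can be checked mechanically. The script below is an added example written for this page; it is not from Todd's post, from Mandrake, or from the firewall package whose rules Jim quotes. The sshd_config, hosts.allow and hosts.deny contents are constructed inline (a weak pair and a hardened pair), and the function names check_sshd_keys_only, check_tcpwrappers and audit_fw_ssh are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config and a
# tcpwrappers hosts.allow/hosts.deny pair for two properties:
#   1. only an explicit list of source addresses may reach sshd
#      (hosts.deny has a default deny, hosts.allow names the sources);
#   2. password and root logins are off, so only key-based access works.
# All file contents below are constructed samples so the script runs offline.

# Constructed "before" settings: the defaults a fresh box might ship with.
SSHD_WEAK='PermitRootLogin yes
PasswordAuthentication yes'
ALLOW_WEAK=''
DENY_WEAK=''

# Constructed "after" settings: the shape Todd's advice leads to.
SSHD_HARD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'
ALLOW_HARD='sshd: 192.168.1.0/255.255.255.0'
DENY_HARD='sshd: ALL'

# Return 0 when the sshd_config text disables password authentication and
# root login; the keyword match is case-insensitive like sshd's parser.
check_sshd_keys_only() {
    conf="$1"
    printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' || return 1
    printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' || return 1
    return 0
}

# Return 0 when hosts.deny carries a default deny for sshd (or for ALL
# services) and hosts.allow names at least one numeric source for sshd.
check_tcpwrappers() {
    allow="$1"
    deny="$2"
    printf '%s\n' "$deny" | grep -Eiq '^[[:space:]]*(sshd|ALL)[[:space:]]*:[[:space:]]*ALL' || return 1
    printf '%s\n' "$allow" | grep -Eiq '^[[:space:]]*sshd[[:space:]]*:[[:space:]]*[0-9]' || return 1
    return 0
}

# Combine both checks: 0 means the firewall's sshd meets both recommendations.
# Arguments: sshd_config text, hosts.allow text, hosts.deny text.
audit_fw_ssh() {
    check_tcpwrappers "$2" "$3" && check_sshd_keys_only "$1"
}

# Stand-alone demonstration: report the verdict for both sample sets.
if audit_fw_ssh "$SSHD_WEAK" "$ALLOW_WEAK" "$DENY_WEAK"; then
    echo "weak config: passes"
else
    echo "weak config: fails (sshd reachable from anywhere, passwords on)"
fi
if audit_fw_ssh "$SSHD_HARD" "$ALLOW_HARD" "$DENY_HARD"; then
    echo "hardened config: passes"
else
    echo "hardened config: fails"
fi
```

To run it against a real box, replace the constructed strings with `$(cat /etc/ssh/sshd_config)`, `$(cat /etc/hosts.allow)` and `$(cat /etc/hosts.deny)`. The tcpwrappers check only means something where sshd is built with libwrap, which was the norm for OpenSSH on distributions of this era but was dropped from OpenSSH itself in later releases; on such systems the same source restriction belongs in the packet filter, and Shorewall-style rules like the ones Jim quotes can carry it in the SOURCE column (for example `net:<allowed-address>` in place of a bare `net`).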
