FWIW, I have a stock RH6.2 system with a 2.2.16 kernel running on an
old P133 system. I set up my firewall with ipchains, using the rules
I got from this site:
http://www.linux-firewall-tools.com/linux/firewall/index.html
as a starting point. You answer a bunch of questions regarding your
configuration and what you want to allow or disallow, and it will
generate a shell script that will build your firewall. The script
needs to be run after the network interfaces are up (and, in particular,
after DHCP has secured an address from your ISP).
I had to hack the resulting script because of a few assumptions that
appeared to be incorrect for RH6.2:
o The script expects pump or dhcpcd to leave behind a small file
containing parametric goodies such as the DHCP server's IP
address, your assigned IP address, the address of a default
gateway, and the address(es) of DNS servers.
pump on my system didn't seem to leave behind such a file,
so I built into the script the ability to manually fetch all
the info by parsing the output of "pump --status".
o The default rules for DNS are broken if you're running a
caching server like I am... They're okay if you configure
your firewall as a DNS client. Or, at the very least, I had
to tweak them because when I send a query to MediaHun's
DNS server, the response doesn't come back on port 53.
o Your /var/log/messages file will quickly fill up with an
amazing variety of what I would call "junk" packet info.
I found the default packet logging policies to be a bit
overwhelming (stuff like logging broadcasts whose source
addresses were from bogus networks like 169.254, boot
requests from the same, some goober on my segment broadcasting
RIP, etc.), so I've been fine-tuning the logging so that I can
pick out more interesting events like someone doing a port scan
(modulo the ports that I don't log, like 67/68 or 520)
or someone banging away at smtp, pop, etc.
People on this list, I've noticed, generally do not like Ziegler's firewall
book. But I've found that his firewall builder tool is useful, certainly
at least as a starting point. Something worth noting about his tool: you
need to click the "update" button if you add or change something in the
main pane. If instead you go back to the left pane to click on the next
item without clicking "update", it'll forget what you typed in.
Oh, I also use tcpwrapper and I've shut off most stuff in /etc/inetd.conf
as well...
So far this has been enough to keep the script kiddies at bay. YMMV!
-- Farrell
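An added example, not part of Farrell's message and not code from Ziegler's firewall builder: a small POSIX shell/awk triage for the kind of ipchains "Packet log:" lines the message describes. It drops the DHCP (67/68), RIP (520) and 169.254/16 broadcast noise, then pulls out sources that look like a port scan (many distinct destination ports) and sources banging on one service (same port, repeatedly). The log lines, hosts, timestamps and rule numbers are constructed for the example; the one assumption about layout is that each line carries "... PROTO=<n> <src>:<sport> <dst>:<dport> ..." as in the ipchains kernel log format.

```shell
#!/bin/sh
# Added example, not code from the original message or from Ziegler's
# firewall builder. Triages ipchains "Packet log:" lines (as written to
# /var/log/messages by a rule with -l) so the DHCP/RIP/169.254 noise is
# dropped and scan-like activity stands out.
# Assumption: each line carries "... PROTO=<n> <src>:<sport> <dst>:<dport> ..."
# as in the ipchains kernel log format. SAMPLE_LOG is constructed for
# this example; hosts, timestamps and rule numbers are invented.

SAMPLE_LOG='Jun  1 10:00:01 fw kernel: Packet log: input DENY eth0 PROTO=17 169.254.13.7:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=128 (#12)
Jun  1 10:00:02 fw kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.9:520 255.255.255.255:520 L=52 S=0x00 I=0 F=0x0000 T=1 (#13)
Jun  1 10:00:05 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:33010 10.1.2.3:21 L=60 S=0x00 I=4 F=0x4000 T=51 SYN (#20)
Jun  1 10:00:05 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:33011 10.1.2.3:23 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#20)
Jun  1 10:00:06 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:33012 10.1.2.3:110 L=60 S=0x00 I=6 F=0x4000 T=51 SYN (#20)
Jun  1 10:00:06 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.77:33013 10.1.2.3:143 L=60 S=0x00 I=7 F=0x4000 T=51 SYN (#20)
Jun  1 10:00:09 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4021 10.1.2.3:25 L=60 S=0x00 I=8 F=0x4000 T=49 SYN (#21)
Jun  1 10:00:12 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4022 10.1.2.3:25 L=60 S=0x00 I=9 F=0x4000 T=49 SYN (#21)
Jun  1 10:00:15 fw kernel: Packet log: input DENY eth0 PROTO=17 169.254.200.1:137 169.254.255.255:137 L=78 S=0x00 I=10 F=0x0000 T=64 (#14)'

# Ports that are just segment chatter here: DHCP (67/68) and RIP (520).
NOISE_PORTS='67 68 520'

# tuple: stdin log lines -> one "src sport dst dport" line each.
tuple() {
    awk '/Packet log:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
        if (i > NF) next
        split($(i + 1), s, ":"); split($(i + 2), d, ":")
        print s[1], s[2], d[1], d[2]
    }'
}

# drop_noise: stdin log lines -> tuples, minus link-local (169.254/16)
# sources and anything on a NOISE_PORTS port at either end.
drop_noise() {
    tuple | awk -v noise="$NOISE_PORTS" '
        BEGIN { n = split(noise, a, " "); for (i = 1; i <= n; i++) np[a[i]] = 1 }
        $1 ~ /^169\.254\./ { next }
        ($2 in np) || ($4 in np) { next }
        { print }'
}

# scan_sources: sources that hit at least $1 (default 3) distinct
# destination ports, printed as "host count".
scan_sources() {
    min=${1:-3}
    drop_noise | awk -v min="$min" '
        { key = $1 SUBSEP $4; if (!(key in seen)) { seen[key] = 1; n[$1]++ } }
        END { for (h in n) if (n[h] >= min) print h, n[h] }' | sort
}

# repeat_hitters: sources that hit the same destination port at least
# $1 (default 2) times, printed as "host port count".
repeat_hitters() {
    min=${1:-2}
    drop_noise | awk -v min="$min" '
        { hits[$1 " " $4]++ }
        END { for (k in hits) if (hits[k] >= min) print k, hits[k] }' | sort
}

# report: all three passes over the log text passed in $1.
report() {
    echo "== denied packets worth a look (src sport dst dport)"
    printf '%s\n' "$1" | drop_noise
    echo "== probable port scans (>= 3 distinct ports)"
    printf '%s\n' "$1" | scan_sources 3
    echo "== repeat hitters on one service (>= 2 tries)"
    printf '%s\n' "$1" | repeat_hitters 2
}

# With a file argument (e.g. /var/log/messages) triage that file;
# otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    report "$(cat "$1")"
else
    report "$SAMPLE_LOG"
fi
```

Run it with no arguments to see it on the sample, or with /var/log/messages as the argument on a real log. The thresholds (3 distinct ports, 2 tries on one port) and the noise port list are starting points; on a busier segment you would raise the thresholds and add whatever else your segment broadcasts to NOISE_PORTS rather than widening the kernel-side logging exclusions.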