Shachar
Shachar Shemesh wrote:
Hi,
Attached are the firewall rules for the new server. Your feedback would be greatly appreciated. There was an attempt to lock this server down so as to avoid any and all possibility of a violation of policy. As a result, these rules are somewhat on the fanatical side. The idea is to make using a shell on the actual server as unpleasant as possible, for both legit users and attackers. Sorry - that's just the way life is.
If you feel you know this field, and yet you do not understand a certain rule, please ask. It may be that I know something you don't, but it may also be that you have spotted an error.
The exact IPs of some of the servers have been munged, as knowing which NTP servers we use allows a theoretical attack vector.
Also, and it goes without saying, feel free to use this script in your own setups. I have accompanying scripts that are aimed at making sure that the firewall settings don't fall out of date due to changes in other config files. Feel free to email me and ask for them.
Thanks, Shachar
--
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/
