Hi,

Ok, this is getting away from OpenVPN so just this one reply.

> One small remark below:
>
> <snip>
>
>> # Set policies
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -P OUTPUT ACCEPT
>>
> <snip>
>
> Why would you allow unrestricted outgoing traffic?
> I would suggest to set also that policy to 'DROP',
> only allow what you expect, and allow in either direction stateful packages.

This is what I set up for small systems / sites; it is also perfect for private situations like my firewall/gateway at home. Remember OUTPUT is only what starts at the system itself. That can never be more than what is coming from the running services unless it is a workstation system. I have almost none of those, only Linux servers. But even then....

The use of port filtering is greatly reduced nowadays, where most applications simply use port 80 or 443 when they want to go outside and the default option is denied. On our larger sites I used to have a firewall with outbound ports listed and everything else would get denied. On those systems 90% of the traffic was port 80 and 443, and it wasn't only web traffic. A few months ago we switched to Palo Alto firewalls which inspect the traffic and filter on that. I can now filter on, for instance, allow facebook traffic but deny facebook games. That level of filtering is "a bit more than we need" ;-) but it is nice to have.

Bonno Bloksma

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
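The policy the quoted remark recommends (default DROP on INPUT, FORWARD and OUTPUT, stateful ESTABLISHED/RELATED traffic allowed both ways, and only the expected services opened explicitly), written out as a complete script. This is an added example, not the script from the thread or anything Bonno posted; the port list, the DNS server address and the `IPTABLES=echo` dry-run convention are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): default-DROP host firewall for a small
# Linux server. Run with IPTABLES=echo to print the rules instead of applying
# them (dry run); otherwise it needs root and the iptables binary.
IPTABLES="${IPTABLES:-iptables}"

# Assumed/constructed values: adjust to the host.
INBOUND_TCP="22"           # sshd listening on this host
OUTBOUND_TCP="80 443"      # package updates / web access started by the host
DNS_SERVER="192.0.2.53"    # documentation-range address, constructed

apply_rules() {
    # Flush and set default policies: nothing passes unless listed below.
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback is always allowed.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Stateful: replies to already accepted connections, in both directions.
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound services this host runs (NEW connections only).
    for p in $INBOUND_TCP; do
        $IPTABLES -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # OpenVPN on its default UDP port.
    $IPTABLES -A INPUT -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound: only what the server itself is expected to start.
    $IPTABLES -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    for p in $OUTBOUND_TCP; do
        $IPTABLES -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log what the policy is about to drop so a missing rule shows up in syslog
    # instead of as a silent hang (the policy itself still does the dropping).
    $IPTABLES -A INPUT  -j LOG --log-prefix "fw-in-drop: "
    $IPTABLES -A OUTPUT -j LOG --log-prefix "fw-out-drop: "
}

# Review helper: count generated rules matching a pattern, always in dry-run
# mode (subshell so IPTABLES=echo does not leak into the caller).
count_rules() {
    ( IPTABLES=echo; apply_rules ) | grep -c -- "$1"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Running `IPTABLES=echo sh fw.sh --apply` prints the rule set for review before it touches a live box; the OUTPUT chain ends up with exactly the DNS and two TCP destinations allowed, which is the "only allow what you expect" point from the quoted remark.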