Olaf Rempel wrote:
> On Wed, 16 Nov 2005 20:22:24 +0100 (CET)
> "Barbara M." <[EMAIL PROTECTED]> wrote:
>
>>> 4. Put iptables.
>>
>> For what I know, the box has only ports 80, 443, 21 forwarded from the
>> firewall ...
>> Is iptables still useful?
>
> If your apache doesn't need access to other webservers/IPs/whatever, you can
> try this:
>
> iptables -N httpdout
> iptables -A httpdout -o lo -j ACCEPT
> iptables -A httpdout -m state --state ESTABLISHED -j ACCEPT
> iptables -A httpdout -p udp --dport 53 -j ACCEPT
> iptables -A httpdout -p tcp -j REJECT --reject-with tcp-reset
> iptables -A httpdout -p udp -j REJECT
> iptables -A httpdout -j DROP
>
> iptables -A OUTPUT -m owner --uid-owner httpd -j httpdout
>
> This would prevent apache from accessing any service other than DNS.
> With modifications it is also good for securing every other daemon that runs
> non-root.
I have secured the entire system in such a way for my firewall; see
http://www.trustix.org/wiki/index.php/FirewallSettings

Cheers,
-- 
Morten

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
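The per-UID egress chain quoted above generalises to any non-root daemon, as Olaf notes. The script below is an added example, not code from this thread or from the Trustix wiki page: it parameterises the chain by the daemon's system user and the destination ports it legitimately needs, and prints the iptables commands instead of running them, so an administrator can review the ruleset (or pipe it to sh as root) before applying it. Compared with the quoted rules it adds a LOG rule ahead of the REJECTs so blocked egress attempts appear in syslog, accepts RELATED as well as ESTABLISHED, and uses `iptables -C` (available in iptables 1.4.11 and later) to avoid duplicating the OUTPUT hook on re-runs. The chain and user names in the usage lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a per-daemon egress
# chain in the style of the quoted httpdout rules, parameterised by the
# daemon's system user and the destination ports it is allowed to reach.
# Commands are printed, not executed, so the ruleset can be reviewed first.

# gen_egress_chain USER CHAIN [PROTO:PORT ...]
gen_egress_chain() {
    user=$1; chain=$2; shift 2

    # Create the chain if it doesn't exist yet, otherwise flush it, so the
    # generated script is idempotent on re-runs.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"

    # Loopback is always fine; replies to connections already in the
    # conntrack table (the daemon's own inbound clients) must be allowed out.
    printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"

    # One ACCEPT per explicitly permitted destination port, e.g. udp:53.
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        printf 'iptables -A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$port"
    done

    # Log before rejecting so unexpected egress from this uid shows up in
    # syslog (a compromised CGI trying to fetch a payload, for instance).
    printf 'iptables -A %s -j LOG --log-prefix "%s-egress: " --log-level 4\n' "$chain" "$chain"
    printf 'iptables -A %s -p tcp -j REJECT --reject-with tcp-reset\n' "$chain"
    printf 'iptables -A %s -p udp -j REJECT\n' "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"

    # Hook the chain for packets generated by the daemon's uid. Insert rather
    # than append so it runs before any broad ACCEPT already in OUTPUT, and
    # use -C first so a second run does not add a duplicate jump.
    printf 'iptables -C OUTPUT -m owner --uid-owner %s -j %s 2>/dev/null || iptables -I OUTPUT -m owner --uid-owner %s -j %s\n' \
        "$user" "$chain" "$user" "$chain"
}

# Usage (assumed user/chain names):
#   apache that only needs DNS; tcp/53 is included because large answers
#   fall back from udp to tcp:
#     gen_egress_chain httpd httpdout udp:53 tcp:53
#   a non-root daemon that must also reach an upstream database:
#     gen_egress_chain appuser appout udp:53 tcp:5432
```

Review the output with the daemon's actual dependencies in mind: anything it reaches that is not listed (a remote database, an SMTP relay, an OCSP responder) will be rejected and logged, which is exactly the signal you want to see during a test run before the rules go live.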
