[svlug] Packet Filter (was: Red Hat 7.3 Help)

Ira Abramov lists-svlug at ira.abramov.org
Fri Jul 12 01:25:59 PDT 2002


Quoting Bishop, from the post of Fri, 12 Jul:

> I saw all the services that were starting on boot up. I noticed that I
> had ipchains, iptables, and ip6tables. I really don't know, plus
> haven't seen that one around.

I haven't worked on a new RH box in years, but I would expect it's just
a script to create filter rules. It's easy to do; I have made my own,
because I like to know what runs on my machine when it comes to the
security side.

http://ira.abramov.org/linux/ADSLnetfilter.init.html

> Another thing: when I was going through the setup for the firewall, it asked
> me what level of security I wanted: "High", "Medium", "NONE".

Well, I have no idea what they mean on RedHat. Basically, securing a
webserver takes a few steps, and I understand you are not going to use
it for much else, so I'll sketch it in rough lines, and you can search
Google and linuxdoc.org for the rest:

1. Install a very minimal system. Only what's really necessary.

2. Get rid of ALL daemons and netservices except for the services you
need (webserver, log server, cron, secure access like ssh. Telnet and
others are a no-no).

3. Run a few hardening scripts (optional) like Bastille; those will also
give you a more detailed explanation of the options and set you up with
a few good filters.

4. Alternatively, set up an iptables script of your own (mine should be
easy to adapt); some TCP/IP knowledge and a quick reading of the
netfilter/iptables howto is highly recommended.

5. Add in only the cgi/php/whatnot code that you know is tested for
security. If it's a product with a known history of multiple dangerous
holes like PHP-nuke, keep a close eye on the corresponding announcement
mailing list.

> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

Seems a bit empty to me. Weird. Whatever you chose for "security level"
made no impact.

Good luck!

-- 
Looks could kill
Ira Abramov

http://ira.abramov.org/email/ This post is encrypted twice with ROT-13.
Documenting or attempting to crack this encryption is illegal.
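
Added example, not part of the original post and not the author's script: a shell check for the condition the quoted listing shows, built-in chains with policy ACCEPT and no rules. The function names and both sample listings are constructed for illustration.

```shell
# Reads `iptables -L -n` on stdin; prints each built-in chain (header reads
# "(policy X)") whose policy is ACCEPT and that holds no rules at all.
open_chains() {
    awk '
        function report() { if (policy == "ACCEPT" && rules == 0) print chain }
        /^Chain / {
            report(); chain = $2; rules = 0; policy = ""
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        /^[ \t]*(pkts|target)[ \t]/ || /^[ \t]*$/ { next }  # header or blank
        { rules++ }
        END { report() }
    '
}

# Succeeds unless INPUT or FORWARD is wide open (empty OUTPUT is tolerated).
filter_in_place() {
    ! open_chains | grep -Eq '^(INPUT|FORWARD)$'
}

# Constructed sample: every chain empty with policy ACCEPT.
sample_empty() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample: default-drop web server allowing ssh and http.
sample_filtered() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}
```

On a live box, pipe the real listing in as root: `iptables -L -n | filter_in_place`. A chain with policy ACCEPT that holds some rules is not flagged, so this only catches the fully empty case.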