[H-GEN] Firewall Setup.
The memory remains
memory at humbug.org.au
Mon Nov 24 13:38:19 EST 1997
On Mon, 24 Nov 1997, Cowan, James wrote:
> Will there be someone who could help me set up a fairly secure firewall
> at next weekend's meeting?
This is what I do for masq, with some comments added.
# Firewall rules:
# By default never forward packets
ipfwadm -F -p deny
# I suppose I should add
# ipfwadm -F -a deny -S 192.168.105.0/24 -D 192.168.105.0/24
# to ensure that you're not responding to some forged address, and
# allowing access there.
# Make an exception for the 192.168.105.* subnet, for which forwarding
# will be restricted to masquerading, and will allow these packets to go
# absolutely anywhere.
ipfwadm -F -a m -S 192.168.105.0/24 -D 0.0.0.0/0
That's all you need to prevent direct access from the internet.
This does not secure the gateway in any respect. If they get a login on
that machine, or pervert some process on it, then they can communicate
with machines on the private subnet. That machine is your weak point,
and you should take care to disable unnecessary services in
/etc/inetd.conf, and make sure you've got recent versions of all programs
on there, with all security patches applied.
The memory remains <memory at humbug.org.au>
Web page at http://student.uq.edu.au/~s335810
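
Added example, not part of the original post: a small audit of the gateway's inetd configuration, following the advice above to disable unnecessary services in /etc/inetd.conf. It assumes the standard six-field inetd.conf layout; the function names, the allowlist and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the services still enabled in an inetd.conf-style file
# and flag every one that is not on an explicit allowlist.
# Assumed line layout: service socktype proto wait/nowait user server args...
# Lines starting with '#' are disabled entries or comments.

# audit_inetd FILE "ALLOWED SERVICE NAMES"
# Prints "KEEP svc/proto" or "REVIEW svc/proto -> server" per active entry.
# Returns 1 if any entry needs review, 0 otherwise.
audit_inetd() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # comments, blanks, malformed lines
        {
            if ($1 in ok) printf "KEEP   %s/%s\n", $1, $3
            else { printf "REVIEW %s/%s -> %s\n", $1, $3, $6; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample FILE: constructed sample config, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd       in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd       in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd       in.fingerd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd
EOF
}

# Demo run against the sample; on a real gateway pass /etc/inetd.conf instead.
sample=$(mktemp)
write_sample "$sample"
audit_inetd "$sample" "auth" || echo "gateway still offers services that need review"
rm -f "$sample"
```

After commenting out the flagged entries, inetd has to re-read its configuration (normally on SIGHUP) before the change takes effect.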