[H-GEN] Firewall configuration on a remote machine

gavin duley gavin at microcomaustralia.com.au
Tue Feb 8 21:18:54 EST 2011


I have a Linux VPS server (i.e., it is a figment of Xen's somewhat overactive imagination) with panix.com. Mostly, I think it's fairly secure -- e.g. I run sshd on a non-standard port, and have few services running, etc. I have iptables and ip6tables installed, but I know they're not really configured properly. I do need to have some sort of well-configured firewall, I think. Especially if I ever get around to running my own mail server (see the discussion on the LCA2011 list about 'escaping the cloud'...).

I had someone recently suggest shorewall, and this does seem like a good option. However, it does warn[1] not to attempt to install on a remote server:

"Do not attempt to install Shorewall on a remote system. You are virtually assured to lock yourself out of that system."

This *may* not be as much of a problem as I'm worrying about, as even if I cannot access the server via ssh, I can log on via a local tty using panix's console server[2]. Since it is a Xen virtual machine located somewhere in the US, physical access is of course not an option, though.

I guess my two questions then are:
Should I be as paranoid as I am about installing shorewall on a remote system?
If I should avoid shorewall, what are my other options? (other than learning iptables).



[1] http://www.shorewall.net/shorewall_quickstart_guide.htm
[2] http://www.panix.com/corp/v-colo/vfaq.html#console
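The lock-out problem the post worries about has a standard answer that does not need a console server: load the new ruleset with a background timer that restores the old one, and cancel the timer only after you have confirmed over the ssh session that it still works. Shorewall's own safe-start/safe-restart commands implement the same confirm-or-revert idea. The script below is an added example, not code from the original post, from Shorewall or from panix; the sshd port 2222, the 60-second window and the ruleset it generates are assumptions for illustration, and the ruleset only covers IPv4 (ip6tables would need the same treatment).

```shell
#!/bin/sh
# Lock-out-safe iptables load for a remote host (added example; not Shorewall's code).
# Assumptions (not from the post): sshd listens on SSH_PORT, and the host has
# iptables-save, iptables-restore, the conntrack match and sleep(1).

SSH_PORT="${SSH_PORT:-2222}"            # hypothetical non-standard sshd port
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"    # how long the operator has to confirm

# gen_rules PORT: print an iptables-restore ruleset that keeps loopback, existing
# connections, ICMP and new inbound ssh on tcp/PORT, and drops everything else.
gen_rules() {
    port="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# rules_allow_port RULESET PORT: succeed if RULESET has an INPUT ACCEPT for tcp/PORT.
# Run this on the generated text before loading it so a typo in the port cannot
# produce a ruleset with no ssh hole at all.
rules_allow_port() {
    printf '%s\n' "$1" | grep -q -- "-A INPUT -p tcp --dport $2 .*-j ACCEPT"
}

# apply_with_rollback PORT: save the live rules, arm a timer that restores them,
# load the new rules, then ask for confirmation over the (still open) session.
# If the new rules kill the session nobody answers, the timer fires and the
# saved rules come back. Needs root.
apply_with_rollback() {
    port="$1"
    rules="$(gen_rules "$port")"
    rules_allow_port "$rules" "$port" || { echo "refusing: no ssh ACCEPT for tcp/$port" >&2; return 1; }
    backup="$(mktemp)"
    iptables-save > "$backup" || return 1
    # Killing this subshell orphans the sleep but the restore inside it never runs.
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup" ) &
    timer=$!
    if ! printf '%s\n' "$rules" | iptables-restore; then
        kill "$timer" 2>/dev/null
        iptables-restore < "$backup"    # load failed half-way: put the old rules back now
        rm -f "$backup"
        return 1
    fi
    printf 'New rules loaded. Type yes within %ss to keep them: ' "$ROLLBACK_SECS"
    read -r answer
    if [ "$answer" = "yes" ]; then
        kill "$timer" 2>/dev/null
        rm -f "$backup"
        echo "Kept new rules."
    else
        echo "Not confirmed; waiting for the rollback timer."
        wait "$timer"
        rm -f "$backup"
        return 1
    fi
}

# ./safefw.sh        -> dry run: print the ruleset that would be loaded
# ./safefw.sh apply  -> load it with the rollback timer (as root)
if [ "${1:-}" = "apply" ]; then
    apply_with_rollback "$SSH_PORT"
else
    gen_rules "$SSH_PORT"
fi
```

Run it with no arguments first and read the printed ruleset; then run `apply` as root from the ssh session you want to keep. The ESTABLISHED rule is what lets the current session survive the reload, and the INVALID drop plus a default DROP policy is what makes it a firewall rather than a list of holes. Once the rules are confirmed, persist them (iptables-save into whatever your distribution loads at boot), since nothing here survives a reboot.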

