[H-GEN] Firewall configuration on a remote machine

David Seikel onefang at gmail.com
Wed Feb 9 00:00:46 EST 2011


On Wed, 9 Feb 2011 12:18:54 +1000 gavin duley
<gavin at microcomaustralia.com.au> wrote:

> I have a Linux VPS server (i.e., it is a figment of Xen's somewhat
> overactive imagination) with panix.com. Mostly, I think it's fairly
> secure -- e.g. I run sshd on a non-standard port, and have few
> services running, etc. I have iptables and ip6tables installed, but I
> know they're not really configured properly. I do need have some sort
> of well configured firewall, I think. Especially if I ever get around
> to running my own mail server (see the discussion on the LCA2011 list
> about 'escaping the cloud'...).
> 
> I had someone recently suggest shorewall, and this does seem like a
> good option. However, it does warn[1] not to attempt to install on a
> remote server:
> 
> "Caution
> "Do not attempt to install Shorewall on a remote system. You are
> virtually assured to lock yourself out of that system."

They say that because the default state of shorewall, when it is not
"up" as such, is to close everything.  In general this is a good
thing, but the problem then is that you then cannot connect to the box
remotely with ANY protocol.  Also, should you mis-configure it, you
may accidentally lock yourself out of the port you are using to do the
configuring.  This applies to any firewall though.

Being virtual, it may have file system partitions that are accessible
outside the virtual box.  Depends on how that is set up.  That can both
be a life saver if you screw up your firewall, and one other way to
attack your system.

As always when dealing with remote servers with anything that could
stop it being accessible remotely (rebooting, updates, etc), always
handy to have someone local to the box ready with a crash cart.  Also
good to get things tested and running on a local box, then just
transfer it over the 'net when you think it's good.

-- 
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.humbug.org.au/pipermail/general/attachments/20110209/fd252007/attachment.sig>


More information about the General mailing list