
Re: firewall newbie questions



On 10/04/2004 Daniel Pittman wrote:
> > [...]
> > same class C net, the fourth in another. This way I workaround the two
> > nameservers from different class c nets required by denic to set new
> > nameserver entries for .de domains. My luck that my hosting center
> > supports that *g*
> 
> Just a note: you would be better off trying to find a real secondary DNS
> server, not faking it like this.  Your system will be *much* more
> reliable as a result.  Most of these rules exist for good reasons. :)

Yeah, I know that. But as long as the DNS server only holds domains that
are local to the server it's not that bad, and I'll surely add another
secondary nameserver as soon as possible, but since we are a small
company, and this is our first own server, it's not that easy to find
another one.

> > maybe you can point me to the right docs or simply to the right
> > firewall tools.
> 
> Well, I use and recommend the 'firehol' script for this sort of work.
> It is quite simple to set up initially, but also very powerful and able
> to integrate anything you want to do nicely.
> 
> It is packaged in testing and unstable, or trivial to backport as it has
> no real dependencies other than bash, awk and so.

Yeah, sounds really nice, but yesterday I fucked my system with fiaif by
only executing an 'iptables -F INPUT' and this way locking everything out
of my server.

To prevent this, I don't plan to install any firewall scripts that have
a paranoid default configuration and this way block, for example, the
ssh server -> don't allow any login from remote any longer.

Since the package you recommended, 'firehol', has a note in its description
saying: "The default configuration file will allow only client traffic on
PPP and ethernet interfaces.", I'm a little bit confused about whether
to install the package.

A short hint would be cool.

bye
 jonas
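What a safer reset than a bare 'iptables -F INPUT' looks like, as an added example that is not part of this thread and not firehol's or fiaif's code; it assumes SSH on port 22 and uses hypothetical IPT, IPTABLES_SAVE and IPTABLES_RESTORE variables so the commands can be previewed with wrappers:

```shell
#!/bin/sh
# Added example (not from this thread or firehol): reset the INPUT chain
# without locking yourself out. A bare 'iptables -F INPUT' removes the
# ACCEPT rules but keeps the chain's DROP policy, so SSH is dropped too.
# The three command variables are hypothetical hooks so the script can be
# previewed with wrappers instead of touching the live firewall.
IPT="${IPT:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
SSH_PORT="${SSH_PORT:-22}"
BACKUP="${BACKUP:-/root/iptables.before-reset}"
GRACE="${GRACE:-120}"   # seconds before the watchdog restores the backup

# Order matters: open the door before flushing, never after.
safe_reset_input() {
    # 1. keep a restorable copy of the current ruleset
    "$IPTABLES_SAVE" > "$BACKUP" || return 1
    # 2. a permissive policy makes the flush harmless
    "$IPT" -P INPUT ACCEPT || return 1
    "$IPT" -F INPUT || return 1
    # 3. re-add the minimum: loopback, existing connections, SSH
    "$IPT" -A INPUT -i lo -j ACCEPT || return 1
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT || return 1
    # 4. only now tighten the policy again
    "$IPT" -P INPUT DROP
}

# Dead man's switch: unless confirm_firewall runs within $GRACE seconds
# (i.e. you proved you can still log in), the saved ruleset comes back.
start_watchdog() {
    ( sleep "$GRACE"; "$IPTABLES_RESTORE" < "$BACKUP" ) &
    WATCHDOG_PID=$!
}

confirm_firewall() {
    kill "$WATCHDOG_PID" 2>/dev/null && rm -f "$BACKUP"
}

# Usage from a root shell:  . ./safe-reset.sh; safe_reset_input && start_watchdog
# then open a second SSH session and run confirm_firewall from it.
```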


