Re: [CentOS] firewall questions

2020-06-23 Thread tbuchanan
Working on it.  Some other issues got in the way of testing.


-- 
Ted Buchanan
Computer/Network Analyst - Vincennes University
tbucha...@vinu.edu



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewall questions

2020-06-22 Thread Jon LaBadie
On Sun, Jun 21, 2020 at 02:33:18PM -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific ip
> blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24 and
> 118.0.0.0/24, and they amounted to multiple thousands of attempts per day.
> I installed and configured fail2ban, but still saw a lot of attempts in the
> logs, and the ipset created was filling up.
> 
What type of ipset did you create, perhaps hash:ip where individual
addresses are listed?  If so, consider switching to hash:net which
uses CIDR style entries.  Individual addresses become 1.2.3.4/32
but blocks can be included with a single entry.  My ipset has about
40,000 entries, but covers millions of IP addresses.

If you do switch look on the net for a program called "cidrmerge".
It takes a list of IP addresses and CIDR networks, sorts them
and merges multiple entries into a single network where possible.

Jon
-- 
Jon H. LaBadie  j...@labadie.us
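Jon's hash:net and cidrmerge advice, as an added Python example that is not from the thread and is not the cidrmerge program itself: it sorts and merges a mixed list of addresses and CIDR blocks with the standard library, shows how many entries a hash:net set needs afterwards, and emits the `ipset restore` input for it. The ban list and the set name "blocked" are constructed for the demo; the two /24s are the ones named in the thread.

```python
"""Merge a ban list into the fewest CIDR entries for a hash:net ipset.

Added example; it does cidrmerge's sort-and-merge job with the standard
library.  The ban list and the set name "blocked" are constructed."""
from ipaddress import collapse_addresses, ip_address, ip_network
from typing import Iterable


def parse_entries(lines: Iterable[str]) -> list:
    """Accept bare addresses and CIDR blocks; a bare address becomes a /32."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # allow trailing comments
        if entry:
            nets.append(ip_network(entry, strict=False))  # tolerate host bits
    return nets


def merge(nets: list) -> list:
    """Sort, drop entries covered by a larger block, join adjacent sibling
    blocks into their parent, and repeat until nothing more collapses."""
    return list(collapse_addresses(nets))


def covered(nets: list, address: str) -> bool:
    """Would this address hit the set?  Merging never changes the answer."""
    addr = ip_address(address)
    return any(addr in net for net in nets)


def ipset_restore_script(name: str, nets: list) -> str:
    """Input for `ipset restore`: a hash:net set with CIDR entries."""
    lines = [f"create {name} hash:net family inet -exist"]
    lines += [f"add {name} {net.with_prefixlen} -exist" for net in nets]
    return "\n".join(lines)


# Constructed sample: the kind of list a hash:ip set accumulates, plus two of
# the /24s from the thread.  Documentation ranges are used for the rest.
BAN_LIST = """
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.0/25
192.0.2.128/25      # with the /25 above this is all of 192.0.2.0/24
198.51.100.0/26
198.51.100.64/26    # adjacent siblings, merge to 198.51.100.0/25
45.0.0.0/24
49.0.0.0/24
203.0.113.77        # a lone host, stays as a /32
""".splitlines()


def demo() -> dict:
    """Return the before/after entry counts and the merged blocks."""
    before = parse_entries(BAN_LIST)
    after = merge(before)
    return {"before": len(before), "after": len(after),
            "blocks": [net.with_prefixlen for net in after]}


if __name__ == "__main__":
    result = demo()
    print(f"{result['before']} entries -> {result['after']} blocks")
    print(ipset_restore_script("blocked", merge(parse_entries(BAN_LIST))))
```

If firewalld owns the set (created with `firewall-cmd --permanent --new-ipset=NAME --type=hash:net`), load the merged blocks through `firewall-cmd --permanent --ipset=NAME --add-entries-from-file=FILE` rather than `ipset restore`, so firewalld does not overwrite them on reload.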


Re: [CentOS] firewall questions

2020-06-21 Thread Erick Perez - Quadrian Enterprises
Please take a look at https://www.wireguard.com/quickstart/
We have now reduced the attack vector to only the things offered to the public
(https, smtp tls and imaps/s).

On Sun, Jun 21, 2020 at 3:58 PM Pete Biggs  wrote:

> On Sun, 2020-06-21 at 16:47 -0400, mailist wrote:
> > On 2020-06-21 15:33, Chuck Campbell wrote:
> > > I'm running Centos 7.8.2003, with firewalld.
> > >
> > > I was getting huge numbers of ssh attempts per day from a few specific
> > > ip blocks.
> >
> > If you can control the ssh clients, switch your port number to a
> > non-standard port.  Pick one in /etc/services that does not seem to be
> > allocated.  Then change "Port" in ssh_config and sshd_config; if other
> > clients are being used (like Putty), it is easy to change it there.
> >
> > We used to get at least 50 probes per day on port 22.  Now we get zero.
> >
> I used this technique for a number of years - then it got leaked to the
> script kiddies the port that was used. We don't have anything
> particularly valuable that they were looking for (I don't think!), but
> there are lists of subnets & ports out there that the kiddies use so
> once one found it, the flood gates opened.  SSH is now protected behind
> a VPN.
>
> It's a valid thing to do and makes things much saner, but don't assume
> it is a forever solution and don't use it as an excuse to reduce other
> protections you may have.
>
> P.
>


-- 

-
Erick Perez
Quadrian Enterprises S.A. - Panama, Republica de Panama
Skype chat: eaperezh
WhatsApp IM: +507-6675-5083
-


Re: [CentOS] firewall questions

2020-06-21 Thread Pete Biggs
On Sun, 2020-06-21 at 16:47 -0400, mailist wrote:
> On 2020-06-21 15:33, Chuck Campbell wrote:
> > I'm running Centos 7.8.2003, with firewalld.
> > 
> > I was getting huge numbers of ssh attempts per day from a few specific
> > ip blocks.
> 
> If you can control the ssh clients, switch your port number to a
> non-standard port.  Pick one in /etc/services that does not seem to be
> allocated.  Then change "Port" in ssh_config and sshd_config; if other
> clients are being used (like Putty), it is easy to change it there.
> 
> We used to get at least 50 probes per day on port 22.  Now we get zero.
> 
I used this technique for a number of years - then it got leaked to the
script kiddies the port that was used. We don't have anything
particularly valuable that they were looking for (I don't think!), but
there are lists of subnets & ports out there that the kiddies use so
once one found it, the flood gates opened.  SSH is now protected behind
a VPN.

It's a valid thing to do and makes things much saner, but don't assume
it is a forever solution and don't use it as an excuse to reduce other
protections you may have.

P.




Re: [CentOS] firewall questions

2020-06-21 Thread mailist

On 2020-06-21 15:33, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific
> ip blocks.

If you can control the ssh clients, switch your port number to a
non-standard port.  Pick one in /etc/services that does not seem to be
allocated.  Then change "Port" in ssh_config and sshd_config; if other
clients are being used (like Putty), it is easy to change it there.

We used to get at least 50 probes per day on port 22.  Now we get zero.

Todd Merriman
Software Toolz, Inc.


Re: [CentOS] firewall questions

2020-06-21 Thread Pete Biggs
On Sun, 2020-06-21 at 14:33 -0500, Chuck Campbell wrote:
> I'm running Centos 7.8.2003, with firewalld.
> 
> I was getting huge numbers of ssh attempts per day from a few specific 
> ip blocks.
> 
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24
> and 118.0.0.0/24, and they amounted to multiple thousands of attempts
> per day.

It seems oddly coincidental that they are all x.0.0.y addresses - the
netblocks they belong to are all much bigger than /24.  I can
understand getting attacks from a range of IPs from an ISP or the like,
but the 51.0.0.0/24 is part of a UK government network and I think they
would be all over it if a range of their network was being used for
naughty purposes.

> 
> I did some more research, and decided to use a few rich rules to block 
> these attempts. I currently have these in place:
> 
> #firewall-cmd --list-all
> public (active)
>target: default
>icmp-block-inversion: no
>interfaces: p3p1
>sources:
>services: dhcpv6-client ftp http https imap imaps pop3 pop3s 
> smtp-submission smtps ssh
>ports: 110/tcp 995/tcp 143/tcp 993/tcp 25/tcp 21/tcp
>protocols:
>masquerade: no
>forward-ports:
>source-ports:
>icmp-blocks:
>rich rules:
>  rule family="ipv4" source address="49.0.0.0/24" reject
>  rule family="ipv4" source address="51.0.0.0/24" reject
>  rule family="ipv4" source address="111.0.0.0/24" reject

Is that the correct interface referred to in the zone?  Can you see the
rich rules implemented properly in the output of 'iptables -L'? (They
should be in the chain IN_public_deny.)

> 
> But I still get hundreds of attempts reported in my fail2ban logs from 
> these ip blocks. How is it that the rich rules don't drop these packets 
> before pam/ssh/fail2ban ever get to see them?

Is fail2ban stopping the individual hosts? Do you have the recidive
rule enabled to permaban them?

Do you get legitimate SSH connections from anywhere?  Can you remove
the ssh service and add rich rules to allow certain hosts or netblocks
to connect via port 22?

Finally, do you have a network firewall that can be used to block the
connections?

> There must be some precedence in the firewalling I don't understand.

Yes, there is a precedence, but it should be working in your favour -
the chain 'IN_public' contains the public inbound chain and it should
contain:

   # iptables -L IN_public
   Chain IN_public (2 references)
   target prot opt source   destination 
   IN_public_log  all  --  anywhere anywhere
   IN_public_deny  all  --  anywhere anywhere
   IN_public_allow  all  --  anywhere anywhere
   ACCEPT icmp --  anywhere anywhere

So it should be denying packets before allowing them (and the
IN_public_allow chain is what contains your ssh service definition).

P.




Re: [CentOS] firewall questions

2020-06-21 Thread John Pierce
On Sun, Jun 21, 2020 at 12:33 PM Chuck Campbell wrote:

> I'm running Centos 7.8.2003, with firewalld.
>
> I was getting huge numbers of ssh attempts per day from a few specific
> ip blocks.
>
> The offenders are 45.0.0.0/24, 49.0.0.0/24, 51.0.0.0/24, 111.0.0.0/24
> and 118.0.0.0/24,
>


so just 45.0.0.0 through 45.0.0.255 and not other 45.x.y blocks?  ditto
your other networks?  sure you didn't mean /8 or another sized subnet on
there?

doing some whois, the actual 45.0.0.0 block has a netmask of /15, which is
45.0.0.0 through 45.1.255.255, and belongs to Interop, the IT trade show.
45.2.0.0/16 belongs to Frontier Networks in Ontario, CA
45.3.0.0/19 belongs to Start Cable in Ontario
45.3.32.0/19 belongs to someone in Las Vegas.
45.3.64.0/18 belongs to Virginia Polytechnic
45.3.128.0/17 belongs to Charter Cable (formerly Bright House Networks)
45.4.0.0/14 is LACNIC, and further diced into a multitude of Latin America
networks.
45.8.0.0/13 is RIPE, and diced into various European networks.
etc etc etc.


anyways, I didn't see your rules explicitly blocking 22/tcp, which is ssh...

-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] firewall help request

2020-06-17 Thread Tony Mountifield
In article ,
Paul Heinlein  wrote:
> On Tue, 16 Jun 2020, Leroy Tennison wrote:
> 
> > I have a gateway machine (currently Centos 7 with IPV4 only) with two
> > NICs.  One is connected to the internet, the other to an internal
> > network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> > android phones, linux boxes) using NAT.  I wish to block all outgoing
> > connects to any external IP address on port 22 (ssh) originating from
> > any internal machine except one (which has a known internal IP address).
> >
> > I've tried some commands using 'iptables' to accomplish this, but so
> > far have failed.  If anyone has a suggestion, I'd really appreciate
> > it.  In addition, a suitable version for 'firewalld' could be useful,
> > as an upgrade to Centos 8 is in plan.
> >
> > Examples of what I've tried, and then tested.  None of them stopped
> > an outgoing SSH from an internal system.
> >
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> 
> I'm not sure it's your INPUT table that needs that rule. I don't have 
> any NAT machines for experimentation, but my initial hunch is that 
> you'd want OUTPUT rules, e.g.,
> 
> iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

No, the OUTPUT chains apply to traffic originating within the machine
itself (the gateway machine).

But for traffic being forwarded by the gateway, it will use the FORWARD
chains rather than the INPUT chains. So probably something like this:

iptables -A FORWARD -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

Cheers
Tony
-- 
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
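The INPUT/OUTPUT/FORWARD distinction this thread settles on, as an added Python model that is not code from the thread: it replays Leroy's INPUT rule, Paul's OUTPUT rules, Tony's FORWARD rules and David's -I ordering of LOG before DROP against a forwarded ssh packet, to show which chain each rule actually sees. The gateway address 10.0.0.1, the interface name enp3s0, the allowed host 10.0.0.42 and the destination 203.0.113.10 are constructed; the model assumes ACCEPT default policies and ignores nat and conntrack.

```python
"""Which filter chain sees a packet on a NAT gateway (added model, not thread code).
Only INPUT, FORWARD and OUTPUT are modelled, with an assumed ACCEPT default
policy; nat, conntrack and reply traffic are ignored."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

GATEWAY_LAN_IP = "10.0.0.1"      # constructed: the gateway's address on the LAN
LAN_IF = "enp3s0"                # constructed: the internal NIC
LAN_NET = "10.0.0.0/24"          # the internal network named in the thread
GOOD_IP = "10.0.0.42"            # constructed: the one host allowed to ssh out


@dataclass
class Rule:
    chain: str
    target: str                  # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None  # -p
    dport: Optional[int] = None  # --dport
    src: Optional[str] = None    # -s (CIDR)
    in_if: Optional[str] = None  # -i

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.in_if is None or pkt["in_if"] == self.in_if))


@dataclass
class Firewall:
    chains: dict = field(default_factory=lambda: {"INPUT": [], "FORWARD": [], "OUTPUT": []})

    def add(self, flag: str, rule: Rule) -> None:
        """-A appends to the chain; -I inserts at position 1, the top."""
        if flag == "-I":
            self.chains[rule.chain].insert(0, rule)
        else:
            self.chains[rule.chain].append(rule)

    def route(self, pkt: dict) -> str:
        """The routing decision that selects the filter chain."""
        if pkt["in_if"] is None:          # generated by the gateway itself
            return "OUTPUT"
        if pkt["dst"] == GATEWAY_LAN_IP:  # addressed to the gateway
            return "INPUT"
        return "FORWARD"                  # transit traffic, NATed afterwards

    def verdict(self, pkt: dict) -> tuple:
        """Return (chain, terminating target, number of LOG rules hit)."""
        chain, logged = self.route(pkt), 0
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":      # non-terminating: keep walking
                logged += 1
                continue
            return chain, rule.target, logged
        return chain, "ACCEPT", logged    # assumed default policy


def pkt(src: str, dst: str, in_if: Optional[str], dport: int = 22) -> dict:
    return {"src": src, "dst": dst, "in_if": in_if, "dport": dport, "proto": "tcp"}

# Constructed packets: ssh from a LAN host to the Internet (203.0.113.0/24 is
# TEST-NET-3), the same from the allowed host, and ssh to the gateway itself.
LAN_TO_INTERNET = pkt("10.0.0.50", "203.0.113.10", LAN_IF)
GOOD_TO_INTERNET = pkt(GOOD_IP, "203.0.113.10", LAN_IF)
LAN_TO_GATEWAY = pkt("10.0.0.50", GATEWAY_LAN_IP, LAN_IF)

def input_rule_attempt() -> dict:
    """The INPUT rule: transit ssh never reaches it, but ssh to the gateway does."""
    fw = Firewall()
    fw.add("-I", Rule("INPUT", "DROP", "tcp", 22, LAN_NET))
    return {"transit": fw.verdict(LAN_TO_INTERNET), "to_gateway": fw.verdict(LAN_TO_GATEWAY)}

def output_rule_attempt() -> tuple:
    """OUTPUT rules only see packets the gateway itself originates."""
    fw = Firewall()
    fw.add("-A", Rule("OUTPUT", "ACCEPT", "tcp", 22, GOOD_IP + "/32"))
    fw.add("-A", Rule("OUTPUT", "REJECT", "tcp", 22, LAN_NET))
    return fw.verdict(LAN_TO_INTERNET)

def forward_rules() -> dict:
    """FORWARD rules appended in order: the ACCEPT exception must precede the REJECT."""
    fw = Firewall()
    fw.add("-A", Rule("FORWARD", "ACCEPT", "tcp", 22, GOOD_IP + "/32"))
    fw.add("-A", Rule("FORWARD", "REJECT", "tcp", 22, LAN_NET))
    return {"lan_host": fw.verdict(LAN_TO_INTERNET), "good_host": fw.verdict(GOOD_TO_INTERNET)}

def log_then_drop(drop_inserted_first: bool) -> tuple:
    """With -I, insert the DROP first so the LOG rule ends up above it."""
    fw = Firewall()
    drop = Rule("FORWARD", "DROP", "tcp", 22, in_if=LAN_IF)
    log = Rule("FORWARD", "LOG", "tcp", 22, in_if=LAN_IF)
    for rule in ((drop, log) if drop_inserted_first else (log, drop)):
        fw.add("-I", rule)
    return fw.verdict(LAN_TO_INTERNET)
```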


Re: [CentOS] firewall help request (solved)

2020-06-17 Thread Simon Matter via CentOS
> At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>>The rule is in the wrong chain. The INPUT chain affects packets that
>>terminate at the same machine. You want to block packets that will
>>be passed on to the Internet, so your rule needs to be in the
>>FORWARD chain. (The OUTPUT chain affects packets that originate at
>>your machine.)
>>
>>Here's a nice collection of diagrams showing how packets flow
>>through the system:
>>
>>
>
>
> Ah ... Caught it.  So here is the IPTABLES method to block output on
> port 22 from internal machines on a gateway:
>
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP
>
> So, for example, if your internal interface is, for example,
> /dev/enp2s0, you'd write
>
>    iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP
>
> If you want to log such attempts, precede it with a log
> request.  Since I'm using the -I command (insert at top), it means
> the log request is entered second:
>
>    iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"
>
>
> If someone can suggest a firewall-cmd equivalent, it would be nice.

For that kind of firewalling, I suggest using Shorewall instead:

https://shorewall.org/

IMHO it's the better tool for where you need more than a "personal" firewall.

Regards,
Simon



Re: [CentOS] firewall help request (solved)

2020-06-16 Thread Kenneth Porter

--On Tuesday, June 16, 2020 5:20 PM -0700 david  wrote:

> If someone can suggest a firewall-cmd equivalent, it would be nice.


Alas, firewalld is targeted at end nodes and doesn't really provide much 
facility for routers. Its big advantage there is in setting up a reasonable 
default firewall for the gateway itself. The only real gateway support is 
to enable masquerade on the external interface.


I use firewalld direct rules for controlling the forwarded packets. They 
look like iptables rules and get injected into firewalld's own subchains. 
Use "iptables -L -v -n" to dump the whole mess into a file for examination.


In /etc/firewalld/direct.xml, you could add an XML passthrough node like 
this:


   <passthrough ipv="ipv4">-I FWDI_internal_deny 1 -p tcp --dport 22 -j DROP</passthrough>


This assumes your internal zone is named internal. Change the chain name to 
match your zone name. You don't need to specify the interface name here 
because the FWDI_internal chain is only invoked if the inbound interface 
matches an interface in that zone.


Also note that the -I option takes a chain name and a number indicating 
where to insert a rule. I use 1 to put the rule at the start of any rules 
that firewalld has already inserted. So if you need a LOG rule, you'll want 
to put the nodes in reverse order in the XML file so they get inserted 
backwards, last rule first, i.e. insert the DROP rule, then the LOG rule.




Re: [CentOS] firewall help request (solved)

2020-06-16 Thread david

At 03:47 PM 6/16/2020, Kenneth Porter wrote:
> The rule is in the wrong chain. The INPUT chain affects packets that
> terminate at the same machine. You want to block packets that will
> be passed on to the Internet, so your rule needs to be in the
> FORWARD chain. (The OUTPUT chain affects packets that originate at
> your machine.)
>
> Here's a nice collection of diagrams showing how packets flow
> through the system:
>


Ah ... Caught it.  So here is the IPTABLES method to block output on 
port 22 from internal machines on a gateway:

  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j DROP

So, for example, if your internal interface is, for example, 
/dev/enp2s0, you'd write

  iptables -I FORWARD -p tcp --dport 22 -i enp2s0 -j DROP

If you want to log such attempts, precede it with a log 
request.  Since I'm using the -I command (insert at top), it means 
the log request is entered second:

  iptables -I FORWARD -p tcp --dport 22 -i {name-of-internal-interface} -j LOG --log-prefix "LOOK HERE"



If someone can suggest a firewall-cmd equivalent, it would be nice.

David in SF



Re: [CentOS] firewall help request

2020-06-16 Thread Kenneth Porter
The rule is in the wrong chain. The INPUT chain affects packets that 
terminate at the same machine. You want to block packets that will be 
passed on to the Internet, so your rule needs to be in the FORWARD chain. 
(The OUTPUT chain affects packets that originate at your machine.)


Here's a nice collection of diagrams showing how packets flow through the 
system:






Re: [CentOS] firewall help request

2020-06-16 Thread Paul Heinlein

On Tue, 16 Jun 2020, Leroy Tennison wrote:

> I have a gateway machine (currently Centos 7 with IPV4 only) with two
> NICs.  One is connected to the internet, the other to an internal
> network (10.0.0.0/24) of mixed hardware (windows7, android tablets,
> android phones, linux boxes) using NAT.  I wish to block all outgoing
> connects to any external IP address on port 22 (ssh) originating from
> any internal machine except one (which has a known internal IP address).
>
> I've tried some commands using 'iptables' to accomplish this, but so
> far have failed.  If anyone has a suggestion, I'd really appreciate
> it.  In addition, a suitable version for 'firewalld' could be useful,
> as an upgrade to Centos 8 is in plan.
>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>   iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP


I'm not sure it's your INPUT table that needs that rule. I don't have 
any NAT machines for experimentation, but my initial hunch is that 
you'd want OUTPUT rules, e.g.,


iptables -A OUTPUT -p tcp --dport 22 -s ${GOODIP}/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -s 10.0.0.0/24  -j REJECT

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W


Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 1:26 PM david  wrote:

>
> ...  I'm assuming
> that your advice about LAN represents the internal network because on
> most routers, it is, and WAN is the internet connection.
>
>
>
yeah, LAN == Local Area Network,  WAN == Wide Area Network, generally
meaning the internet.


-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] firewall help request

2020-06-16 Thread david

At 12:30 PM 6/16/2020, John Pierce wrote:
> On Tue, Jun 16, 2020 at 12:26 PM david  wrote:
>
> > Examples of what I've tried, and then tested.  None of them stopped
> > an outgoing SSH from an internal system.
> >
> >    iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
> >    iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
> which interface is that bound to?   I don't see a -i eth0 or whatever, but
> you want that rule on your LAN interface.
>
> note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
> the gateway machine itself.

At your suggestion, the command became

iptables -I INPUT -p tcp --dport 22 -i enp3s0 -s 10.0.0.0/24 -j DROP

where enp3s0 is the internal NIC with address 10.0.0.1.  I'm assuming 
that your advice about LAN represents the internal network because on 
most routers, it is, and WAN is the internet connection.


And ssh worked :-(
unfortunately

I know that many ISPs block outgoing port 25, so I know this is do-able.

David 




Re: [CentOS] firewall help request

2020-06-16 Thread John Pierce
On Tue, Jun 16, 2020 at 12:26 PM david  wrote:

>
> Examples of what I've tried, and then tested.  None of them stopped
> an outgoing SSH from an internal system.
>
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j DROP
>
>
>
which interface is that bound to?   I don't see a -i eth0 or whatever, but
you want that rule on your LAN interface.

note these rules will also prevent any host on 10.0.0.0/24 from ssh'ing to
the gateway machine itself.


-- 
-john r pierce
  recycling used bits in santa cruz


Re: [CentOS] Firewall trouble with Kickstart

2018-09-24 Thread Patrick Begou

Damned! I do not know how many time I check this line without finding my error!
Thanks Mark :-)

Mark Milhollan wrote:
> On Fri, 21 Sep 2018, Patrick Begou wrote:
>
> > firewall --enabled --ssh --service=nfs --port=111:tcp,111:upd,875:tcp,875:upd
>
> udp not upd.
>
>
> /mark




--
===
|  Equipe M.O.S.T. |  |
|  Patrick BEGOU   | mailto:patrick.be...@grenoble-inp.fr |
|  LEGI|  |
|  BP 53 X | Tel 04 76 82 51 35   |
|  38041 GRENOBLE CEDEX| Fax 04 76 82 52 71   |
===



Re: [CentOS] Firewall trouble with Kickstart

2018-09-21 Thread Mark Milhollan
On Fri, 21 Sep 2018, Patrick Begou wrote:

> firewall --enabled --ssh --service=nfs --port=111:tcp,111:upd,875:tcp,875:upd

udp not upd.


/mark


Re: [CentOS] firewall-config not functional

2016-06-08 Thread Jonathan Billings
On Jun 8, 2016, at 6:48 AM, Steve Clark  wrote:
> I must be missing something here, so the system comes up, ip(s) are assigned 
> to the interface, routes, etc then sometime later the switch comes up and you
> ssh in. Never been a problem for me.

Even with static configurations, I’ve had this problem.  At least in RHEL6, if 
the switch doesn’t indicate the interface is up during boot, the ‘network’ 
service detects the down interface and never starts the network service.  full 
stop.  I’ve also seen this happen when the switch has a broadcast storm or some 
other networking problem and doesn’t become active for more than a minute after 
boot.  Often I’ll have to add a line to the ifcfg-* script to have it just 
sleep for 60 seconds before even trying to activate the interface, when I know 
the system is on a switch that takes a long time to perform its splay tree 
calculation.  (Many of my systems are on networks I have no control over, so I 
have to just work around problems like this.)

I’ve always used NM in RHEL7 so I’m not aware if systemd is smart about dynamic 
interface activation of the ‘network’ service.  NM in RHEL7 is so much better 
than in RHEL6 so I haven’t really needed anything else.

--
Jonathan Billings 




Re: [CentOS] firewall-config not functional

2016-06-08 Thread Steve Clark

On 06/07/2016 04:46 PM, Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
>
> > I can see no use case for NetworkManager on our systems.  All network
> > connections are static.
>
> There are a couple reasons I still use NetworkManager on servers, but one big
> one is that the 'network' service runs once, on boot.  If there is no network
> connection, your server's network connection will never come up until you log
> in at a console to fix it or reboot. With the speed of computers these days,
> our servers often boot up faster than the networking equipment after a power
> cut.

I must be missing something here, so the system comes up, ip(s) are assigned to 
the interface, routes, etc then sometime later the switch comes up and you
ssh in. Never been a problem for me.






--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] firewall-config not functional

2016-06-07 Thread Emmett Culley

On 06/07/2016 01:46 PM, Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
>>
> >> I can see no use case for NetworkManager on our systems.  All network 
> >> connections are static.
> 
> There are a couple reasons I still use NetworkManager on servers, but one big 
> one is that the 'network' service runs once, on boot.  If there is no network 
> connection, your server's network connection will never come up until you log 
> in at a console to fix it or reboot. With the speed of computers these days, 
> our servers often boot up faster than the networking equipment after a power 
> cut. 
> 
> --
> Jonathan Billings

As far as I know the network service, in most cases started by systemd, will 
not fail simply because the network an interface is connected to is not up.  
Unless, of course, the interface is set up to use DHCP.


Emmett


Re: [CentOS] firewall-config not functional

2016-06-07 Thread m . roth
Frank Cox wrote:
> On Tue, 7 Jun 2016 17:20:23 -0400
> m.r...@5-cent.us wrote:
>
>> Um, huh? ssh server;service network restart is certainly faster than a
>> reboot.
>
> By what magical incantation will you ssh into a server with no current
> network connection?
>
Plugging in my monitor-on-a-stick. It's still faster than rebooting.

  mark



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Frank Cox
On Tue, 7 Jun 2016 17:20:23 -0400
m.r...@5-cent.us wrote:

> Um, huh? ssh server;service network restart is certainly faster than a
> reboot.

By what magical incantation will you ssh into a server with no current network 
connection?

-- 
MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com


Re: [CentOS] firewall-config not functional

2016-06-07 Thread m . roth
Jonathan Billings wrote:
> On Jun 7, 2016, at 13:03, Emmett Culley 
> wrote:
>>
>> I can see no use case for NetworkManager on our systems.  All network
>> connections are static.
>
> There are a couple reasons I still use NetworkManager on servers, but one
> big one is that the 'network' service runs once, on boot.  If there is no
> network connection, your server's network connection will never come up
> until you log in at a console to fix it or reboot. With the speed of
> computers these days, our servers often boot up faster than the networking
> equipment after a power cut.
>
Um, huh? ssh server;service network restart is certainly faster than a
reboot.

 mark



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Jonathan Billings
On Jun 7, 2016, at 13:03, Emmett Culley  wrote:
> 
> I can see no use case for NetworkManager on our systems.  All network 
> connections are static.

There are a couple reasons I still use NetworkManager on servers, but one big 
one is that the 'network' service runs once, on boot.  If there is no network 
connection, your server's network connection will never come up until you log 
in at a console to fix it or reboot. With the speed of computers these days, 
our servers often boot up faster than the networking equipment after a power 
cut. 

--
Jonathan Billings


Re: [CentOS] firewall-config not functional

2016-06-07 Thread cpolish
On 2016-06-07 10:03, Emmett Culley wrote:
> On 06/07/2016 05:05 AM, James Hogarth wrote:
> > On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
> >>
> >> I have a number of machines (hardware and VMs) running CentOS 7.  In all
> >> cases firewall-config is not functional.

Just a thought - CentOS7 _minimal_ install doesn't install 
a firewall. There were attempts to get Red Hat to reconsider
this, but they fixed it with documentation. 

If this is your problem, then "yum install firewall-config firewalld" 
might fix it.

HTH, HAND,
-- 
Charles Polisherr



Re: [CentOS] firewall-config not functional

2016-06-07 Thread Emmett Culley
On 06/07/2016 05:05 AM, James Hogarth wrote:
> On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
>>
>> I have a number of machines (hardware and VMs) running CentOS 7.  In all
>> cases firewall-config is not functional.
>>
>> First, the service check boxes are not functional.  When you click on
>> one, it doesn't change to "checked", and nothing changes on the firewall.
>> However you do see a "Changes applied".
>>
>> Sometimes, if you go to permanent mode and attempt to edit a zone, the
>> whole desktop locks up as soon as you click on the default target dropdown.
>>
>> When I run firewall-config from the command line I see the following:
>>
>> --
>>
>> org.freedesktop.DBus.Error.ServiceUnknown: The name
>> org.freedesktop.NetworkManager was not provided by any .service files
>>
>> (firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos:
>> assertion 'tree_view != NULL' failed
>>
>> --
>> with the second line repeating many times and often while attempting to
>> interact with the GUI.
>>
>> We don't use NetworkManager except on laptops, and so do not install it.
>> Though we do install NetworkManager-glib, if only because some packages
>> require it.
>>
>> After seeing a similar bug on the RHEL I also installed
>> NetworkManager-libnm, but that did not make a difference.  That RHEL bug
>> also mentioned this problem only occurs on KDE, and not Gnome.  And we only
>> install KDE when a GUI is required, or desired.
>>
> 
> I'd suggest you install and test with NetworkManager
> 
> Do note that the EL7 NM is a far cry from the one that shipped with EL6 and
> unless you specifically need a facility not exposed by NM it is strongly
> recommended you use it.
> 
> Take a look at my article on nmcli - it's rather lovely to use now:
> 
> https://www.hogarthuk.com/?q=node/8
> 
> As for the firewall tool... don't use it ... it's horrible
> 
> Either use firewall-cmd to configure at the CLI or switch to iptables and
> configure that as you did EL6

I actually like the firewall config tool as it provides easy, out of the box, 
management of servers that don't require complicated iptables rules.  At least 
it was easy when it worked.  For more complicated servers, like gateways, we 
use shorewall.

I can see no use case for NetworkManager on our systems.  All network 
connections are static.

The exception to that is a couple of laptops, and I agree that NetworkManager 
has gotten very handy in that single use case.

Making any application dependent on NetworkManager is just plain silly.  Even 
installation of the NetworkManager libs should not be required.

I suspect that this should probably be brought up with the KDE group as it seems 
to be a problem with how some GTK apps are working within the KDE environment.

Emmett


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewall-config not functional

2016-06-07 Thread James Hogarth
On 7 Jun 2016 12:44, "Emmett Culley"  wrote:
>
> I have a number of machines (hardware and VMs) running CentOS 7.  In all
cases firewall-config is not functional.
>
> First, the service check boxes are not functional.  When you click on
one, it doesn't change to "checked", and nothing changes on the firewall.
However you do see a "Changes applied"
>
> Sometimes, if you go to permanent mode and attempt to edit a zone, the
whole desktop locks up as soon as you click on the default target dropdown.
>
> When I run firewall-config from the command line I see the following:
>
> --
>
> org.freedesktop.DBus.Error.ServiceUnknown: The name
org.freedesktop.NetworkManager was not provided by any .service files
>
> (firewall-config:5079): Gtk-CRITICAL **: gtk_tree_view_get_path_at_pos:
assertion 'tree_view != NULL' failed
>
> --
> with the second line repeating many times and often while attempting to
interact with the GUI.
>
> We don't use NetworkManager except on laptops, and so do not install it.
Though we do install NetworkManager-glib, if only because some packages
require it.
>
> After seeing a similar bug on the RHEL I also installed
NetworkManager-libnm, but that did not make a difference.  That RHEL bug
also mentioned this problem only occurs on KDE, and not Gnome.  And we only
install KDE when a GUI is required, or desired.
>

I'd suggest you install and test with NetworkManager

Do note that the EL7 NM is a far cry from the one that shipped with EL6 and
unless you specifically need a facility not exposed by NM it is strongly
recommended you use it.

Take a look at my article on nmcli - it's rather lovely to use now:

https://www.hogarthuk.com/?q=node/8

As for the firewall tool... don't use it ... it's horrible

Either use firewall-cmd to configure at the CLI or switch to iptables and
configure that as you did EL6


Re: [CentOS] Firewall question

2014-06-30 Thread Deno Sayangda Dangpaliw
Hi,

There's something weird happening to my CentOS VMs, cannot switch back to GUI. 
Black screen with a single underscore character at top left of the screen.

Ok so I have ESXI 5.1 host, with 3 VM all running CentOS. I rebooted the esxi 
host yesterday for a power maintenance. All went well... until I switched 
console on the vms.

I was able to login using the GUI, then I pressed Alt F5, then I was sent to 
the text console... I usually do this to save energy. I did the same for all 
the Centos vm... now I wanted to switch back to GUI but I can't. I even pressed 
all the keys from F1 to F12 but were not able to get back to the GUI for all 
the VMs.

Can you please advise where I'm missing?

Regards,
Deno



Re: [CentOS] Firewall question

2014-06-26 Thread Steve Clark
On 06/26/2014 09:18 AM, Jerry Geis wrote:
 I have a firewall rule to drop packets from certain addresses: (email spam)
 my /etc/sysconfig/iptables begins as:

 # Generated by iptables-save v1.4.7 on Thu Jun 26 09:11:09 2014
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1:148]
 -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
 -A INPUT -s 223.255.229.0/24 -j DROP
 -A INPUT -s 218.96.0.0/24 -j DROP
 -A INPUT -s 216.227.128.0/24 -j DROP
 -A INPUT -s 216.156.135.0/24 -j DROP
 -A INPUT -s 213.251.189.0/24 -j DROP
 -A INPUT -s 213.239.219.0/24 -j DROP
 -A INPUT -s 213.205.32.0/24 -j DROP
 -A INPUT -s 213.136.70.0/24 -j DROP
 -A INPUT -s 212.178.110.0/24 -j DROP
 -A INPUT -s 212.83.141.0/24 -j DROP
 -A INPUT -s 212.83.136.0/24 -j DROP
 -A INPUT -s 212.83.134.0/24 -j DROP
 -A INPUT -s 210.107.197.0/24 -j DROP
 -A INPUT -s 209.239.123.0/24 -j DROP
 -A INPUT -s 209.133.56.0/24 -j DROP
 -A INPUT -s 209.126.73.0/24 -j DROP
 -A INPUT -s 209.126.72.0/24 -j DROP
 -A INPUT -s 209.126.71.0/24 -j DROP
 -A INPUT -s 209.126.70.0/24 -j DROP
 -A INPUT -s 198.101.11.0/24 -j DROP

 then /var/log/maillog gives this entry.

 from=grif...@dree.eu, size=9037, class=0, nrcpts=1, msgid=
 3542.159.259897.271...@dree.eu , proto=ESMTP, daemon=MTA,
 relay=[198.101.11.141]


 How is that coming through???

 Why is the firewall not dropping the packets?
 I have restarted iptables so the rules are active .

 And just to make sure:
 iptables -L -n | grep 198.101
 DROP   all  --  198.101.11.0/24  0.0.0.0/0

 Thoughts?

 Thanks.

 Jerry

If you add a -v to your

iptables -L -n | grep 198.101

are you seeing the rule get hit?


-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall question

2014-06-26 Thread Jerry Geis
yes I am seeing it hit.

 iptables --list -n -v | grep 198.101
 8   416 DROP   all  --  *  *   198.101.11.0/24  0.0.0.0/0

Jerry


Re: [CentOS] Firewall question

2014-06-26 Thread Private Sender
Try

watch iptables -nvL INPUT

Do you see anything?

Also try moving your ACCEPT statements below all of your drops. Iptables
operates in sequential order, from the top down.



Re: [CentOS] Firewall question

2014-06-26 Thread Jerry Geis
Actually I think I was wrong... Somehow the mail is landing on my box (from
an address I am not blocking) and this particular email is requesting going
OUT of my box. Seems the firewall is operating fine. I just looked at it
incorrectly.

Jerry
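Two mechanics decide the outcome discussed in this thread: a chain is walked top-down and the first matching rule wins (the chain policy only applies when nothing matched), and INPUT only sees packets arriving at the host, while a connection the host itself opens leaves through OUTPUT. The simulator below is an added example, not code from the thread; it parses an iptables-save style excerpt constructed from the ruleset quoted above (only the -s, -p, --dport and --pkt-type matches it uses are understood, anything else raises rather than silently matching everything) and walks it for constructed packets. The address 203.0.113.10 stands in for the local mail host, and the SMTP ACCEPT in the second ruleset is hypothetical, placed above the DROPs to show the ordering mistake one reply warns about.

```python
# Added example: first-match walk of an iptables filter chain.
import ipaddress
import shlex

# Constructed excerpt of the /etc/sysconfig/iptables quoted in the thread.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:148]
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -s 223.255.229.0/24 -j DROP
-A INPUT -s 198.101.11.0/24 -j DROP
COMMIT
"""

# Constructed variant: a hypothetical SMTP ACCEPT placed *above* the DROPs,
# the ordering mistake one reply warns about.
MISORDERED = RULESET.replace(
    "-A INPUT -m pkttype",
    "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT\n-A INPUT -m pkttype")


def parse_ruleset(text):
    """Return (chain policies, ordered rules) from iptables-save style text.

    Only -s, -p, --dport and --pkt-type are understood; any other option
    raises, so a rule is never silently treated as matching everything."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "src": None, "proto": None,
                "dport": None, "pkttype": None, "target": None}
        for i in range(2, len(toks), 2):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--pkt-type":
                rule["pkttype"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":                    # "-m tcp"/"-m pkttype" only name a match module
                raise ValueError("unsupported option %r in: %s" % (opt, line))
        rules.append(rule)
    return policies, rules


def _matches(rule, pkt):
    # every condition the rule carries must hold; absent conditions match
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == pkt.get("proto"))
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["pkttype"] is None or rule["pkttype"] == pkt.get("pkttype", "unicast")))


def verdict(text, chain, pkt):
    """Walk `chain` top-down: (target, rule index) or (chain policy, None)."""
    policies, rules = parse_ruleset(text)
    for idx, rule in enumerate(r for r in rules if r["chain"] == chain):
        if _matches(rule, pkt):
            return rule["target"], idx
    return policies[chain], None


# Constructed packets; 203.0.113.10 stands in for the local mail host.
INBOUND = {"src": "198.101.11.141", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}
OUTBOUND = {"src": "203.0.113.10", "dst": "198.101.11.141", "proto": "tcp", "dport": 25}
REPLY = {"src": "198.101.11.141", "dst": "203.0.113.10", "proto": "tcp", "dport": 43210}


def inbound_smtp():         # connection *from* the blocked range: third INPUT rule drops it
    return verdict(RULESET, "INPUT", INBOUND)


def outbound_smtp():        # host connects *out*: OUTPUT has no rules, so its policy decides
    return verdict(RULESET, "OUTPUT", OUTBOUND)


def reply_to_outbound():    # caveat: replies to that outbound connection still traverse INPUT
    return verdict(RULESET, "INPUT", REPLY)


def inbound_misordered():   # ACCEPT placed above the DROP: first match wins
    return verdict(MISORDERED, "INPUT", INBOUND)


if __name__ == "__main__":
    for fn in (inbound_smtp, outbound_smtp, reply_to_outbound, inbound_misordered):
        print("%-20s %s" % (fn.__name__, fn()))
```

The `reply_to_outbound` case is the caveat worth remembering with plain source-range DROPs: the packets coming back for a connection the host opened arrive through INPUT, so unless a RELATED,ESTABLISHED ACCEPT sits above the DROP, the host can send to the range but never receive the answers.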


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-16 Thread Steve Clark
On 10/15/2013 06:05 PM, SilverTip257 wrote:
 On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load
 average is .07.

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator and
That is correct - we do use AES, which is an easier calculation than 3DES
 the CPU is handling all the crypto.  Correct?

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
 integrated crypto accelerator [2].  If it wasn't for your web proxy
 requirements, etc an ALIX might fit the bill (with the right embedded OS -
 think Voyage Linux). You're better off with the hardware you're researching
 right now though.

 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3


 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
 I've not worked with Atom processors but I'll look in to it.

 Thanks for the info.


 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf
 Of SilverTip257
 Sent: Tuesday, October 15, 2013 12:36 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Firewall/Gateway Hardware Question

 On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
 wrote:
 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure if this will work.

 You'll likely need to determine how many VPN tunnels you're going to run
 simultaneously and then find benchmarks on the web.


 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?

 Seems like overkill to me.

 I'd suggest more along the lines of an Atom-CPU based system.  One of
 those
 mini-ITX setups that use 20W or thereabouts.

 Just my two cents.


 Any thoughts?

 Thanks,
 Terre





 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com





-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-16 Thread Mihamina RKTMB
On 10/15/2013 07:29 PM, Terre Porter wrote:
 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Except for HTTP cache, my opinion is an OpenWRT box will do it.
If you need an HDD, I would go for a Lanner with HDD: http://goo.gl/52mXqx

-- 
+261 34 81 738 69



Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread SilverTip257
On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:

 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure
 if this will work.


You'll likely need to determine how many VPN tunnels you're going to run
simultaneously and then find benchmarks on the web.



 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Seems like overkill to me.

I'd suggest more along the lines of an Atom-CPU based system.  One of those
mini-ITX setups that use 20W or thereabouts.

Just my two cents.



 Any thoughts?

 Thanks,
 Terre






-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
I've not worked with Atom processors but I'll look in to it.

Thanks for the info.


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of SilverTip257
Sent: Tuesday, October 15, 2013 12:36 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:

 I've given up on getting the other machine to work so I'm looking at 
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with 
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am 
 unsure if this will work.


You'll likely need to determine how many VPN tunnels you're going to run
simultaneously and then find benchmarks on the web.



 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?


Seems like overkill to me.

I'd suggest more along the lines of an Atom-CPU based system.  One of those
mini-ITX setups that use 20W or thereabouts.

Just my two cents.



 Any thoughts?

 Thanks,
 Terre






-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Steve Clark
Hi,

we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load
average is .07.

HTH,
Steve

On 10/15/2013 02:13 PM, Terre Porter wrote:
 I've not worked with Atom processors but I'll look in to it.

 Thanks for the info.


 -Original Message-
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
 Of SilverTip257
 Sent: Tuesday, October 15, 2013 12:36 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Firewall/Gateway Hardware Question

 On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter tpor...@webpage-builders.com
 wrote:
 I've given up on getting the other machine to work so I'm looking at
 building a new one.

 The machine will be a firewall/gateway running NAT, Web Proxy with
 Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).

 I read so much about VPN encryption and the processor needs, now I am
 unsure if this will work.

 You'll likely need to determine how many VPN tunnels you're going to run
 simultaneously and then find benchmarks on the web.


 I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W Eight-Core
 Desktop Processor for under $120 (it's on sale), would it work ?

 Seems like overkill to me.

 I'd suggest more along the lines of an Atom-CPU based system.  One of those
 mini-ITX setups that use 20W or thereabouts.

 Just my two cents.


 Any thoughts?

 Thanks,
 Terre







-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Fred Smith
On Tue, Oct 15, 2013 at 02:31:03PM -0400, Steve Clark wrote:
 Hi,
 
 we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load
 average is .07.
 
 HTH,
 Steve

Some years back I used to run Smoothwall/GPL as a home firewall/router
on things such as 90 MHz pentiums (with 64 or even 128 MB RAM), or at
one point a 500 MHz AMD K6, and it had no load problems at all handling
the 3 or 4 of us here who share the household LAN. Therefore I'd think
that something such as an Atom would be entirely up to the task. There
are a number of (relatively) inexpensive Atom boards in a Micro-ATX or
Mini-ATX format that you could use, for example.

Fred

-- 
---
 .Fred Smith   /  
( /__  ,__.   __   __ /  __   : / 
 //  /   /__) /  /  /__) .+'   Home: fre...@fcshome.stoneham.ma.us 
//  (__ (___ (__(_ (___ / :__ 781-438-5471 
 Jude 1:24,25 -


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread SilverTip257
On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load
 average is .07.


@Steve:
Based on your statement, I figure you do not have a crypto accelerator and
the CPU is handling all the crypto.  Correct?

@Terre:
I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
of performance, but they're low power consuming x86 processors.  And
there's the VIA Padlock [0] security/encryption engine.

AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
integrated crypto accelerator [2].  If it wasn't for your web proxy
requirements, etc an ALIX might fit the bill (with the right embedded OS -
think Voyage Linux). You're better off with the hardware you're researching
right now though.

[0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
[1] http://www.pcengines.ch/alix.htm
[2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3



 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
  I've not worked with Atom processors but I'll look in to it.
 
  Thanks for the info.
 
 
  -Original Message-
  From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf
  Of SilverTip257
  Sent: Tuesday, October 15, 2013 12:36 PM
  To: CentOS mailing list
  Subject: Re: [CentOS] Firewall/Gateway Hardware Question
 
  On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
  wrote:
  I've given up on getting the other machine to work so I'm looking at
  building a new one.
 
  The machine will be a firewall/gateway running NAT, Web Proxy with
  Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).
 
  I read so much about VPN encryption and the processor needs, now I am
  unsure if this will work.
 
  You'll likely need to determine how many VPN tunnels you're going to run
  simultaneously and then find benchmarks on the web.
 
 
  I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
  Desktop Processor for under $120 (it's on sale), would it work ?
 
  Seems like overkill to me.
 
  I'd suggest more along the lines of an Atom-CPU based system.  One of
 those
  mini-ITX setups that use 20W or thereabouts.
 
  Just my two cents.
 
 
  Any thoughts?
 
  Thanks,
  Terre
 
 
 
 
 


 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com




-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread S.Tindall
On Tue, 2013-10-15 at 18:05 -0400, SilverTip257 wrote:

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator and
 the CPU is handling all the crypto.  Correct?

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an
 integrated crypto accelerator [2].  If it wasn't for your web proxy
 requirements, etc an ALIX might fit the bill (with the right embedded OS -
 think Voyage Linux). You're better off with the hardware you're researching
 right now though.
 
 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3

You should look at the single board computers sold by Soekris
Engineering.

 http://soekris.com

Specifically the net6501 series:

 http://soekris.com/products/net6501.html

 Specifications:

  •  600 Mhz to 1.6 Ghz Intel Atom E6xx single chip processor
 with EG20T companion chip 
  •  512 to 2048 Mbyte DDR2-SDRAM, soldered on board 
  •  2x SATA 3 Gbit interfaces with +5V and +12V power header
  •  4x Intel 82574L Gigabit Ethernet ports, Auto-MDIX RJ-45,
 protected to 700W/40A Surge 
  •  2x Serial ports, DB9 and 10 pins internal header
  •  USB 2.0 interface, 2x internal, 1x external port, bootable 
  •  1 Full Mini-PCI Express shared with mSATA socket.
  •  1 USB only Mini-PCI Express shared with mSATA socket
  •  2x PCI Express Slots, right angle 
  •  16 bit general purpose I/O, 24 pins header, connected to FPGA

...in either a tiny or a rackable box.

The number of LAN slots can be increased above 4 by using expansion
cards.

Steve





Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
Interesting looking hardware... thanks for the info

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
S.Tindall
Sent: Tuesday, October 15, 2013 8:29 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, 2013-10-15 at 18:05 -0400, SilverTip257 wrote:

 @Steve:
 Based on your statement, I figure you do not have a crypto accelerator 
 and the CPU is handling all the crypto.  Correct?

 @Terre:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in 
 terms of performance, but they're low power consuming x86 processors.  
 And there's the VIA Padlock [0] security/encryption engine.

 AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an 
 integrated crypto accelerator [2].  If it wasn't for your web proxy 
 requirements, etc an ALIX might fit the bill (with the right embedded 
 OS - think Voyage Linux). You're better off with the hardware you're 
 researching right now though.
 
 [0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
 [1] http://www.pcengines.ch/alix.htm
 [2] 
 http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3

You should look at the single board computers sold by Soekris Engineering.

 http://soekris.com

Specifically the net6501 series:

 http://soekris.com/products/net6501.html

 Specifications:

  •  600 Mhz to 1.6 Ghz Intel Atom E6xx single chip processor
 with EG20T companion chip
  •  512 to 2048 Mbyte DDR2-SDRAM, soldered on board
  •  2x SATA 3 Gbit interfaces with +5V and +12V power header
  •  4x Intel 82574L Gigabit Ethernet ports, Auto-MDIX RJ-45,
 protected to 700W/40A Surge
  •  2x Serial ports, DB9 and 10 pins internal header
  •  USB 2.0 interface, 2x internal, 1x external port, bootable
  •  1 Full Mini-PCI Express shared with mSATA socket.
  •  1 USB only Mini-PCI Express shared with mSATA socket
  •  2x PCI Express Slots, right angle
  •  16 bit general purpose I/O, 24 pins header, connected to FPGA

...in either a tiny or a rackable box.

The number of LAN slots can be increased above 4 by using expansion cards.

Steve





Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread Terre Porter
I must have been in a hardware vacuum, I haven't a clue about any of that hardware
you mentioned.

Added it to the research list - haha!

Thanks

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of SilverTip257
Sent: Tuesday, October 15, 2013 6:05 PM
To: CentOS mailing list
Subject: Re: [CentOS] Firewall/Gateway Hardware Question

On Tue, Oct 15, 2013 at 2:31 PM, Steve Clark scl...@netwolves.com wrote:

 Hi,

 we are running 51 ipsec vpns on an Atom D510 at 1.66ghz and the load 
 average is .07.


@Steve:
Based on your statement, I figure you do not have a crypto accelerator and
the CPU is handling all the crypto.  Correct?

@Terre:
I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
of performance, but they're low power consuming x86 processors.  And there's
the VIA Padlock [0] security/encryption engine.

AMD Geode CPUs like those in PC Engines ALIX [1] hardware have an integrated
crypto accelerator [2].  If it wasn't for your web proxy requirements, etc
an ALIX might fit the bill (with the right embedded OS - think Voyage
Linux). You're better off with the hardware you're researching right now
though.

[0] http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
[1] http://www.pcengines.ch/alix.htm
[2] http://www.twam.info/hardware/alix/using-geodes-aes-engine-on-alix3d3



 HTH,
 Steve

 On 10/15/2013 02:13 PM, Terre Porter wrote:
  I've not worked with Atom processors but I'll look in to it.
 
  Thanks for the info.
 
 
  -Original Message-
  From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] 
  On
 Behalf
  Of SilverTip257
  Sent: Tuesday, October 15, 2013 12:36 PM
  To: CentOS mailing list
  Subject: Re: [CentOS] Firewall/Gateway Hardware Question
 
  On Tue, Oct 15, 2013 at 12:29 PM, Terre Porter 
 tpor...@webpage-builders.com
  wrote:
  I've given up on getting the other machine to work so I'm looking 
  at building a new one.
 
  The machine will be a firewall/gateway running NAT, Web Proxy with 
  Dansguardian, DHCP, DNS, NTP and VPN (~6 clients).
 
  I read so much about VPN encryption and the processor needs, now I 
  am unsure if this will work.
 
  You'll likely need to determine how many VPN tunnels you're going to 
  run simultaneously and then find benchmarks on the web.
 
 
  I can get this for AMD FX-8120 Zambezi 3.1GHz Socket AM3+ 125W
 Eight-Core
  Desktop Processor for under $120 (it's on sale), would it work ?
 
  Seems like overkill to me.
 
  I'd suggest more along the lines of an Atom-CPU based system.  One 
  of
 those
  mini-ITX setups that use 20W or thereabouts.
 
  Just my two cents.
 
 
  Any thoughts?
 
  Thanks,
  Terre
 
 
 
 
 


 --
 Stephen Clark
 *NetWolves*
 Director of Technology
 Phone: 813-579-3200
 Fax: 813-882-0209
 Email: steve.cl...@netwolves.com
 http://www.netwolves.com




--
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Firewall/Gateway Hardware Question

2013-10-15 Thread John R Pierce
On 10/15/2013 3:05 PM, SilverTip257 wrote:
 I don't know how VIA C7 CPUs stack up against the Intel Atom CPUs in terms
 of performance, but they're low power consuming x86 processors.  And
 there's the VIA Padlock [0] security/encryption engine.

I think the Atoms pretty much beat the living daylights out of the C7 
stuff, which were based on an architecture many generations old. Some of 
the Core i3/i5 laptop chips are very low power, too, and nearly as 
powerful as modern 2-4 core desktop processors. The current 
'Pentiums' are somewhere in between the Atom and the low end of the Core 
line.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Earl A Ramirez
On 7 July 2013 20:57, Bob Metelsky bob.metel...@gmail.com wrote:

 very perplexed here - I need to turn off iptables. I've tried

 service iptables save
 service iptables stop
 chkconfig iptables off

 service ip6tables save
 service ip6tables stop
 chkconfig ip6tables off

 edited
 OPGX280 ~ # cat  /etc/sysconfig/system-config-firewall
 # Configuration file for system-config-firewall
 --disabled
 --service=ssh

 OPGX280 ~ :( # cat  /etc/selinux/config
 SELINUX=disabled

 OPGX280 ~ :( # chkconfig |grep ip
 ip6tables   0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipmievd 0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipsec   0:off   1:off   2:off   3:off   4:off   5:off   6:off
 iptables0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipvsadm 0:off   1:off   2:off   3:off   4:off   5:off   6:off


 Yet - when I reboot  iptables gets started  - if I run

 OPGX280 ~ # /etc/rc.d/init.d/iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target prot opt source   destination
 1ACCEPT udp  --  0.0.0.0/00.0.0.0/0   udp
 dpt:53
 2ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   tcp
 dpt:53
 3ACCEPT udp  --  0.0.0.0/00.0.0.0/0   udp
 dpt:67
 4ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   tcp
 dpt:67

 Chain FORWARD (policy ACCEPT)
 num  target prot opt source   destination
 1ACCEPT all  --  0.0.0.0/0192.168.122.0/24state
 RELATED,ESTABLISHED
 2ACCEPT all  --  192.168.122.0/24 0.0.0.0/0
 3ACCEPT all  --  0.0.0.0/00.0.0.0/0
 4REJECT all  --  0.0.0.0/00.0.0.0/0
 reject-with icmp-port-unreachable
 5REJECT all  --  0.0.0.0/00.0.0.0/0
 reject-with icmp-port-unreachable


 Note --  192.168.122.0/24 is NOT my network, I just want the status to
 tell me iptables is NOT running

 What else can I look for??

 Thanks
 Bob


Hi Bob,

I am just shooting in the dark here, have you tried /sbin/iptables -F

-- 
Kind Regards
Earl Ramirez


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
this is very strange

I ran your flush command.. worked until reboot

I  came across this article
http://www.thegeekstuff.com/2011/01/redhat-iptables-flush/

Basically it tells me how to save a wide-open rules file - I did this and it
behaved like the doc describes

This is what I have now

OPGX280 ~ :( # cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Jul  7 09:14:11 2013
*filter
:INPUT ACCEPT [32:4712]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:5160]
COMMIT
# Completed on Sun Jul  7 09:14:11 2013

- until I reboot then I get the same gibberish...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
num  target prot opt source   destination
1MASQUERADE  tcp  --  192.168.122.0/24!192.168.122.0/24masq
ports: 1024-65535
2MASQUERADE  udp  --  192.168.122.0/24!192.168.122.0/24masq
ports: 1024-65535
3MASQUERADE  all  --  192.168.122.0/24!192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target prot opt source   destination

Chain INPUT (policy ACCEPT)
num  target prot opt source   destination

Chain FORWARD (policy ACCEPT)
num  target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
num  target prot opt source   destination
1CHECKSUM   udp  --  0.0.0.0/00.0.0.0/0   udp
dpt:68 CHECKSUM fill

Table: filter
Chain INPUT (policy ACCEPT)
num  target prot opt source   destination
1ACCEPT udp  --  0.0.0.0/00.0.0.0/0   udp dpt:53
2ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   tcp dpt:53
3ACCEPT udp  --  0.0.0.0/00.0.0.0/0   udp dpt:67
4ACCEPT tcp  --  0.0.0.0/00.0.0.0/0   tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target prot opt source   destination
1ACCEPT all  --  0.0.0.0/0192.168.122.0/24state
RELATED,ESTABLISHED
2ACCEPT all  --  192.168.122.0/24 0.0.0.0/0
3ACCEPT all  --  0.0.0.0/00.0.0.0/0
4REJECT all  --  0.0.0.0/00.0.0.0/0
reject-with icmp-port-unreachable
5REJECT all  --  0.0.0.0/00.0.0.0/0
reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target prot opt source   destination

I don't understand what or why iptables is being called.

I believe anything in /etc/rc.d/init.d/* will get run on startup. If I
move those files out of there - obviously the command won't work - but I
need to understand what's going on


I want status to tell me OFF

 /etc/rc.d/init.d/iptables status





On Sun, Jul 7, 2013 at 9:02 AM, Earl A Ramirez earlarami...@gmail.com wrote:

 On 7 July 2013 20:57, Bob Metelsky bob.metel...@gmail.com wrote:

  very perplexed here - I need to turn off iptables. I've tried
 
  service iptables save
  service iptables stop
  chkconfig iptables off
 
  service ip6tables save
  service ip6tables stop
  chkconfig ip6tables off
 
  edited
  OPGX280 ~ # cat  /etc/sysconfig/system-config-firewall
  # Configuration file for system-config-firewall
  --disabled
  --service=ssh
 
  OPGX280 ~ :( # cat  /etc/selinux/config
  SELINUX=disabled
 
  OPGX280 ~ :( # chkconfig |grep ip
  ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
  iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
  ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
 
  Yet - when I reboot  iptables gets started  - if I run
 
  OPGX280 ~ # /etc/rc.d/init.d/iptables status
  Table: filter
  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
  2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
  3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
  4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
  2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
  3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
  4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
  5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 
 
  Note --  

Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Alexander Dalloz
Am 07.07.2013 14:57, schrieb Bob Metelsky:
 very perplexed here - I need to turn off iptables. I've tried

Why do you have to turn off the local firewall?

 service iptables save
 service iptables stop
 chkconfig iptables off
 
 service ip6tables save
 service ip6tables stop
 chkconfig ip6tables off
 
 edited
 OPGX280 ~ # cat  /etc/sysconfig/system-config-firewall
 # Configuration file for system-config-firewall
 --disabled
 --service=ssh
 
 OPGX280 ~ :( # cat  /etc/selinux/config
 SELINUX=disabled

Bad practice.

 OPGX280 ~ :( # chkconfig |grep ip
 ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
 iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
 ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
 
 Yet - when I reboot  iptables gets started  - if I run
 
 OPGX280 ~ # /etc/rc.d/init.d/iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

 Chain FORWARD (policy ACCEPT)
 num  target     prot opt source               destination
 1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
 2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 
 
 Note --  192.168.122.0/24 is NOT my network, I just want the status to
 tell me iptables is NOT running

That's a VMware (ESXi or such) based virtual machine, right?
192.168.122.0/24 is the default VMware NAT network assignment. It comes
from the VMware tools. These tools take care that a NAT network setup
will work.

 What else can I look for??
 
 Thanks
 Bob

Alexander

P.S. If you reply then please follow the general rule to not top-post
and to trim your quotes. Thanks.


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Markus Falb

On 07.Jul.2013, at 14:57, Bob Metelsky wrote:

 very perplexed here - I need to turn off iptables. Ive tried
 …
 Yet - when I reboot  iptables gets started  - if I run
 ...
 Note --  192.168.122.0/24 is NOT my network

This could be the default network from libvirt. The kvm host does NAT from that 
network if the guest is configured to use it. You can undefine it with some 
virsh foo

$ virsh net-destroy default
$ virsh net-undefine default
-- 
Markus Falb



Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
On Sun, Jul 7, 2013 at 9:38 AM, Alexander Dalloz ad+li...@uni-x.org wrote:

 Am 07.07.2013 14:57, schrieb Bob Metelsky:
  very perplexed here - I need to turn off iptables. I've tried

 Why do you have to turn off the local firewall?

 
  OPGX280 ~ :( # cat  /etc/selinux/config
  SELINUX=disabled

 Bad practice.


 Alexander

 P.S. If you reply then please follow the general rule to not top-post
 and to trim your quotes. Thanks.




I appreciate the admonitions on bad practices - but for now I need to
understand why something is happening and stop it


OPGX280 ~ # yum remove virt*


 Package        Arch   Version            Repository   Size

Removing:
 virt-manager   i686   0.9.0-18.el6       @base        5.4 M
 virt-top       i686   1.0.4-3.15.el6     @base        922 k
 virt-viewer    i686   0.5.2-18.el6_4.2   @updates     751 k
 virt-what      i686   1.11-1.2.el6       @base         35 k

Transaction Summary

Remove        4 Package(s)

Installed size: 7.1 M
Is this ok [y/N]: y
...
Removed:
  virt-manager.i686 0:0.9.0-18.el6  virt-top.i686 0:1.0.4-3.15.el6
  virt-viewer.i686 0:0.5.2-18.el6_4.2   virt-what.i686 0:1.11-1.2.el6

Complete!
OPGX280 ~ #

OPGX280 ~ :( # chkconfig|grep virt
libvirt-guests  0:off   1:off   2:off   3:off   4:off   5:off   6:off
libvirtd        0:off   1:off   2:off   3:off   4:off   5:off   6:off

reboot


OK!!! Nice call on the virt*

 after reboot...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
iptables: Firewall is not running.

My goodness I would have never guessed that an unneeded package  would have
caused that - THANK YOU!

Now I can move on to the work I need to do - Thank you again








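The two posts above (Markus Falb's pointer to the libvirt default network and Bob's confirmation after removing the virt packages) amount to a recognisable signature in the rule dump. The script below is an added example, not code from any poster: it takes an "iptables status"-style dump, counts the rules that reference libvirt's default 192.168.122.0/24 network and the INPUT accepts for the DNS/DHCP ports its dnsmasq needs, and prints a verdict. The sample dump is constructed to mirror the output quoted in the thread; the network address and the column layout of the status output are the only assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify an "iptables status"-style
# dump (iptables -nL --line-numbers layout) to tell whether the rules were
# installed by libvirt's default NAT network rather than the iptables service.
# Assumption: 192.168.122.0/24 is libvirt's default network, as in the thread.

LIBVIRT_NET='192.168.122.0/24'

# Constructed sample shaped like the status output quoted in the thread.
SAMPLE_DUMP='Table: nat
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
2    MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
3    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Rule lines start with a number; columns are: num target prot opt source destination.
# Count rules whose source or destination (possibly negated with "!") is the libvirt net.
count_libvirt_rules() {
    printf '%s\n' "$1" | awk -v net="$LIBVIRT_NET" '
        $1 ~ /^[0-9]+$/ {
            src = $5; dst = $6
            sub(/^!/, "", src); sub(/^!/, "", dst)
            if (src == net || dst == net) n++
        }
        END { print n + 0 }'
}

# Count INPUT ACCEPT rules for DNS (53) and DHCP (67): the dnsmasq instance
# libvirt starts for its network is what needs these.
count_dns_dhcp_accepts() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        $1 ~ /^[0-9]+$/ && chain == "INPUT" && $2 == "ACCEPT" && $NF ~ /^dpt:(53|67)$/ { n++ }
        END { print n + 0 }'
}

# Print a verdict. Both signatures together point at libvirtd, so the next
# things to check are "chkconfig --list libvirtd" and "virsh net-list --all",
# not the iptables init script.
classify_ruleset() {
    libvirt_rules=$(count_libvirt_rules "$1")
    dns_dhcp=$(count_dns_dhcp_accepts "$1")
    if [ "$libvirt_rules" -gt 0 ] && [ "$dns_dhcp" -ge 2 ]; then
        echo "libvirt-default-network"
    elif [ "$libvirt_rules" -gt 0 ]; then
        echo "libvirt-nat-only"
    else
        echo "no-libvirt-rules"
    fi
}

# Stand-alone run on the constructed sample. On a live box (as root):
#   classify_ruleset "$(iptables -nL --line-numbers)"
printf 'libvirt rules: %s, dns/dhcp accepts: %s, verdict: %s\n' \
    "$(count_libvirt_rules "$SAMPLE_DUMP")" \
    "$(count_dns_dhcp_accepts "$SAMPLE_DUMP")" \
    "$(classify_ruleset "$SAMPLE_DUMP")"
```

One caveat when reading such a dump: the status output (like iptables -nL) omits the in/out interface columns, so FORWARD rule 3 looks like an accept-everything rule although libvirt scopes its rules to its bridge interface; iptables -nvL shows the interfaces.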


Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, hadi motamedi wrote:

 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ? Or if Pspice for centos does not exist so we
 must search for 'Electronics circuit schematics editor and simulator
 for centos' ? Is there any reference site where we can select centos
 applications with respect to their functionality definition but not
 just the application name?

Stop googling for CentOS.  If you're looking for commercial packages, they'll
either claim to support Redhat or just linux, but they're very unlikely to
mention CentOS.

But this problem isn't linux specific.  How do you find matlab-like software
for windows?

jh


Re: [CentOS] firewall?

2011-07-20 Thread hadi motamedi
On 7/20/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Wed, 20 Jul 2011, hadi motamedi wrote:

 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ? Or if Pspice for centos does not exist so we
 must search for 'Electronics circuit schematics editor and simulator
 for centos' ? Is there any reference site where we can select centos
 applications with respect to their functionality definition but not
 just the application name?

 Stop googling for CentOS.  If you're looking for commercial packages,
 they'll
 either claim to support Redhat or just linux, but they're very unlikely to
 mention CentOS.

 But this problem isn't linux specific.  How do you find matlab-like software
 for windows?

 jh

You are right. But here, people use windows more than Linux. So
hearing about MATLAB for windows comes natural. I need to switch
completely to my centos so I need to do everything with my centos as I
did them on my windows. It sounds a little bit hard to find one-one
exact match between the application on windows and their equivalent on
centos. Isn't it ?


Re: [CentOS] firewall?

2011-07-20 Thread Keith Roberts
On Wed, 20 Jul 2011, hadi motamedi wrote:

*snip*

 So you've installed Octave but it's not as powerful as MATLAB on windows.
 I know this is crazy talk, but have you tried MATLAB on CentOS?

 There is no one-to-one relationship between applications on one OS and on
 another.

Hi Hadi.

If you are looking for Electronics and EDA things, why not 
take a look at the FEL - Fedora Electronics Lab spin:

http://spins.fedoraproject.org/fel/#downloads

You can d/l the FEL Live CD iso from here:

http://archive.nl.eu.kernel.org/fedora-alt/spins/linux/releases/14/Spins/i686/

HTH

Keith Roberts

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-


Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, hadi motamedi wrote:

 You are right. But here, people use windows more than Linux. So
 hearing about MATLAB for windows comes natural. I need to switch
 completely to my centos so I need to do everything with my centos as I
 did them on my windows. It sounds a little bit hard to find one-one
 exact match between the application on windows and their equivalent on
 centos. Isn't it ?

In the case of matlab it's very easy: matlab.

In the case of other specialist software, the point is every bit of software
is different.  If you know an exact bit of software meets your needs, you are
the person best placed to know why.  The rest of it is a case of searching
google/yum/freshmeat using your domain specific knowledge as to exactly what
you need.

It would be exactly the same ball game if you were switching to using an
Apple, or indeed if Mathworks stopped selling matlab on windows.

jh


Re: [CentOS] firewall?

2011-07-20 Thread Marko Vojinovic
On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ?

MATLAB stands for *matrix* laboratory, not mathematics. See

http://en.wikipedia.org/wiki/MATLAB

Searching for MATLAB on CentOS is too naive. Rather, you just want to keep in 
mind that CentOS is binary-compatible with RHEL, go to the MATLAB website and 
find out that there is a supported version for RHEL:

http://www.mathworks.com/support/sysreq/current_release/linux.html

It costs about 2000 USD for a basic standalone installation (btw, the price is 
the same for Linux, Windows and Mac).

The functionality of MATLAB for CentOS is completely equivalent to the one on 
Windows. There is no alternative (free or otherwise) version which will 
provide equivalent functionality. That said, there are alternative apps which 
are equivalently powerful, but there are always differences.

HTH, :-)
Marko



Re: [CentOS] firewall?

2011-07-20 Thread m . roth
Marko Vojinovic wrote:
 On Wednesday 20 July 2011 05:07:23 hadi motamedi wrote:
 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ?

 MATLAB stands for *matrix* laboratory, not mathematics. See

 http://en.wikipedia.org/wiki/MATLAB

 Searching for MATLAB on CentOS is too naive. Rather, you just want to keep
 in mind that CentOS is binary-compatible with RHEL, go to the MATLAB
snip
I'll guarantee that it runs just fine under CentOS. We have several
installs running.

mark



Re: [CentOS] firewall?

2011-07-20 Thread Ljubomir Ljubojevic
Les Mikesell wrote:
 The biggest searchable, up to date collection of open source software project 
 descriptions is probably http://freshmeat.net, but once you locate an 
 interesting project you might want to see if you can find an RPM-packaged 
 version at EPEL, rpmforge, etc. for easy installation and updates instead of 
 trying to build from source yourself.

I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.

Fedora 5 version should be good for CentOS 5, and Fedora 12 package for 
CentOS 6.

Link for Fedora 5 package:
http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] firewall?

2011-07-20 Thread m . roth
Ljubomir Ljubojevic wrote:
 Les Mikesell wrote:
snip
 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.
snip
Couple problems: first, it *is* COTS, and if you live in a country that
cares, you could be in steep legal trouble. Second, MATLAB uses a license
server; if you don't have a license, you can't use it.

   mark



Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:

 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.

Valid.

 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.

 Fedora 5 version should be good for CentOS 5 , and Fedora 12 package for
 CentOS 6.

 Link for Fedora 5 package:
 http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/

Not in any way sensible, so don't go anywhere near this.

This just looks like an indexed internal directory at a university full of
packages you're really unlikely to want to install.  It's old commercial
software that won't work without a license.  Matlab installs just fine on
CentOS from the direct download from Mathworks.  Packaging it up is also
trivial.

jh


Re: [CentOS] firewall?

2011-07-20 Thread Ljubomir Ljubojevic
John Hodrien wrote:
 On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:
 
 I use http://rpm.pbone.net/ to search for CentOS/RHEL and Fedora packages.
 
 Valid.
 
 It says that there is matlab 7.4.0 rpm for Fedora 5 and 10-15.

 Fedora 5 version should be good for CentOS 5 , and Fedora 12 package for
 CentOS 6.

 Link for Fedora 5 package:
 http://apt.unl.edu/apt/fedora/redhat/5/i386/unl/RPMS/
 
 Not in any way sensible, so don't go anywhere near this.
 
 This just looks like an indexed internal directory at a university full of
 packages you're really unlikely to want to install.  It's old commercial
 software that won't work without a license.  Matlab installs just fine on
 CentOS from the direct download from Mathworks.  Packaging it up is also
 trivial.
 

OK.

If it needs license, what would be the harm if you install (newer) 
version from rpm? Their source RPM is actually nosrc.rpm so they just 
package  it for easier install. I was assuming this when I suggested the 
packages.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant


Re: [CentOS] firewall?

2011-07-20 Thread John Hodrien
On Wed, 20 Jul 2011, Ljubomir Ljubojevic wrote:

 OK.

 If it needs license, what would be the harm if you install (newer)
 version from rpm? Their source RPM is actually nosrc.rpm so they just
 package  it for easier install. I was assuming this when I suggested the
 packages.

What I meant was, those were old RPMs.  You'd buy a license and either install
using the installer, or package up your own RPM.  You wouldn't go near those.

jh


Re: [CentOS] firewall?

2011-07-19 Thread John Hodrien
On Sun, 17 Jul 2011, Always Learning wrote:

 If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
 ports. Allocate a different IP address (if you have several) and use a
 non-web IP address for SSH and a different non-web IP address for
 phpmyadmin etc. WITH non-standard ports (you can go as high as about
 64000). Also consider ONLY allowing access from predefined static IP
 addresses (under your control). Do not make it easy for the hackers.
 Give them a difficult time.

Running on non-default ports (especially high numbered ports) always strikes
me as the wrong way of doing things.  You've come out of the admin shelter of
low ports meaning you're now vulnerable to local attacks - if I can make ftp
(one of your examples) crash, I can potentially steal its port and run my own
ftp server, stealing everyone's password if I have a local account.  At the
same time, you're still vulnerable to plenty of scanning attacks.

If you want accessible services to be accessible, I say make them accessible,
and secure that service as much as you reasonably can.

If you want to restrict access to make it more secure, put them behind a VPN
or other protection.  That way you *really* get the security benefit that you
wanted in the first place.

jh


Re: [CentOS] firewall?

2011-07-19 Thread hadi motamedi
On 7/19/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Sun, 17 Jul 2011, Always Learning wrote:

 If using SSH, FTP, phpmyadmin etc. etc. then DO NOT use the standard
 ports. Allocate a different IP address (if you have several) and use a
 non-web IP address for SSH and a different non-web IP address for
 phpmyadmin etc. WITH non-standard ports (you can go as high as about
 64000). Also consider ONLY allowing access from predefined static IP
 addresses (under your control). Do not make it easy for the hackers.
 Give them a difficult time.

 Running on non-default ports (especially high numbered ports) always strikes
 me as the wrong way of doing things.  You've come out of the admin shelter
 of
 low ports meaning you're now vulnerable to local attacks - if I can make ftp
 (one of your examples) crash, I can potentially steal its port and run my
 own
 ftp server, stealing everyone's password if I have a local account.  At the
 same time, you're still vulnerable to plenty of scanning attacks.

 If you want accessible services to be accessible, I say make them
 accessible,
 and secure that service as much as you reasonably can.

 If you want to restrict access to make it more secure, put them behind a VPN
 or other protection.  That way you *really* get the security benefit that
 you
 wanted in the first place.

 jh

Dear All
With respect to the references you gave me, I figured out to add the
following line to my /etc/sysconfig/iptables :
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
Then I issued:
#service iptables restart
And now the windows machine can browse valid url . Thank you for your help.
I want to put more stuff on my centos 5.6 machine. To this end, I
installed ultraedit, octave, gschem,shorewall on my centos 5.6
machine. But I don't see a one-to-one relationship between these
applications and the ones I have on my windows machine. For example,
the octave does not have the same power as MATLAB on windows machine
or Pspice on windows is more powerful than the one I have on my
centos. Can you please let me know where powerful centos stuffs for
various purposes can be selected and installed from the internet?


Re: [CentOS] firewall?

2011-07-19 Thread John Hodrien
On Tue, 19 Jul 2011, hadi motamedi wrote:

 Dear All
 With respect to the references you gave me, I figured out to add the
 following line to my /etc/sysconfig/iptables :
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
 Then I issued:
 #service iptables restart
 And now the windows machine can browse valid url . Thank you for your help.
 I want to put more stuff on my centos 5.6 machine. To this end, I
 installed ultraedit, octave, gschem,shorewall on my centos 5.6
 machine. But I don't see one-to-one relationship between these
 applications and the ones I have on my windows machine. For example,
 the octave does not have  the same power as MATLAB on windows machine
 or Pspice on windows is more powerful than the one I have on my
 centos. Can you please let me know where powerful centos stuffs for
 various purposes can be selected and installed from the internet?

So you've installed Octave but it's not as powerful as MATLAB on windows.
I know this is crazy talk, but have you tried MATLAB on CentOS?

There is no one-to-one relationship between applications on one OS and on
another.

Keep googling.

jh


Re: [CentOS] firewall?

2011-07-19 Thread John Doe
From: hadi motamedi motamed...@gmail.com

 centos. Can you please let me know where powerful centos stuffs for
 various purposes can be selected and installed from the internet?

Hum... powerful stuff for various purposes is usually mysterious secret 
knowledge handed from masters to disciples...
Do you think you could handle such powerful stuff...?!?

JD


Re: [CentOS] firewall?

2011-07-19 Thread hadi motamedi
On 7/19/11, John Doe jd...@yahoo.com wrote:
 From: hadi motamedi motamed...@gmail.com

 centos. Can you please let me know where powerful centos stuffs for
 various purposes can be selected and installed from the internet?

 Hum... powerful stuff for various purposes is usually mysterious secret
 knowledge handed from masters to disciples...
 Do you think you could handle such powerful stuff...?!?

 JD

Sorry for not being specific in the question. I mean engineering
centos stuff with one-to-one relationship for windows ones like Visual
C , MATLAB , Pspice , etc. ?


Re: [CentOS] firewall?

2011-07-19 Thread hadi motamedi
On 7/19/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
 On Tue, 19 Jul 2011, hadi motamedi wrote:

 Dear All
 With respect to the references you gave me, I figured out to add the
 following line to my /etc/sysconfig/iptables :
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
 Then I issued:
 #service iptables restart
 And now the windows machine can browse valid url . Thank you for your
 help.
 I want to put more stuff on my centos 5.6 machine. To this end, I
 installed ultraedit, octave, gschem,shorewall on my centos 5.6
 machine. But I don't see one-to-one relationship between these
 applications and the ones I have on my windows machine. For example,
 the octave does not have  the same power as MATLAB on windows machine
 or Pspice on windows is more powerful than the one I have on my
 centos. Can you please let me know where powerful centos stuffs for
 various purposes can be selected and installed from the internet?

 So you've installed Octave but it's not as powerful as MATLAB on windows.
 I know this is crazy talk, but have you tried MATLAB on CentOS?

 There is no one-to-one relationship between applications on one OS and on
 another.

 Keep googling.

 jh

If we cannot find the exact application name for centos, say MATLAB
for centos does not exist, so we must search for 'Mathematics
laboratory for centos' ? Or if Pspice for centos does not exist so we
must search for 'Electronics circuit schematics editor and simulator
for centos' ? Is there any reference site where we can select centos
applications with respect to their functionality definition but not
just the application name?


Re: [CentOS] firewall?

2011-07-19 Thread Les Mikesell
On 7/19/11 11:07 PM, hadi motamedi wrote:

 If we cannot find the exact application name for centos, say MATLAB
 for centos does not exist, so we must search for 'Mathematics
 laboratory for centos' ? Or if Pspice for centos does not exist so we
 must search for 'Electronics circuit schematics editor and simulator
 for centos' ? Is there any reference site where we can select centos
 applications with respect to their functionality definition but not
 just the application name?

Not very much software is Centos-specific, but anything that runs on Red Hat 
Enterprise versions should work on the corresponding Centos version, including 
the things in third party 'EL' rpm repositories and commercial products (like 
Matlab...).

The biggest searchable, up to date collection of open source software project 
descriptions is probably http://freshmeat.net, but once you locate an 
interesting project you might want to see if you can find an RPM-packaged 
version at EPEL, rpmforge, etc. for easy installation and updates instead of 
trying to build from source yourself.

And you might like 'R' as an alternative to octave or matlab.

-- 
   Les Mikesell
lesmikes...@gmail.com





Re: [CentOS] firewall?

2011-07-19 Thread Bob Hepple
On Wed, 20 Jul 2011 08:37:23 +0430
hadi motamedi motamed...@gmail.com wrote:

 On 7/19/11, John Hodrien j.h.hodr...@leeds.ac.uk wrote:
  On Tue, 19 Jul 2011, hadi motamedi wrote:
 
  centos. Can you please let me know where powerful centos stuffs for
  various purposes can be selected and installed from the internet?

I find http://alternativeto.net/ useful now and then ...


-- 
Bob Hepple bhep...@promptu.com
ph: 07-5584-5908 Fx: 07-5575-9550


Re: [CentOS] firewall?

2011-07-18 Thread Arun Khan
On Mon, Jul 18, 2011 at 11:12 AM, hadi motamedi motamed...@gmail.com wrote:
 
 Thank you for your help. I learned a lot from your post that enabled
 me to share Internet connection on my centos 5.6 machine. At now , the
 windows machine is behind the centos firewall and it can even ping
 192.9.9.3 but just cannot resolve the url (even with DNS set for it).
 I just need to know how to give it Internet service?

search for keywords 'linux routing' and 'linux ip forwarding' and
you will find umpteen sites with answers to your problem.

As suggested by others,  budget a cheap NIC and keep Internet and LAN
on two separate physical NICs.   That would be the minimum best
practice.

Another piece of advice.  Follow the RERERE [1]  method to learn Linux
administration.   By the third you will get it right (that has been my
experience).

Visit www.tldp.org.   You will find several full length books on
Linux system/network admin as well as how-tos. Pick the one that meets
your scenario, read the material and experiment.   That is the best
way to learn. BTW you can do this by installing VirtualBox either
in Linux or Windows.  With VBox you can setup small networks, all in a
virtual environment.   You can experiment and learn from them.  VBox
is well documented.

For Linux networking,  the book by Olaf Kirch and Terry Dawson [2]  is
a classic.   CentOS/RHEL docs are also very comprehensive with theory
and examples.

When you get stuck on any implementation then ask specific questions -
I tried this blah blah found it in this xyz reference  and I am
stuck on this point.

From your posts it does not look like you have tried to do any
research. The culture in FOSS mailing lists/forums is to help
those who try to help themselves; otherwise opt for commercial
support.

[1] Read Experiment 
[2] http://www.tldp.org/LDP/nag2/nag2.pdf

-- 
Arun Khan
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Re: [CentOS] firewall?

2011-07-18 Thread Always Learning

On Sun, 2011-07-17 at 22:17 -0700, Cody Jackson wrote:

 On 7/17/11, hadi motamedi motamed...@gmail.com wrote:
  Thank you very much for your reply. Can you please let me know what is
  the centos mailing list for basic users like me?

 This one is great:
 
 https://google.com

Which option do you suggest ?  'Google Search' or 'I'll Feeling Lucky' ?


-- 
With best regards,

Paul.
England,
EU.




Re: [CentOS] firewall?

2011-07-17 Thread Ljubomir Ljubojevic
Keith Roberts wrote:
 On Sat, 16 Jul 2011, Keith Roberts wrote:
 
 To: CentOS mailing list centos@centos.org
 From: Keith Roberts ke...@karsites.net
 Subject: Re: [CentOS] firewall?

 On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:

 *snip*

  I wrote about physical presence *outside* of your network, like if
  you
  are on a large WISP that uses bridged network (bad design) and your
  Wireless client is bridged, and you have single NIC firewall in place,
  entire WISP's network will be able to sniff your traffic and hack into
  unprotected workstations/desktops. And there are those scenarios, much
   more than you can think.
 Which is why one poster mentioned that you need to be familiar with 
 IPtables and Networking before trying to make your machine(s) network(s) 
 secure?

 I read some time ago something about tunneling different protocols 
 through firewalls? which sounded quite scary.
 
  This is what I was referring to:
 
 Data Driven Attacks Using HTTP Tunneling
 
 ... HTTP Tunneling Example
 
 HTTP tunneling can be used to access ports that are 
 normally inaccessible from a network. Consider Figure 1 
 below. The attacker's host is shown on the left with the 
 target systems on the right. The router at the edge has the 
 following policies:
 
 http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunneling
 
 Sounds a bit scary to me, as any website needs to have port 
 80 open to allow access to that website.
 

That example is based on the premise that attacker will exploit existing 
security bug/hole to gain access to the system. And they refer in that 
article to IIS (Micro$oft Web server, with holes like swiss cheese).

If you check the frequency of Apache (httpd) security bugs on CentOS 
5.x, I think you will see several Denial Of Service bugs, but only one 
or two that would allow code execution. And bug reports for Apache are 
made to a secure mailing list so the rest of the world is not aware of them 
until they are already fixed.

So I would not be overly concerned about HTTP tunneling attacks.

Ljubomir


Re: [CentOS] firewall?

2011-07-17 Thread Ljubomir Ljubojevic
Always Learning wrote:
 On Sat, 2011-07-16 at 13:25 +0200, Rudi Ahlers wrote:
 
 But, sadly google can't teach someone to start making their own
 choices or to think for themselves
 
 Learning Linux/Centos on one's own, and without good text books, is a
 very daunting task even for those with over 40 years computer
 programming experience. I describe it as a steep learning curve but, as
 usual, I succeeded. Others may be confused and lack the background
 knowledge to put 'strange' things in context or to make sense of what
 seems illogical.

That was not directed at people wanting to learn something, but at the 
drones wanting everything chewed up for them. Asking a specific question was 
never a problem for most people to respond to and educate about.

I don't think I have been on a forum or mailing list that refused to 
point someone in the right direction. "Give a man a fish, you have fed 
him for today. Teach a man to fish, and you have fed him for a 
lifetime" is what most people use as a motto. But there are always those who want 
it all served on a silver platter.

Ljubomir


Re: [CentOS] firewall?

2011-07-17 Thread Keith Roberts
On Sun, 17 Jul 2011, Ljubomir Ljubojevic wrote:

*snip*

 I read some time ago something about tunneling different protocols
 through firewalls, which sounded quite scary.

 This is what I was referring to:

 Data Driven Attacks Using HTTP Tunneling

 ... HTTP Tunneling Example

 HTTP tunneling can be used to access ports that are
 normally inaccessible from a network. Consider Figure 1
 below. The attacker's host is shown on the left with the
 target systems on the right. The router at the edge has the
 following policies:

 http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunneling

 Sounds a bit scary to me, as any website needs to have port
 80 open to allow access to that website.


 That example is based on the premise that the attacker will exploit an existing
 security bug/hole to gain access to the system. And in that article they refer
 to IIS (Micro$oft's web server, with holes like Swiss cheese).
 
 If you check the frequency of Apache (httpd) security bugs on CentOS
 5.x, I think you will see several Denial of Service bugs, but only one
 or two that would allow code execution. And bug reports for Apache are
 made to a secure mailing list, so the rest of the world is not aware of them
 until they are already fixed.

 So I would not be overly concerned about HTTP tunneling attacks.

OK thanks for that advice Ljubomir.

Kind Regards,

Keith

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-


Re: [CentOS] firewall?

2011-07-17 Thread Always Learning

On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:

 I don't think I have been on a forum or mailing list that refused to 
 point someone in the right direction. "Give a man a fish, you have fed
 him for today.  Teach a man to fish, and you have fed him for a 
 lifetime" is what most people use as a motto. But there are always those who
 want it all served on a silver platter.

I prefer gold platters :-)



-- 
With best regards,

Paul.
England,
EU.




Re: [CentOS] firewall?

2011-07-17 Thread Keith Roberts
On Sun, 17 Jul 2011, Always Learning wrote:

 To: CentOS mailing list centos@centos.org
 From: Always Learning cen...@u6.u22.net
 Subject: Re: [CentOS] firewall?
 

 On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:

 I don't think I have been on a forum or mailing list that refused to
 point someone in the right direction. "Give a man a fish, you have fed
 him for today.  Teach a man to fish, and you have fed him for a
 lifetime" is what most people use as a motto. But there are always those who
 want it all served on a silver platter.

 I prefer gold platters :-)

Yes, me too. Preferably studded with Rubies, Diamonds and 
Emeralds!

Keith

-
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-


Re: [CentOS] firewall?

2011-07-17 Thread Ljubomir Ljubojevic
Keith Roberts wrote:
 On Sun, 2011-07-17 at 10:37 +0200, Ljubomir Ljubojevic wrote:

 I don't think I have been on a forum or mailing list that refused to
 point someone in the right direction. "Give a man a fish, you have fed
 him for today.  Teach a man to fish, and you have fed him for a
 lifetime" is what most people use as a motto. But there are always those who
 want it all served on a silver platter.
 I prefer gold platters :-)
 
 Yes, me too. Preferably studded with Rubies, Diamonds and 
 Emeralds!
 
I am more interested in the food on the platter. True open source geek, 
I know ;-)

Ljubomir


Re: [CentOS] firewall?

2011-07-17 Thread John R Pierce
On 07/17/11 1:24 AM, Ljubomir Ljubojevic wrote:
 If you check the frequency of Apache (httpd) security bugs on CentOS
 5.x, I think you will see several Denial Of Service bugs, but only one
 or two that would allow code execution. And bug reports for Apache are
 made to secure mailing list so rest of the world is not aware of them
 until they are already fixed.

 So I would not be overly concerned about HTTP tunneling attacks.

most successful exploits of 'nix web servers involve poorly implemented 
user code, such as exploitable PHP, perl cgi, etc, things that allow sql 
insertion attacks, etc etc.

http://xkcd.com/327/



-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast



Re: [CentOS] firewall?

2011-07-17 Thread hadi motamedi
On 7/16/11, Fajar Priyanto fajar...@arinet.org wrote:
 Do this:
 1. Make sure your CentOS has two network cards. One connected to the
 internet, one to the local LAN. Make sure the CentOS box can already browse
 the internet.
 Example internet: eth0 192.168.1.1
 local: eth1 192.168.2.1

 2. Activate ip forwarding in /etc/sysconfig/sysctl.conf
 net.ipv4.ip_forward = 1

 Run sysctl -r to reload the new setting

 3. Type this iptables command to share internet:
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 4. Set your Windows box to use 192.168.2.1 as its default gateway.
 Don't forget to give it DNS too like 8.8.8.8

 5. I'd suggest you join your Linux Local User Group to have more help.

Thank you very much for your help. Right now, I have put my Windows
machine behind my CentOS 5.6 firewall server with just one NIC. The
Windows machine can ping 192.9.9.3 but it cannot browse the Internet, like
connecting to Google. I have set its DNS too. Can you please let me
know what step is missing?
Thank you


Re: [CentOS] firewall?

2011-07-17 Thread John R. Dennison
On Mon, Jul 18, 2011 at 12:24:02AM -0400, hadi motamedi wrote:

 Thank you very much for your help. Right now, I have put my Windows
 machine behind my CentOS 5.6 firewall server with just one NIC. The
 Windows machine can ping 192.9.9.3 but it cannot browse the Internet, like
 connecting to Google. I have set its DNS too. Can you please let me
 know what step is missing?

No.

It's about time you started doing something on your own.

Either learn how to manage your own systems or those that you are being
paid to manage or going to school to manage or pay someone competent to
do it for you.

Stop misusing this list.  We are not here to solve your issues.

If you want to consider private consultation please contact me off list
for my rates and payment methods.  I'm sure there are any number of
other list members that would also be willing to solve your problems
at their normal per diem rates as well.

Note to everyone else:  STOP spoon-feeding him.




John
-- 
There are men -- now in power in this country -- who do not respect
dissent, who cannot cope with turmoil, and who believe that the people of
America are ready to support repression as long as it is done with a quiet
voice and a business suit.

John V. Lindsay (1921-2000), US politician, Congressman, Mayor of New York City




Re: [CentOS] firewall?

2011-07-17 Thread hadi motamedi
On 7/18/11, John R. Dennison j...@gerdesas.com wrote:
 On Mon, Jul 18, 2011 at 12:24:02AM -0400, hadi motamedi wrote:

 Thank you very much for your help. Right now, I have put my Windows
 machine behind my CentOS 5.6 firewall server with just one NIC. The
 Windows machine can ping 192.9.9.3 but it cannot browse the Internet, like
 connecting to Google. I have set its DNS too. Can you please let me
 know what step is missing?

 No.

 It's about time you started doing something on your own.

 Either learn how to manage your own systems or those that you are being
 paid to manage or going to school to manage or pay someone competent to
 do it for you.

 Stop misusing this list.  We are not here to solve your issues.

 If you want to consider private consultation please contact me off list
 for my rates and payment methods.  I'm sure there are any number of
 other list members that would also be willing to solve your problems
 at their normal per diem rates as well.

 Note to everyone else:  STOP spoon-feeding him.




   John
 --
 There are men -- now in power in this country -- who do not respect
 dissent, who cannot cope with turmoil, and who believe that the people of
 America are ready to support repression as long as it is done with a quiet
 voice and a business suit.

 John V. Lindsay (1921-2000), US politician, Congressman, Mayor of New York
 City

Thank you very much for your reply. Can you please let me know what is
the centos mailing list for basic users like me?


Re: [CentOS] firewall?

2011-07-17 Thread Cody Jackson
On 7/17/11, hadi motamedi motamed...@gmail.com wrote:
 Thank you very much for your reply. Can you please let me know what is
 the centos mailing list for basic users like me?

This one is great:

https://google.com

Cody Jackson


Re: [CentOS] firewall?

2011-07-17 Thread Christopher Chan
On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:

 Thank you very much for your reply. Can you please let me know what is
 the centos mailing list for basic users like me?

Try ubuntu-us...@lists.ubuntu.com

They always have spoon and milk powder ready and then some.


Re: [CentOS] firewall?

2011-07-17 Thread hadi motamedi
On 7/18/11, Christopher Chan christopher.c...@bradbury.edu.hk wrote:
 On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:

 Thank you very much for your reply. Can you please let me know what is
 the centos mailing list for basic users like me?

 Try ubuntu-us...@lists.ubuntu.com

 They always have spoon and milk powder ready and then some.

It is very hard for me to miss technical support from you gentlemen
and CentOS experts. Please let me just listen to the list.
Thank you again


Re: [CentOS] firewall?

2011-07-17 Thread Christopher Chan
On Monday, July 18, 2011 01:30 PM, hadi motamedi wrote:
 On 7/18/11, Christopher Chanchristopher.c...@bradbury.edu.hk  wrote:
 On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:

 Thank you very much for your reply. Can you please let me know what is
 the centos mailing list for basic users like me?

 Try ubuntu-us...@lists.ubuntu.com

 They always have spoon and milk powder ready and then some.

 It is very hard for me to miss technical support from you gentlemen
 and CentOS experts. Please let me just listen to the list.
 Thank you again


Why don't you just buy a book, read it, experiment on a spare computer? 
You can listen all you like but it will do you squat unless you actually 
try and think about why you have been given a certain command or piece 
of advice. It will forever be just 'theory'.


Re: [CentOS] firewall?

2011-07-17 Thread hadi motamedi
On 7/18/11, Christopher Chan christopher.c...@bradbury.edu.hk wrote:
 On Monday, July 18, 2011 01:30 PM, hadi motamedi wrote:
 On 7/18/11, Christopher Chanchristopher.c...@bradbury.edu.hk  wrote:
 On Monday, July 18, 2011 01:14 PM, hadi motamedi wrote:

 Thank you very much for your reply. Can you please let me know what is
 the centos mailing list for basic users like me?

 Try ubuntu-us...@lists.ubuntu.com

 They always have spoon and milk powder ready and then some.

 It is very hard for me to miss technical support from you gentlemen
 and CentOS experts. Please let me just listen to the list.
 Thank you again


 Why don't you just buy a book, read it, experiment on a spare computer?
 You can listen all you like but it will do you squat unless you actually
 try and think about why you have been given a certain command or piece
 of advice. It will forever be just 'theory'.

Thank you for your help. I learned a lot from your post, which enabled
me to share the Internet connection on my CentOS 5.6 machine. Right now, the
Windows machine is behind the CentOS firewall and it can even ping
192.9.9.3, but it just cannot resolve the URL (even with DNS set for it).
I just need to know how to give it Internet service.


Re: [CentOS] firewall?

2011-07-16 Thread SZ Quadri
You can use pretty standard tools: iptables etc. You just need a minimum
server install with maybe some web-based GUI to manage the box from other
machines. You can have a look at webmin (www.webmin.com), which offers a nice
web interface and is popular in the hosting industry as a free admin web UI.

- SZQ

On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamed...@gmail.comwrote:

 Dear All
 I need to put my CentOS 5.6 server as a firewall server in front of a
 windows-running node before connecting it to the net. Can you please
 let me know what stuff do I need to put on my centos server?
 Thank you



Re: [CentOS] firewall?

2011-07-16 Thread hadi motamedi
On 7/16/11, SZ Quadri s...@quadri.in wrote:
 You can use pretty standard tools: iptables etc. You just need a minimum
 server install with maybe some web-based GUI to manage the box from other
 machines. You can have a look at webmin (www.webmin.com), which offers a nice
 web interface and is popular in the hosting industry as a free admin web UI.

 - SZQ

 On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamed...@gmail.comwrote:

 Dear All
 I need to put my CentOS 5.6 server as a firewall server in front of a
 windows-running node before connecting it to the net. Can you please
 let me know what stuff do I need to put on my centos server?
 Thank you


Thank you for your help. I tried to get it as 'yum install webadmin*'
but unsuccessful. Can you please confirm if the spelling is correct?


Re: [CentOS] firewall?

2011-07-16 Thread Fajar Priyanto
Do this:
1. Make sure your CentOS has two network cards. One connected to the
internet, one to the local LAN. Make sure the CentOS box can already browse
the internet.
Example internet: eth0 192.168.1.1
local: eth1 192.168.2.1

2. Activate ip forwarding in /etc/sysconfig/sysctl.conf
net.ipv4.ip_forward = 1

Run sysctl -r to reload the new setting

3. Type this iptables command to share internet:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

4. Set your Windows box to use 192.168.2.1 as its default gateway.
Don't forget to give it DNS too like 8.8.8.8

5. I'd suggest you join your Linux Local User Group to have more help.
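As an added example (my own script, not code from the thread), here is the procedure above carried through as one script for a two-NIC CentOS 5 gateway. It assumes eth0 faces the internet, eth1 faces the LAN and the LAN is 192.168.2.0/24 (all three are assumptions taken from the example addresses in the post). Two things the five steps leave out: the file that `sysctl -p` reads on CentOS 5 is /etc/sysctl.conf, and MASQUERADE on its own does not make packets flow, because the stock CentOS 5 ruleset jumps FORWARD into RH-Firewall-1-INPUT, which ends in REJECT, so the FORWARD chain needs its own stateful policy.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal NAT gateway ruleset for a
# two-NIC CentOS 5 box. Assumptions: eth0 faces the internet, eth1 faces the
# LAN, and the LAN is 192.168.2.0/24.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
IPT=${IPT:-iptables}                          # set IPT=show for a dry run
SYSCTL=${SYSCTL:-sysctl}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}  # the file 'sysctl -p' reads on CentOS 5

# Dry-run stand-in for iptables: print the command instead of running it.
show() { echo "iptables $*"; }

# Persist net.ipv4.ip_forward = 1 (idempotently) and load it with 'sysctl -p'.
enable_forwarding() {
    if grep -q '^net.ipv4.ip_forward' "$SYSCTL_CONF" 2>/dev/null; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' "$SYSCTL_CONF"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$SYSCTL_CONF"
    fi
    "$SYSCTL" -p "$SYSCTL_CONF"
}

# MASQUERADE alone is not enough. The stock CentOS 5 ruleset jumps FORWARD to
# RH-Firewall-1-INPUT, which ends in REJECT, so rules appended after it never
# match; flush FORWARD and give it an explicit stateful policy instead.
gateway_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    # LAN hosts may open connections outward; the internet only gets replies back in.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet arriving on the WAN side must not claim a LAN source.
    "$IPT" -I INPUT 1 -i "$WAN_IF" -s "$LAN_NET" -j DROP
}

case "${1:-}" in
    apply)                                    # needs root: ./gateway.sh apply
        enable_forwarding
        gateway_rules
        service iptables save                 # persist to /etc/sysconfig/iptables
        ;;
    *)                                        # default: only show the rules
        (IPT=show; gateway_rules)
        ;;
esac
```

Run it without arguments to see the iptables commands it would issue; run it as root with `apply` to enable forwarding, load the rules and save them so they survive a reboot. The Windows box then only needs 192.168.2.1 as its gateway and a reachable DNS server, as in step 4.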


Re: [CentOS] firewall?

2011-07-16 Thread John R. Dennison
On Sat, Jul 16, 2011 at 02:56:59PM +0430, hadi motamedi wrote:
 Thank you for your help. I tried to get it as 'yum install webadmin*'
 but unsuccessful. Can you please confirm if the spelling is correct?

Are we really going to go down this beaten path yet again?  Have you
learned nothing during your hiatus from this list?  Have you learned
nothing from your past history on this list?  This is an enterprise
distribution, some thinking really is required.  And this doesn't mean
others doing the thinking for you.

Can you at least _try_ to be self-reliant?  Can you at least _try_ and
use google and other resources that you've been pointed to in the past?

Can you please _try_ to not ask this list to do your job for you?  If
you have specific questions after showing that you've done at least a
modicum of research on your own is one thing; being fully reliant on the
volunteers on this list is another.  

At least _try_.





John
-- 
Spring is nature's way of saying, "Let's party!"

-- Robin Williams (1952-), American actor and comedian




Re: [CentOS] firewall?

2011-07-16 Thread Fajar Priyanto
On Sat, Jul 16, 2011 at 7:11 PM, Fajar Priyanto fajar...@arinet.org wrote:
 2. Activate ip forwarding in /etc/sysconfig/sysctl.conf
 net.ipv4.ip_forward = 1

 Run sysctl -r to reload the new setting


typo: should be sysctl -p


Re: [CentOS] firewall?

2011-07-16 Thread Fajar Priyanto
On Sat, Jul 16, 2011 at 7:12 PM, John R. Dennison j...@gerdesas.com wrote:
 Can you at least _try_ to be self-reliant?  Can you at least _try_ and
 use google and other resources that you've been pointed to in the past?

 Can you please _try_ to not ask this list to do your job for you?  If
 you have specific questions after showing that you've done at least a
 modicum of research on your own is one thing; being fully reliant on the
 volunteers on this list is another.

Yeah, some like to find the easiest, the shortest, the least-effort way :)


Re: [CentOS] firewall?

2011-07-16 Thread Ljubomir Ljubojevic
hadi motamedi wrote:
 Dear All
 I need to put my CentOS 5.6 server as a firewall server in front of a
 windows-running node before connecting it to the net. Can you please
 let me know what stuff do I need to put on my centos server?
 Thank you
 
 
You might be interested in shorewall[1]. It has config files and 
extensive documentation. You tell it what you want and all the iptables 
rules are set automatically. It also has a webmin module. There are RPMs for 
CentOS 5, but I think they would also be OK on CentOS 6.

[1]: http://www.shorewall.net/

Ljubomir
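As an added example (my own, not code from the thread or from the Shorewall project), here is what "you tell it what you want" looks like in practice: the Shorewall 4.x files for the same two-NIC gateway described earlier in the thread, with eth0 on the internet and eth1 on a 192.168.2.0/24 LAN (both assumptions). Shorewall compiles these into the iptables rules. The only holes punched toward the firewall itself are SSH and Webmin's port 10000 from the LAN; 10000 is included only because Webmin was suggested as the management UI, so drop that line if it is not installed.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): write a Shorewall 4.x
# configuration for a two-NIC gateway and let Shorewall generate iptables.
# Assumptions: eth0 = internet, eth1 = LAN 192.168.2.0/24, CONF_DIR=/etc/shorewall.
CONF_DIR=${CONF_DIR:-/etc/shorewall}

write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"
    # Zones: the firewall itself, the internet, and the local LAN.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    # Which interface belongs to which zone; the options add TCP-flag and
    # smurf sanity checks and reverse-path filtering on the internet side.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags
EOF
    # Default policy: LAN and firewall may go out; the internet is dropped
    # and logged; anything not covered is rejected and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Exceptions to the policy: management of the firewall from the LAN only
    # (SSH, Webmin on 10000 if installed, and ping). Nothing from 'net'.
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
SECTION NEW
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      tcp     10000
ACCEPT  loc     fw      icmp    8
EOF
    # NAT: masquerade the LAN behind eth0 (the 4.x 'masq' file).
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.2.0/24
EOF
}

# Look up the policy between two zones; used to sanity-check the written files.
policy_for() { awk -v s="$2" -v d="$3" '$1 == s && $2 == d { print $3 }' "$1/policy"; }

case "${1:-}" in
    apply)                                 # needs root and the shorewall package
        write_shorewall_config "$CONF_DIR"
        shorewall check && shorewall start # compile first; start only if it compiles
        ;;
    *)                                     # default: write to a scratch dir and show it
        tmp=$(mktemp -d)
        write_shorewall_config "$tmp"
        for f in zones interfaces policy rules masq; do
            printf '== %s ==\n' "$f"; cat "$tmp/$f"
        done
        ;;
esac
```

Before the first `apply`, set IP_FORWARDING=On in shorewall.conf (and STARTUP_ENABLED=Yes if the packaged file still has it at No), otherwise Shorewall refuses to start; `shorewall check` reports such problems without touching the running firewall.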


Re: [CentOS] firewall?

2011-07-16 Thread John R. Dennison
On Sat, Jul 16, 2011 at 07:14:09PM +0800, Fajar Priyanto wrote:
 
 Yeah, some like to find the easiest, the shortest, the least-effort way :)

There is a history of Hadi misusing this list; this is by no means the
first time.





John
-- 
Much of what looks like rudeness in hacker circles is not intended to give
offense. Rather, it's the product of the direct, cut-through-the-bullshit
communications style that is natural to people who are more concerned about
solving problems than making others feel warm and fuzzy.

http://www.tuxedo.org/~esr/faqs/smart-questions.html




Re: [CentOS] firewall?

2011-07-16 Thread Fajar Priyanto
On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic off...@plnet.rs wrote:
 You might be interested in shorewall[1]. It has config files and
 extensive documentation. You tell it what you want and all the iptables
 rules are set automatically. It also has a webmin module. There are RPMs for
 CentOS 5, but I think they would also be OK on CentOS 6.

 [1]: http://www.shorewall.net/

Hadi,
With all the suggestions, I believe it's enough to get you going.
iptables, shorewall, webmin.

All you have got to do now is to google around using those keywords,
and start learning by yourself.
Google has everything.


Re: [CentOS] firewall?

2011-07-16 Thread B.J. McClure
On Sat, 2011-07-16 at 14:56 +0430, hadi motamedi wrote:

snip

 
 Thank you for your help. I tried to get it as 'yum install webadmin*'
 but unsuccessful. Can you please confirm if the spelling is correct?

Google is your friend.  A simple search would have revealed:

http://www.webmin.com/download.html 


B.J.

CentOS Linux release 6.0 (Final)



Re: [CentOS] firewall?

2011-07-16 Thread Ljubomir Ljubojevic
Fajar Priyanto wrote:
 On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic off...@plnet.rs wrote:
 You might be interested in shorewall[1]. It has config files and
 extensive documentation. You tell it what you want and all the iptables
 rules are set automatically. It also has a webmin module. There are RPMs for
 CentOS 5, but I think they would also be OK on CentOS 6.

 [1]: http://www.shorewall.net/
 
 Hadi,
 With all the suggestions, I believe it's enough to get you going.
 iptables, shorewall, webmin.
 
 All you have got to do now is to google around using those keywords,
 and start learning by yourself.
 Google has everything.

I agree. No more free ride...

Ljubomir


Re: [CentOS] firewall?

2011-07-16 Thread Rudi Ahlers
On Sat, Jul 16, 2011 at 1:18 PM, Fajar Priyanto fajar...@arinet.org wrote:
 On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic off...@plnet.rs wrote:
 You might be interested in shorewall[1]. It has config files and
 extensive documentation. You tell it what you want and all the iptables
 rules are set automatically. It also has a webmin module. There are RPMs for
 CentOS 5, but I think they would also be OK on CentOS 6.

 [1]: http://www.shorewall.net/

 Hadi,
 With all the suggestions, I believe it's enough to get you going.
 iptables, shorewall, webmin.

 All you have got to do now is to google around using those keywords,
 and start learning by yourself.
 Google has everything.



But, sadly, Google can't teach someone to start making their own
choices or to think for themselves.


-- 
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532


Re: [CentOS] firewall?

2011-07-16 Thread Ljubomir Ljubojevic
hadi motamedi wrote:
 On 7/16/11, SZ Quadri s...@quadri.in wrote:
 You can use pretty standard tools: iptables etc. You just need a minimum
 server install with maybe some web-based GUI to manage the box from other
 machines. You can have a look at webmin (www.webmin.com), which offers a nice
 web interface and is popular in the hosting industry as a free admin web UI.

 - SZQ

 On Sat, Jul 16, 2011 at 10:03 AM, hadi motamedi motamed...@gmail.comwrote:

 Dear All
 I need to put my CentOS 5.6 server as a firewall server in front of a
 windows-running node before connecting it to the net. Can you please
 let me know what stuff do I need to put on my centos server?
 Thank you

 Thank you for your help. I tried to get it as 'yum install webadmin*'
 but unsuccessful. Can you please confirm if the spelling is correct?
 
 
It is webmin, and it is not part of the base repository. Visit 
http://www.webmin.com, read about it and then download it by clicking on 
the RPM link on the right. The installation procedure is explained 
on the web site.

Note: Read carefully so you know what and how things are done, and 
install only the rpm version.

Ljubomir


Re: [CentOS] firewall?

2011-07-16 Thread Ljubomir Ljubojevic
Rudi Ahlers wrote:
 On Sat, Jul 16, 2011 at 1:18 PM, Fajar Priyanto fajar...@arinet.org wrote:
 On Sat, Jul 16, 2011 at 6:47 PM, Ljubomir Ljubojevic off...@plnet.rs wrote:
 You might be interested in shorewall[1]. It has config files and
 extensive documentation. You tell it what you want and all the iptables
 rules are set automatically. It also has a webmin module. There are RPMs for
 CentOS 5, but I think they would also be OK on CentOS 6.

 [1]: http://www.shorewall.net/
 Hadi,
 With all the suggestions, I believe it's enough to get you going.
 iptables, shorewall, webmin.

 All you have got to do now is to google around using those keywords,
 and start learning by yourself.
 Google has everything.
 
 
 
 But, sadly, Google can't teach someone to start making their own
 choices or to think for themselves.
 
There was some commenting on the Kaspersky Facebook page where they 
wrote about the recent hacking and theft of the data of some US Government 
contractor, and the Kaspersky admin half joked that they should have used 
their product.
One excellent comment was:
"Does that include Common Sense Internet Security 2012?"
And it is SO true...

Ljubomir


Re: [CentOS] firewall?

2011-07-16 Thread William Warren
On 7/16/2011 12:33 AM, hadi motamedi wrote:
 Dear All
 I need to put my CentOS 5.6 server as a firewall server in front of a
 windows-running node before connecting it to the net. Can you please
 let me know what stuff do I need to put on my centos server?
 Thank you
I would suggest a dedicated firewall distro like untangle, pfsense, 
smoothwall, etc.

