On Wed, 19 May 2010, j.witvl...@mindef.nl wrote: > Hi Jerry, > > Just a general remark. > When deploying a firewall, it is advisable to have (atleast for input, better > for all) to have the general policy set to drop, and only allow in what you > expect to be coming in. If you put a "-j log" line as a final line for each > section, you'll see every packet you forgot about... > > Now the default is "allow", and only doing some SNAT and DNAT rules... > > hw
And as a follow up remark, it would be advisable to have a network policy in place that will help to define your rules. For example within a university environment like mine, we allow everything in by default except those services for which we want to explicitly block. Those that we want to explicitly block are documented and we run tests to ensure that our firewall is working as expected on a regular basis. Define your "business rules" first and make your firewall rules follow suit. -- James A. Peltier Systems Analyst (FASNet), VIVARIUM Technical Director HPC Coordinator Simon Fraser University - Burnaby Campus Phone : 778-782-6573 Fax : 778-782-3045 E-Mail : jpelt...@sfu.ca Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca http://blogs.sfu.ca/people/jpeltier MSN : subatomic_s...@hotmail.com TEAMWORK There's power in numbers. Learn to work together. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
