----- Original Message -----
From: "Jochem van Dieten" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, February 04, 2004 2:32 PM
Subject: Re: OT-Firewall

> Mike Brunt wrote:
> > Eric, we use Tiny Firewall for this sort of requirement.
> >
> > http://www.tinysoftware.com/home/tiny2?la=EN
> >
> > Hth, I am sure Jochem will have some good recommendations on this also.
>
> I'm not sure if they are good, I could use some peer review ;-)
>
> My usual solution is to enable the built-in packetfilter and
> don't run anything else. Open port 80 for HTTP and optionally 21
> for FTP (active only), 443 for HTTPS, X for remote control
> software and leave the rest closed. UDP is a bit more tricky, DNS
> will fail because you are really using a client and the client
> runs on an ephemeral port (the server runs on 53). You should be
> able to get around this if you have a second NIC and your DNS
> server is on the local subnet, or else I just leave it unfiltered
> (it is filtered at the router here anyway.)
> After that, follow the instructions in the Microsoft TCP/IP
> whitepaper [1] to further harden your stack. There are also some
> templates available from the NSA.
>
> Overall I have not had any problems with such a configuration. It
> is also a great way to connect unpatched systems during installation.

It's better than nothing, but not very flexible.  I have yet to figure out,
for instance, how to protect a box and still permit FTP out (for CFFTP).

If you can't use a good, dedicated hardware or *nix firewall, then I'll
second the nod for Tiny Firewall.  Nice for standalone servers that you just
need to plug into a network.  A server license is $79 from Tiny Software.

http://www.tinysoftware.com
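The DNS problem Jochem describes comes from the built-in packet filter being stateless: it judges each inbound packet by its destination port alone, and a DNS client receives replies on an ephemeral port, not on 53. The following is an added example (not from any message in this thread) that models the two policies over a constructed packet trace: the stateless port filter from the post, and a stateful filter that records outbound UDP queries and admits only the matching replies. All addresses and port numbers are constructed for the illustration.

```python
"""Stateless vs. stateful UDP filtering, illustrated for the DNS-client case.

Added example, not part of the mailing list thread. It models a host firewall
over a constructed packet trace under two policies: a stateless filter that
admits inbound UDP only when the destination port is 53, and a stateful filter
that remembers outbound queries and admits only replies that match them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


HOST = "192.0.2.10"        # constructed address of the protected server
RESOLVER = "192.0.2.53"    # constructed address of the DNS server it queries
OTHER = "198.51.100.7"     # constructed address of an unrelated host

# Inbound TCP ports the post opens (80 and 443; 21 and a remote-control
# port would be added here the same way).
ALLOWED_TCP_IN = {80, 443}


def stateless_filter(pkt: Packet) -> bool:
    """Decide per packet with no memory of earlier traffic."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp":
        return pkt.dst_port in ALLOWED_TCP_IN
    if pkt.proto == "udp":
        # Only a DNS *server* listens on 53. A client's reply arrives on the
        # ephemeral port the query left from, so this rule can never admit it.
        return pkt.dst_port == 53
    return False


class StatefulFilter:
    """Track outbound UDP queries and admit only the matching replies."""

    def __init__(self) -> None:
        # (local ephemeral port, remote ip, remote port) of each open query
        self.pending: set[tuple[int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.proto == "udp":
                self.pending.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.proto == "tcp":
            return pkt.dst_port in ALLOWED_TCP_IN
        if pkt.proto == "udp":
            key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.pending:
                self.pending.discard(key)  # one query admits one reply
                return True
        return False


# Constructed trace: a DNS query from an ephemeral port, its reply, an
# unsolicited UDP packet to that same ephemeral port from another host,
# an HTTP connection, and a connection to a port that is not opened.
TRACE = [
    Packet("out", "udp", HOST, 49152, RESOLVER, 53),
    Packet("in", "udp", RESOLVER, 53, HOST, 49152),
    Packet("in", "udp", OTHER, 53, HOST, 49152),
    Packet("in", "tcp", OTHER, 40000, HOST, 80),
    Packet("in", "tcp", OTHER, 40001, HOST, 3389),
]


def compare(trace=TRACE):
    """Return (stateless decisions, stateful decisions) for the trace."""
    stateless = [stateless_filter(p) for p in trace]
    stateful_policy = StatefulFilter()
    stateful = [stateful_policy.allow(p) for p in trace]
    return stateless, stateful


if __name__ == "__main__":
    for pkt, a, b in zip(TRACE, *compare()):
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  stateless={a} stateful={b}")
```

Running it shows the resolver's reply dropped by the stateless policy and admitted by the stateful one, while the unsolicited packet to the same ephemeral port is rejected by both, which is the property Jochem's workarounds (a second NIC on the DNS subnet, or filtering at the router) are standing in for.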