Derick--

We actually have a hardware firewall between our campus and the Internet, and a dedicated firewall device between the campus and the residence halls. This box is really only open to the academic buildings on campus.

The box you recommended looks nice for a residential firewall, but not for a firewall for a production server. Furthermore, it'd be silly to put those boxes on all of our machines, and putting a Cisco (etc.) hardware firewall between our data center and the academic portion of campus would not only be overkill, but would suffer the same drawback as iptables: static configuration. It would admittedly centralize the configuration, but I've already centralized my configs with Cfengine, and that cost a lot less than a fancy new firewall. :)

Thanks for the suggestion, but I'm definitely looking to fix this with iptables.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Mon, 15 May 2006, Derick Centeno wrote:

> Hi Chris:
>
> May I respectfully suggest a completely different approach?
>
> My reasoning for doing so follows this path: Maintaining a software firewall can be extremely challenging. They can be tricked, hacked and of course there are unintentional errors, even if one installs one or another piece of software -- say tripwire -- to watch it and any changes to your system for you.
>
> The alternative is to go to a hardwired firewall, plug it in and go about your business dedicating your time to something else which absolutely requires your attention.
> This little device has done its job over and time again (for me) and others and maybe if you consider it, you'll discover more time for other issues. The really hot thing about this device is that it does way more than what iptables can do for you anyway and the device works independently of any operating system. It is designed to work on networks faster than dial-up; so it can sit between the incoming signal and the router feeding the rest of the network, which means that anything coming past the device to the router is clean. So anything connected to that router -- wireless or otherwise -- is also clean as far as the signals it is receiving. Of course, making sure the internal nets are clean is the job of the sys.admin.
>
> Here's the link for you to review and consider:
>
> http://www.thinkgeek.com/computing/accessories/75f3/
>
> Of course, you could refer to IPCop.org, netfilter.org, or tldp.org ... but after the Stingray, all of that will become mere reference material.
>
> Best wishes.... Derick.
>
> On May 15, 2006, at 9:28 AM, Chris St. Pierre wrote:
>
>> Last week, I brought up iptables on my YDL 4 box with a very basic configuration, and all was working well. This morning, at about 8 am, it randomly started rejecting ping traffic. Restarting iptables did not solve the problem. My iptables configuration has not changed since Thursday afternoon. Here's my /etc/sysconfig/iptables:
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> As you can see, this is a very basic configuration that works on many other hosts -- and, in fact, worked on this host for a while, too. Any ideas? Thanks!
>>
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
>> _______________________________________________
>> yellowdog-general mailing list
>> [email protected]
>> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>> HINT: to Google archives, try '<keywords> site:terrasoftsolutions.com'
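As an added example that is not part of this thread, the following Python evaluator walks the posted ruleset the way netfilter does: INPUT jumps into RH-Firewall-1-INPUT, rules are tried in order, the first terminating target (ACCEPT, DROP or REJECT) decides, and a user-defined chain that runs off its end returns to the caller. It supports only the options the posted file uses, and it goes slightly beyond the thread by evaluating TCP and UDP packets as well as ICMP. Run over the ruleset exactly as posted, an inbound echo-request on any interface is accepted by the second rule of RH-Firewall-1-INPUT, which is the reason a practitioner compares the file against the live `iptables-save` output rather than the file alone. The ruleset string is the one from the thread; the packets, the interface name eth0 and all function names are constructions of this example.

```python
"""Evaluate constructed packets against an iptables-save style ruleset.

Added example, not code from the thread. Supports the options the posted
/etc/sysconfig/iptables uses (-i, -p, --icmp-type, -m state --state,
-m tcp --dport, -j, --reject-with) and nothing more.
"""
import shlex

# The ruleset as posted in the thread, with the wrapped "-j / ACCEPT" lines rejoined.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}  # numeric -p values pass through
MATCH_OPTS = ("-i", "-p", "--icmp-type", "--state", "--dport")        # one-argument match options
TERMINATING = ("ACCEPT", "DROP", "REJECT")


def parse_ruleset(text):
    """Return (policies, chains): chain -> policy (None for user chains), chain -> ordered rules."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or line == "COMMIT":
            continue  # table header / end marker
        if line.startswith(":"):  # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule = {"matches": {}, "target": None}
        for i in range(2, len(toks), 2):  # every supported option takes exactly one argument
            opt, arg = toks[i], toks[i + 1]
            if opt == "-j":
                rule["target"] = arg
            elif opt in MATCH_OPTS:
                rule["matches"][opt] = arg
            elif opt not in ("-m", "--reject-with"):  # module loads / reject type do not affect matching
                raise ValueError("unsupported option: " + opt)
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every match option on the rule agrees with the constructed packet dict."""
    m = rule["matches"]
    if "-i" in m and pkt["iface"] != m["-i"]:
        return False
    if "-p" in m and (PROTO_NAMES.get(m["-p"]) or int(m["-p"])) != pkt["proto"]:
        return False
    if "--icmp-type" in m and m["--icmp-type"] != "any" and pkt.get("icmp_type") != m["--icmp-type"]:
        return False
    if "--state" in m and pkt["state"] not in m["--state"].split(","):
        return False
    if "--dport" in m and pkt.get("dport") != int(m["--dport"]):
        return False
    return True


def verdict(policies, chains, chain, pkt, trace, depth=0):
    """Walk one chain; returns a terminating verdict, or None when a user chain falls off its end."""
    if depth > 16:
        raise RuntimeError("jump depth exceeded (looping chains?)")
    for idx, rule in enumerate(chains[chain]):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append((chain, idx, target))
        if target in TERMINATING:
            return target
        if target == "RETURN":
            return None
        if target in chains:  # jump; if the callee returns None, keep going in this chain
            result = verdict(policies, chains, target, pkt, trace, depth + 1)
            if result is not None:
                return result
            continue
        raise ValueError("unknown target " + target)
    return policies.get(chain)  # built-in policy, or None (implicit RETURN) for a user chain


def check(pkt):
    """Verdict and matched-rule trace for a packet entering the INPUT chain."""
    trace = []
    policies, chains = parse_ruleset(RULESET)
    return verdict(policies, chains, "INPUT", pkt, trace), trace


# Constructed packets; "eth0" is an assumed interface name.
SAMPLE_PACKETS = {
    "ping echo-request": {"iface": "eth0", "proto": 1, "state": "NEW", "icmp_type": "echo-request"},
    "ssh SYN": {"iface": "eth0", "proto": 6, "state": "NEW", "dport": 22},
    "smtp SYN": {"iface": "eth0", "proto": 6, "state": "NEW", "dport": 25},
    "dns UDP": {"iface": "eth0", "proto": 17, "state": "NEW", "dport": 53},
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        result, trace = check(pkt)
        print(f"{label:18} -> {result:7} via {trace[-1][0]} rule #{trace[-1][1]}")
```

The trace is the part worth reading: it names the chain and rule index that produced the verdict, so a discrepancy between what this says the file does and what the host actually does points at the live ruleset (counters from `iptables -L -v -n`, output of `iptables-save`) rather than at the file on disk.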
