Re: iptables support?


 



On Sat, 10 Dec 2005, Tim wrote:

> Though, I would have thought that on a server you really wouldn't want a
> default input accept policy.  You'd have to be *very* *sure* that
> everything on that server was internally ignoring connections that
> shouldn't be allowed to the outside world.  At least a default deny/drop
> incoming policy gives you some measure of protection against surprises.

Having a default DROP policy on a highly loaded server stresses connection tracking. I'm talking about 4K+ users; we've had boxes start to bail around there, no matter how much fine tuning we did. Without fine tuning they crack up at around 2.5K.

Also, even with only a mere single user, it can be a problem if you run an FTP server, due to the way FTP works with its data port etc. Most of our servers have 22 filtered on the router, then iptables handles the rest: an explicit allow for 80 if it's a web server, 25/110 if it's a mail server, then block everything else in 1-1023, 3306 (SQL) and 2 other ports used with
apcupsd.


--
Cheers
Res
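The two rule layouts being argued over above, as an added example that is not code from either poster: a stateless ACCEPT-policy set that allows the role's ports and then drops new connections to the well-known range, 3306 and the apcupsd ports (the layout Res describes), next to a default-DROP set built on `-m state` (the layout Tim prefers). The apcupsd port number (3551, apcupsd's default NIS port), the `ADMIN_NET` variable and the `web`/`mail` role names are assumptions; the post gives none of them. `IPT` defaults to `echo iptables`, so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints the two INPUT-chain
# layouts discussed above so they can be compared side by side.
#
# Dry run by default: IPT is "echo iptables", so rules are printed, not loaded.
# Run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Assumption: apcupsd's ports are not named in the post; 3551 is apcupsd's
# default NIS port. Override with APCUPSD_PORTS="3551 6666" if you use others.
APCUPSD_PORTS="${APCUPSD_PORTS:-3551}"

# Assumption: the post filters 22 on the router. If this host must be reachable
# over SSH without that router, set ADMIN_NET (e.g. 192.0.2.0/24) or the
# 1:1023 drop below locks you out.
ADMIN_NET="${ADMIN_NET:-}"

# role_ports ROLE: well-known TCP ports a host of this role must accept.
role_ports() {
    case "$1" in
        web)  echo 80 ;;
        mail) echo "25 110" ;;
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# stateless_rules ROLE: ACCEPT policy, explicit allows, then DROP the rest of
# the well-known range. No -m state / -m conntrack anywhere, so nf_conntrack
# is never loaded and there is no connection table to fill up.
stateless_rules() {
    ports=$(role_ports "$1") || return 1
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    for p in $ports; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    if [ -n "$ADMIN_NET" ]; then
        $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    fi
    # --syn refuses only *new* inbound TCP connections; replies to connections
    # this host opened arrive on ephemeral ports above 1023 and are untouched.
    $IPT -A INPUT -p tcp --syn --dport 1:1023 -j DROP
    # UDP has no SYN: this also drops replies to daemons that send from a
    # low source port (ntpd uses 123), so add an allow for those if needed.
    $IPT -A INPUT -p udp --dport 1:1023 -j DROP
    $IPT -A INPUT -p tcp --syn --dport 3306 -j DROP
    for p in $APCUPSD_PORTS; do
        $IPT -A INPUT -p tcp --syn --dport "$p" -j DROP
    done
}

# stateful_rules ROLE: default-DROP layout. Every packet is looked up in the
# conntrack table and every accepted connection holds an entry until it times
# out; that table is what the post reports saturating at a few thousand users.
stateful_rules() {
    ports=$(role_ports "$1") || return 1
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Everything else, including new connections to high ports, hits DROP.
}

# uses_conntrack TEXT: succeeds if the printed rules would load conntrack.
uses_conntrack() {
    printf '%s\n' "$1" | grep -q -e '-m state' -e '-m conntrack'
}

case "${1:-}" in
    stateless|stateful) "${1}_rules" "${2:-web}" ;;
    *) echo "usage: $0 stateless|stateful [web|mail]" >&2 ;;
esac
```

Run it as `sh rules.sh stateless web` or `sh rules.sh stateful mail` to see each set. The trade-off the thread is about shows in the output: the stateless set never touches the conntrack table, but a daemon listening above 1023 (or on a port the script forgot) is reachable from anywhere, exactly Tim's "surprises"; the stateful set closes that off at the cost of one table entry per live connection.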


