Re: Border protection for Fedora

On Sun, 12 Dec 2010 05:30:23 -0800 (PST)
S Mathias <smathias1972@xxxxxxxxx> wrote:

> I have a small, simple firewall "script":
> http://pastebin.com/raw.php?i=NChRyqVu
> 
> Can I ask the mailing list to look at it for a few moments, and
> sort out the: 
> 
>  - unnecessary things in it [if it contains any, like are there
> solutions for writing multiple destination ip's in one line?]
>  - missing thing, that could be in a firewall, to make it
> _SAFER/BETTER_!
> 
> TODO's/Q's [please help!]: 
> 1) where do i have to put the "iptables-restore FROMTHEFILE" command
> [to set the firewall when e.g.: booting the pc] on Fedora?

No need. Fedora has an iptables service. 

Set up the rules the way you like and then: 

service iptables save
chkconfig iptables on

It will save your rules in /etc/sysconfig/iptables. 

> 2) what is the best application firewall under linux? [links for good
> howtos?]

Not sure what you mean by application firewall. 
The default ruleset is pretty good for a normal client machine. 
You will need to open ports for services/servers, but client side it
should let you go out fine. 

> 3) do i need a proxy? [i can guess that the http proxy on
> localhost can filter the http, but what's with https? it's end-to-end
> encrypted :O]

You only need a proxy if there is something you would like to do with
http or the like, for example caching for better speed, or filtering
out ads and such. See squid and privoxy for those. 

> 
> 4) can i do something with the: "$IPTABLES -A INPUT -p tcp --dport
> 20000 -j ACCEPT" - i'm seeding distros on torrent, but are there any
> plus "options" to e.g.: only allow torrent traffic on port
> 20000/input?

Not easily. That rule is allowing any traffic on that port. You would
need to use a module to try and determine if it's torrent traffic.
However, if it's not, your client will discard it anyhow. ;) 

> 5) on line 68: "$IPTABLES -A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT" - when i put a "-p tcp" in it, it
> makes "funny" things - when i reopen my webbrowser, i "can't surf the
> net", so i can't put the "-p tcp" in it? :( - just to ensure only tcp
> comes IN. [why would i need anything else?? only OUTPUT udp needed,
> no? :O + icmp ping output..]

This rule is the stateful part of the filtering. It's saying that if
you make an outgoing connection to somewhere, you should allow the
incoming part of that back in. This is needed by more than tcp packets.
You may need for example dns queries (using udp by default) to get back
in when you send a request out. 

> 6) "is it safer", if i use a local dns cache? like "dnsmasq"? 

Safer in what sense? It's still getting data from somewhere. Do you
trust it more than where you would get the data from to begin with?

> 7) what does exactly "--state ESTABLISHED,RELATED" mean? why do i
> have to write this to the start of my firewall script?

This allows back in packets that are related or established. I.e., if
you make an ssh connection out, the remote machine sends its packets
back in, and the firewall knows that they are part of a connection you
started so they should be ok to allow back in. 

> 8) how could i block packets from: destination ip 255.255.255.255??
> "$IPTABLES -A INPUT -d 255.255.255.255 -j DROP" to the start of my
> script DOESN'T help :O i used wireshark to get this info.. the
> broadcast package was my routeros router.

Yes, that's a broadcast packet. Why would you need to block them?

> sorry if i ask too much :\ but i need these answers :\ [and at least
> it would be archived]

No problem at all. 

> THANK YOU for any help regarding these things!

enjoy. 

kevin
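Added example, not part of the thread above: a minimal ruleset in the iptables-restore format that "service iptables save" writes to /etc/sysconfig/iptables, with the ESTABLISHED,RELATED rule kept first and not limited to tcp, for the reasons given in the answers to questions 5 and 7. The port 20000 rule is the torrent rule from the original script; the rest of the layout is assumed, and check_state_rule is a hypothetical lint, not a Fedora tool.

```shell
#!/bin/sh
# Added example: minimal stateful INPUT ruleset in iptables-restore format
# (the layout that service iptables save stores in /etc/sysconfig/iptables).
# Assumed layout, apart from the torrent port 20000 from the original script.
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 20000 -j ACCEPT
COMMIT
EOF
}

# check_state_rule (hypothetical lint): reads a ruleset on stdin and
# returns 0 only if the INPUT chain has an ESTABLISHED,RELATED rule that
# is not restricted to one protocol (a "-p tcp" there blocks the UDP DNS
# replies to your own queries, the breakage described in question 5) and
# that comes before any per-port ACCEPT, so replies are matched first.
check_state_rule() {
  awk '
    /^-A INPUT / && /--state ESTABLISHED,RELATED/ {
      found = 1
      if ($0 ~ /-p (tcp|udp|icmp)/) bad = "state rule limited to one protocol"
      else if (seen_port) bad = "state rule placed after a per-port ACCEPT"
    }
    /^-A INPUT / && /--dport/ { seen_port = 1 }
    END {
      if (!found) bad = "no ESTABLISHED,RELATED rule in INPUT"
      if (bad) { print bad; exit 1 }
    }
  '
}

# apply_ruleset: lint, load with iptables-restore, then persist it the
# Fedora way (service iptables save; chkconfig iptables on). Needs root.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
  ruleset | check_state_rule || return 1
  ruleset | iptables-restore && service iptables save && chkconfig iptables on
}
```

Run "ruleset | check_state_rule" to lint, or "ruleset | check_state_rule < /etc/sysconfig/iptables" style piping of your own saved file to check an existing ruleset.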
