Re: Linux Home Server HOWTO - Open For Review

Christopher K. Johnson wrote:

> In the SSH section - I highly recommend disabling protocol 1, making the sshd_config line:
> Protocol 2

I agree. Although it is rare that this might be exploited, I think it's best to be safe.
I was considering key authentication, possibly next revision as you suggest.


> Back to the current document.
> In the NFS section - an nfs3 configuration for which access can be restricted by firewall rules can be achieved easily.

Thanks for the NFS firewalling info, it's great information, although I would probably consider this more of an advanced-user topic. I'll see how we go.


> By the way I believe in a stateful firewall the inquiries initiated by ntpd do not need firewall rules to permit their response. It is only when broadcasts are listened for that a firewall hole is needed to listen for them. So when using specific ntp servers and you have a rule such as your:
> iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...then ntpd should work fine. It appears that the insertion of iptables rules in the ntpd start script is no longer done in FC3. If memory serves - those specifically targeted the RH-Firewall-1-INPUT table anyhow, and you are not using that table.

You are correct about both the FC3 initscripts and the firewall rules. I've flagged the NTP comment box for possible deletion in coming revisions; I'll leave it for the time being as a precaution (this chapter is distro-generic info, so it may still affect some users).


> Lastly I would include a small section below Packet Forwarding within Firewall Concepts to introduce the use of sysctl.conf control of ecn and tcp window scaling since these can cause problems with some routers, firewalls, etc. So knowing how to turn them off is useful.

The sysctl probably wouldn't hurt new users. I'll keep the info handy and see what I can do with it (have to make it simple).



Chris,

Thanks for the feedback.

I have made some minor adjustments to the document and flagged other sections for future review based on your suggestions.

Thanks for your time.

Cheers,
Miles.
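As an added example (not from the original thread or the HOWTO), a small POSIX sh audit of the two settings discussed above: it reads the effective Protocol line from an sshd_config file and prints the sysctl.conf lines that disable ECN and TCP window scaling. It assumes OpenSSH's rule that the first value read for a keyword wins, and the "2,1" default of that era when no Protocol line is present.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a given sshd_config for the
# "Protocol 2" recommendation and emit the sysctl.conf lines for ECN / window
# scaling. Assumes OpenSSH semantics where the FIRST value read for a keyword
# wins, and the era's "2,1" default when no Protocol line is present.

# Print the effective Protocol value from the sshd_config file given as $1.
effective_ssh_protocol() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow Key=Value
        tolower($1) == "protocol" {             # first occurrence wins
            v = $2
            for (i = 3; i <= NF; i++) v = v $i  # rejoin "2, 1" -> "2,1"
            print v
            exit
        }
    ' "$1"
}

# Succeed (exit 0) only when protocol 1 is absent from the effective setting.
sshd_protocol_ok() {
    p=$(effective_ssh_protocol "$1")
    [ -z "$p" ] && p="2,1"    # assumed default when the keyword is unset
    case ",$p," in
        *,1,*) return 1 ;;
        *)     return 0 ;;
    esac
}

# sysctl.conf lines that turn off ECN and TCP window scaling, for hosts behind
# routers or firewalls that mishandle them; apply with: sysctl -p /etc/sysctl.conf
tcp_compat_sysctl_fragment() {
    printf '%s\n' 'net.ipv4.tcp_ecn = 0' 'net.ipv4.tcp_window_scaling = 0'
}

# Demo on a constructed sshd_config (a temp file, not the real system file).
demo_cfg=$(mktemp)
printf '%s\n' '# Protocol 2' 'Protocol 2,1' 'Protocol 2' 'Port 22' > "$demo_cfg"
if sshd_protocol_ok "$demo_cfg"; then
    echo "sshd: protocol 1 disabled"
else
    echo "sshd: protocol 1 still enabled (effective: $(effective_ssh_protocol "$demo_cfg"))"
fi
rm -f "$demo_cfg"
tcp_compat_sysctl_fragment
```

Note that the demo file deliberately has a commented-out line and a later "Protocol 2"; the earlier "Protocol 2,1" is what sshd would actually use.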

