Re: recommend hardware firewall

On 04/05/2010 10:15 AM, Mikkel wrote:
> On 04/05/2010 11:51 AM, Michael Miles wrote:
>    
>> On 04/05/2010 09:34 AM, Mikkel wrote:
>>      
>>> On 04/05/2010 11:16 AM, Michael Miles wrote:
>>>
>>>        
>>>> I'm not too bad with firewalls but I am used to more detailed firewall
>>>> software.
>>>> I just came from the hell they call Win 7 and I was using Bitdefender
>>>> for the last couple of years.
>>>> I'm just using the firewall that comes with Fedora 12, is there better
>>>> firewall software out there.
>>>>
>>>>
>>>>          
>>> Not for the actual firewall, but there are different front-ends for
>>> configuring it. You can pick the one that works best for you, or
>>> write your own firewall rules by hand.
>>>
>>> The actual firewall is part of the kernel. What the firewall
>>> software does is help you configure that firewall. When I played
>>> with Windows, the firewall was an add-on - kind of an afterthought.
>>> I don't know if this is still true.
>>>
>>> Mikkel
>>>
>>>        
>> It is all add-on with Windows
>>
>> I tell you my 4 core Phenom II 945 has more than doubled speed going
>> from Win 7 x64 to Fedora 12.
>>
>> These front ends for the firewall in Fedora. Is there one in particular
>> that you use?
>>
>> Michael
>>      
> I usually use system-config-firewall, as the needs on my desktop and
> laptop are fairly simple. I do have 2 sets of rules for the laptop,
> depending on whether I am home or traveling. When I am home, the
> network is behind a hardware firewall as well. But your needs may
> differ from mine.
>
> On a side note, if you want to see the firewall rules set up by the
> front end, take a look at /etc/sysconfig/iptables and ip6tables. You
> can also run "iptables -L" to see the rules currently in effect. The
> iptables command will also let you modify rules without going
> through a GUI.
>
> Mikkel
>    
It looks like the default desktop config for the firewall lets everything through.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This is my iptables file

# table header required by iptables-restore (added here; the posted file omitted it)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

And ip6tables


# table header required by ip6tables-restore (added here; the posted file omitted it)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m ipv6header --header ah -j ACCEPT
-A INPUT -m ipv6header --header esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Michael
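Added example, not part of the thread and not code from Fedora or system-config-firewall: a small first-match walk over the IPv4 INPUT rules Michael posted, to show concretely why that default "lets everything through". iptables evaluates a chain top to bottom and stops at the first matching rule, so `-A INPUT -i eth+ -j ACCEPT` (any interface named eth*) accepts every packet before the per-port mDNS/IPP/NetBIOS rules and the final REJECT are ever consulted; on an interface not named eth* (a wlan0 probe below) the same ruleset falls through to the REJECT. The `*filter` header is assumed (the posted file omitted it), `HARDENED_RULESET` is the same file with only that one line removed (in the spirit of Mikkel's "two sets of rules" for home and travel), and the probe packets are constructed for illustration.

```python
"""First-match simulation of an iptables-save INPUT chain (added example)."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed copy of the IPv4 INPUT rules posted in the thread; the '*filter'
# table line is assumed (the posted file omitted it), FORWARD/OUTPUT are left out.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same file with the blanket interface accept removed (constructed variant).
HARDENED_RULESET = RULESET.replace("-A INPUT -i eth+ -j ACCEPT\n", "")


@dataclass
class Rule:
    line: str
    chain: str
    target: str = ""
    iface: Optional[str] = None        # -i value; a trailing '+' is a prefix wildcard
    proto: Optional[str] = None        # -p value
    dport: Optional[int] = None        # --dport value
    dst: Optional[str] = None          # -d value
    states: Optional[Set[str]] = None  # --state values (conntrack states)


def parse_rules(text: str) -> List[Rule]:
    """Turn the '-A' lines of an iptables-save dump into Rule objects, in order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # '*table', ':CHAIN policy', COMMIT and comments carry no rules
        tok = shlex.split(line)
        rule = Rule(line=line, chain=tok[1])
        # every option used in this file takes exactly one value, so pair them up
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "-i":
                rule.iface = val
            elif opt == "-p":
                rule.proto = val
            elif opt == "--dport":
                rule.dport = int(val)
            elif opt == "-d":
                rule.dst = val
            elif opt == "--state":
                rule.states = set(val.split(","))
            elif opt == "-j":
                rule.target = val
            # '-m <module>' and '--reject-with' add no match criteria
        rules.append(rule)
    return rules


def _iface_ok(pattern: Optional[str], iface: str) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def evaluate(rules: List[Rule], chain: str, iface: str, proto: str,
             dport: Optional[int] = None, dst: Optional[str] = None,
             state: str = "NEW", policy: str = "ACCEPT") -> Tuple[str, Optional[str]]:
    """Walk `chain` like the kernel: first matching rule decides the verdict."""
    for r in rules:
        if r.chain != chain or not _iface_ok(r.iface, iface):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target, r.line
    return policy, None  # no rule matched: the chain policy applies


def find_blanket_accepts(rules: List[Rule], chain: str) -> List[str]:
    """ACCEPT rules with no protocol, port, address or state criteria: every later,
    more specific rule in the chain is dead for traffic arriving on that interface."""
    return [r.line for r in rules
            if r.chain == chain and r.target == "ACCEPT"
            and r.proto is None and r.dport is None
            and r.dst is None and r.states is None]


if __name__ == "__main__":
    posted = parse_rules(RULESET)
    print("blanket accepts:", find_blanket_accepts(posted, "INPUT"))
    # constructed probe: a fresh TCP connection to port 22 arriving on eth0
    print("eth0 tcp/22 (posted):  ", evaluate(posted, "INPUT", "eth0", "tcp", dport=22))
    print("wlan0 tcp/22 (posted): ", evaluate(posted, "INPUT", "wlan0", "tcp", dport=22))
    hardened = parse_rules(HARDENED_RULESET)
    print("eth0 tcp/22 (hardened):", evaluate(hardened, "INPUT", "eth0", "tcp", dport=22))
```

The check worth keeping from this is `find_blanket_accepts`: run it over the output of `iptables-save` and anything it returns other than the `lo` rule means the per-service rules below it are not doing what the front end's tick boxes suggest for that interface.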
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines