On Sun, 12 Dec 2010 05:30:23 -0800 (PST)
S Mathias <smathias1972@xxxxxxxxx> wrote:

> I have a small, simple firewall "script":
> http://pastebin.com/raw.php?i=NChRyqVu
>
> Can I ask the mailing list to look at it for a few moments, and
> sort out the:
>
> - unnecessary things in it [if it contains any, like are there
> solutions for writing multiple destination ip's in one line?]
> - missing things that could be in a firewall, to make it
> _SAFER/BETTER_!
>
> TODO's/Q's [please help!]:
> 1) where do i have to put the "iptables-restore FROMTHEFILE" command
> [to set the firewall when e.g.: booting the pc] on Fedora?

No need. Fedora has an iptables service. Set up the rules the way you
like and then:

service iptables save
chkconfig iptables on

It will save your rules in /etc/sysconfig/iptables.

> 2) what is the best application firewall under linux? [links for good
> howtos?]

Not sure what you mean by application firewall. The default ruleset is
pretty good for a normal client machine. You will need to open ports
for services/servers, but client side it should let you go out fine.

> 3) do i need a proxy? [i can guess that the http proxy on
> localhost can filter the http, but what's with https? it's end-to-end
> encrypted :O]

You only need a proxy if there is something you would like to do with
http or the like, for example caching for better speed, or filtering
out ads and such. See squid and privoxy for those.

> 4) can i do something with the: "$IPTABLES -A INPUT -p tcp --dport
> 20000 -j ACCEPT" - i'm seeding distros on torrent, but are there any
> plus "options" to e.g.: only allow torrent traffic on port
> 20000/input?

Not easily. That rule is allowing any traffic on that port. You would
need to use a module to try and determine if it's torrent traffic.
However, if it's not, your client will discard it anyhow. ;)

> 5) on line 68: "$IPTABLES -A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT" - when i put a "-p tcp" in it, it
> makes "funny" things - when i reopen my webbrowser, i "can't surf the
> net", so i can't put the "-p tcp" in it? :( - just to ensure only tcp
> comes IN. [why would i need anything else?? only OUTPUT udp needed,
> no? :O + icmp ping output..]

This rule is the stateful part of the filtering. It's saying that if
you make an outgoing connection to somewhere, you should allow the
incoming part of that back in. This is needed by more than tcp packets.
You may need for example dns queries (using udp by default) to get back
in when you send a request out.

> 6) "is it safer", if i use a local dns cache? like "dnsmasq"?

Safer in what sense? It's still getting data from somewhere. Do you
trust it more than where you would get the data from to begin with?

> 7) what does exactly "--state ESTABLISHED,RELATED" mean? why do i
> have to write this to the start of my firewall script?

This allows back in packages that are related or established. Ie, if
you make a ssh connection out, the remote machine sends its packets
back in, and the firewall knows that they are part of a connection you
started so they should be ok to allow back in.

> 8) how could i block packets from: destination ip 255.255.255.255??
> "$IPTABLES -A INPUT -d 255.255.255.255 -j DROP" to the start of my
> script DOESN'T help :O i used wireshark to get this info.. the
> broadcast package was my routeros router.

Yes, that's a broadcast packet. Why would you need to block them?

> sorry if i ask too much :\ but i need these answers :\ [and at least
> it would be archived]

No problem at all.

> THANK YOU for any help regarding these things!

enjoy.

kevin
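The reply above covers the two points a client firewall tends to get wrong: the ESTABLISHED,RELATED rule has to come first and must not be pinned to "-p tcp", or UDP replies (DNS) and related ICMP never get back in; and a plain "--dport 20000" rule admits any traffic on that port, not just torrent. The following is an added example, not the script from the original post or anything from the Fedora project: a POSIX shell script that generates a minimal stateful ruleset in iptables-restore format (the same format "service iptables save" writes to /etc/sysconfig/iptables) and checks the two properties just mentioned. The interface names, the file path and the TORRENT_PORT default are constructed for the example.

```shell
#!/bin/sh
# Added example (constructed, not from the original post): generate and check a
# minimal stateful client ruleset in iptables-restore format.

# Port from the thread's question 4; override with TORRENT_PORT=... in the env.
TORRENT_PORT="${TORRENT_PORT:-20000}"

# Print the ruleset. The state rule is first and carries no "-p tcp", so that
# UDP replies (DNS) and ICMP errors related to connections we opened get back in.
# Lines starting with '#' are ignored by iptables-restore.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Q5/Q7: return traffic for connections this host started; must cover udp/icmp too
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Q4: torrent listening port; iptables alone cannot tell torrent from other traffic
-A INPUT -p tcp --dport ${TORRENT_PORT} -j ACCEPT
-A INPUT -p udp --dport ${TORRENT_PORT} -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: the state rule must precede any
# port-specific rule and must not be restricted to a single protocol.
# Returns 0 when both hold, 1 otherwise.
check_ruleset() {
    rules=$(gen_ruleset)
    state_line=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | head -n1 | cut -d: -f1)
    first_port=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -n1 | cut -d: -f1)
    [ -n "$state_line" ] || return 1
    if [ -n "$first_port" ] && [ "$state_line" -ge "$first_port" ]; then
        return 1
    fi
    if printf '%s\n' "$rules" | grep 'ESTABLISHED,RELATED' | grep -q -- '-p tcp'; then
        return 1
    fi
    return 0
}

# Write the ruleset to a file and echo the path. Load it with
# "iptables-restore < FILE"; on Fedora, copy it to /etc/sysconfig/iptables
# and run "service iptables restart" (or "service iptables save" after loading).
write_ruleset() {
    out="${1:-./iptables.rules}"
    gen_ruleset > "$out"
    printf '%s\n' "$out"
}

# Optional syntax check against the real parser: only when iptables-restore is
# present and we are root. "--test" parses the file without applying it.
if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_ruleset | iptables-restore --test && echo "ruleset parses"
fi
```

The check is deliberately textual: it catches the exact mistake from question 5 (a "-p tcp" on the state rule) and a state rule that has drifted below the port rules, both of which iptables-restore would accept without complaint.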
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines