S Mathias:

Firstly, please do NOT post in HTML. Amongst all the other annoyances, it makes it difficult to quote content when we're replying.

Now, onto your email...

> I have a small, simple firewall "script":
> http://pastebin.com/raw.php?i=NChRyqVu

Be careful about blocking ICMP if you do not understand it. If you block too much, you will kill off your traffic.

Are you going to use the logs you're making? If not, then there's no point making logs. You'll just be filling up drive space.

Setting default policies to ACCEPT then DROP seems silly to me. And, there's a (small) chance you allow something through before the DROP rule gets set. I set my incoming rules to DROP, *then* punch holes in.

You *may* need to be more allowing with DNS rules. It depends on how your DNS resolver works. Does it *only* use those upstream servers? Or, if they can't answer it, does it directly go to the server for the top level domain?

> Can I ask the mailing list, that look at it for a few moments, and
> sort out the:
>
> - unnecessary things in it [if it contains any, like are there
> solutions for write multiple destination ip's in one line?]
> - missing thing, that could be in a firewall, to make it
> _SAFER/BETTER_!
>
> TODO's/Q's [please help!]:
> 1) where do i have to put the "iptables-restore FROMTHEFILE" command
> [to set the firewall when e.g.: booting the pc] on Fedora?
> 2) what is the best application firewall under linux? [links for good
> howtos?]

What do you mean? Do you mean, like Windows, where a firewall can act upon particular applications (i.e. allow/block Firefox as a program, rather than use TCP/IP rules)? Or, do you merely mean some helper program that lets you easily set up firewall rules, instead of doing it by hand with the command line?

> 3) do i need a proxy? [i can guess that, that the http proxy on
> localhost can filter the http, but what's with https? it's end-to-end
> encrypted :O]

If things work without one, you don't "need" one.

Do you want a proxy? You can use them as a censoring/filtering tool. You can use them to speed up access to the same resources by multiple computers on a LAN (e.g. everyone reading the news in an office, or doing all their software updates, of the same software on different computers), but it won't help when people are not repeatedly browsing the same things (i.e. you read a page once, different people reading completely different things).

> 4) can i do something with the: "$IPTABLES -A INPUT -p tcp --dport
> 20000 -j ACCEPT" - i'm seeding distros on torrent, but are there any
> plus "options" to e.g.: only allow torrent traffic on port
> 20000/input?

If you're going to apply rules to things like torrents, you're going to need to configure your torrent software appropriately, too. If you block something vital to how it (currently) works, it's not going to work right.

> 5) on line 68: "$IPTABLES -A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT" - when i put a "-p tcp" in it, it makes
> "funny" things - when i reopen my webbrowser, i "can't surf the net",
> so i can't put the "-p tcp" in it? :( - just to ensure only tcp comes
> IN. [why would i need anything else?? only OUTPUT udp needed, no? :O +
> icmp ping output..]
>
> 7) what does exactly "--state ESTABLISHED,RELATED" mean? why do i have
> to write this to the start of my firewall script?

Points 5 and 7 are related. The ESTABLISHED,RELATED clause is about dealing with other traffic that's related to something that you've allowed/denied. Some things are quite involved, with traffic going back and forth on different ports, sometimes not always the same port. That makes it very hard to come up with fixed rules. But this makes it easier.

The thing that I always wonder about, but never actually looked into, is how it determines what's appropriate. Such as, if I browse a website, I don't think that it making a connection back to my mail server (from the same IP as the website) would be an appropriate "related" connection.

> 6) "is it safer", if i use a local dns cache? like "dnsmasq"?

"Safer" than what? Do you keep up-to-date with security issues in your resolver? Do you do it better than your ISP?

I use BIND, because every ISP I've ever used has had crap DNS servers, either all the time, or from time to time. Other people have issues with censorship, something I'll have to deal with eventually, if the Great Moronic Firewall of Australia ever actually happens.

> 8) how could i block packets from: destination ip 255.255.255.255??
> "$IPTABLES -A INPUT -d 255.255.255.255 -j DROP" to the start of my
> script DOESN'T help :O i used wireshark to get this info.. the
> broadcast package was my routeros router.

I would be highly cautious about such a wildcard block. e.g. If you use a DHCP server to assign an IP address to your computer, you're probably going to block yourself off from the DHCP server. Likewise with other networking housekeeping. Though, probably, most home routers don't bother doing any of the stuff that they could do.

Just because something noticed networking activity within your LAN, that you don't understand, doesn't necessarily mean that it should be blocked.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
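As an added example (not the original poster's pastebin script and not Tim's own rules), the following POSIX shell script turns the advice in the reply into a rule set in `iptables-restore` format: the INPUT policy is DROP from the start and holes are punched afterwards, the ESTABLISHED,RELATED rule carries no `-p tcp` so that UDP DNS replies and ICMP errors for existing connections still get in, ICMP is allowed selectively rather than blocked wholesale, DHCP replies (which arrive as broadcasts, hence the caution about dropping 255.255.255.255) are permitted explicitly, and log rules are only emitted when asked for. The interface name `eth0`, the torrent port 20000 from the question and the `WANT_LOGS` switch are assumptions made for this example. The script only prints the rules; applying them is a separate, root-only step.

```shell
#!/bin/sh
# Added example: emit an iptables-restore rule set that follows the reply's
# advice. Nothing is applied here; the caller reviews the output first.
# Assumptions (constructed for this example): one LAN interface in LAN_IF,
# the OP's torrent port in TORRENT_PORT, WANT_LOGS=1 to add a LOG rule.
LAN_IF="${LAN_IF:-eth0}"
TORRENT_PORT="${TORRENT_PORT:-20000}"
WANT_LOGS="${WANT_LOGS:-0}"

# Print the filter table in iptables-restore format to stdout.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -i $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp --dport $TORRENT_PORT -j ACCEPT
-A INPUT -p udp --dport $TORRENT_PORT -j ACCEPT
EOF
    # Only write log rules if someone will actually read the logs; rate-limit
    # them so a scan cannot fill the disk.
    if [ "$WANT_LOGS" = 1 ]; then
        printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "'
    fi
    echo "COMMIT"
}

# Sanity check on the generated text: the state rule must stay protocol-agnostic,
# and the INPUT policy must already be DROP before any ACCEPT rule appears.
check_rules() {
    rules=$(gen_rules)
    if printf '%s\n' "$rules" | grep -- '--state ESTABLISHED,RELATED' | grep -q -- '-p tcp'; then
        echo "state rule restricted to tcp: UDP DNS replies would be dropped" >&2
        return 1
    fi
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || { echo "INPUT policy is not DROP" >&2; return 1; }
    return 0
}

# Usage (as root, after reviewing the output):
#   PRINT_RULES=1 sh thisfile.sh > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
if [ "${PRINT_RULES:-0}" = 1 ]; then
    check_rules && gen_rules
fi
```

The ICMP error types (destination-unreachable, time-exceeded and so on) are not listed individually because, for traffic the host itself started, conntrack classifies them as RELATED and the state rule already admits them; only the inbound echo-request needs its own, rate-limited, hole.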