Re: Border protection for Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


S Mathias:

Firstly, please do NOT post in HTML.  Amongst all the other annoyances,
it makes it difficult to quote content when we're replying.

Now, onto your email...
> I have a small, simple firewall "script":

Be careful about blocking ICMP if you do not understand it.  If you
block too much, you will kill off your traffic.

Are you going to use the logs you're making?  If not, then there's no
point making logs.  You'll just be filling up drive space.

Setting default policies to ACCEPT then DROP seems silly to me.  And,
there's a (small) chance you allow something through before the DROP
rule gets set.  I set my incoming rules to DROP, *then* punch holes in.

You *may* need to be more allowing with DNS rules.  It depends on how
your DNS resolver works.  Does it *only* use those upstream servers?
Or, if they can't answer it, does it directly go to the server for the
top level domain?

> Can I ask the mailing list, that look at it for a few moments, and
> sort out the: 
>  - unnecessary things in it [if it contains any, like are there
> solutions for write multiple destination ip's in one line?]
>  - missing thing, that could be in a firewall, to make it
> TODO's/Q's [please help!]: 
> 1) where do i have to put the "iptables-restore FROMTHEFILE" command
> [to set the firewall when e.g.: booting the pc] on Fedora?

> 2) what is the best application firewall under linux? [links for good
> howtos?]

What do you mean?  Do you mean, like Windows, where a firewall can act
upon particular applications (i.e. allow/block Firefox as a program,
rather than use TCP/IP rules)?  Or, do you merely mean some helper
program that lets you easily set up firewall rules, instead of doing it
by hand with the command line?

> 3) do i need a proxy? [i can guess that, that the http proxy on
> localhost can filter the http, but what's with https? it's end-to-end
> encrypted :O]
If things work without one, you don't "need" one.  Do you want a proxy?
You can use them as a censoring/filtering tool.  You can use them to
speed up access to the same resources by multiple computers on a LAN
(e.g. everyone reading the news in an office, or doing all their
software updates, of the same software on different computers), but it
won't help when people are not repeatedly browsing the same things (i.e.
you read a page once, different people reading completely different
> 4) can i do something with the: "$IPTABLES -A INPUT -p tcp --dport
> 20000 -j ACCEPT" - i'm seeding distros on torrent, but are there any
> plus "options" to e.g.: only allow torrent traffic on port
> 20000/input?
If you're going to apply rules to things like torrents, you're going to
need to configure your torrent software appropriately, too.  If you
block something vital to how it (currently) works, it's not going to
work right.
> 5) on line 68: "$IPTABLES -A INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT" - when i put a "-p tcp" in it, it makes
> "funny" things - when i reopen my webbrowser, i "can't surf the net",
> so i can't put the "-p tcp" in it? :( - just to ensure only tcp comes
> IN. [why would i need anything else?? only OUTPUT udp needed, no? :O +
> icmp ping output..]
> 7) what does exactly "--state ESTABLISHED,RELATED" mean? why do i have
> to write this to the start of my firewall script?
Points 5 and 7 are related.  The ESTABLISHED,RELATED clause is about
dealing with other traffic that's related to something that you've

Some things are quite involved, with traffic going back and forth on
different ports, sometimes not always the same port.  That makes it very
hard to come up with fixed rules.  But this makes it easier.

The thing that I always wonder about, but never actually looked into, is
how it determines what's appropriate.  Such as, if I browse a website, I
don't think that it making a connection back to my mail server (from the
same IP as the website) would be an appropriate "related" connection.
> 6) "is it safer", if i use a local dns cache? like "dnsmasq"?
"Safer" than what?  Do you keep up-to-date with security issues in your
resolver?  Do you do it better than your ISP?

I use BIND, because every ISP I've ever used has had crap DNS servers,
either all the time, or from time to time.  Other people have issues
with censorship, something I'll have to deal with eventually, if the
Great Moronic Firewall of Australia ever actually happens.

> 8) how could i block packets from: destinatio ip
> "$IPTABLES -A INPUT -d -j DROP" to the start of my
> script DOESN'T help :O i used wireshark to get this info.. the
> broadcast package was my routeros router.
I would be highly cautious about such a wildcard block.  e.g. If you use
a DHCP server to assign an IP address to your computer, you're probably
going to block yourself off from the DHCP server.  Likewise with other
networking housekeeping.  Though, probably, most home routers don't
bother doing any of the stuff that they could do.

Just because something noticed networking activity within your LAN, that
you don't understand, doesn't necessarily mean that it should be

[[email protected] ~]$ uname -r

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.

users mailing list
[email protected]
To unsubscribe or change subscription options:

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux