[plug] iptables rules

Craig Ringer craig at postnewspapers.com.au
Tue May 20 15:42:16 WST 2003


>>>I want to stop the following ports from being listed
> 
> 
> (a) If you are running public services on an unfirewalled machine but
>     don't want them to the public: reconfigure your daemons to stop
>     making their services public.

It's generally a good idea to use firewalling rules to add another layer 
of security in this case, though. After all, if you (say) upgrade apache 
and a package script "fixes" your httpd.conf for the new version, it's 
nice to have another layer of protection.

I tend to restrict the interfaces daemons bind on, if possible, then 
restrict the IP ranges they'll talk to via their own config and/or 
hosts.{allow,deny}, and have a firewall ruleset that only allows 
specific services to be visible to the outside world. That way, if I 
stuff something up, I'm likely to get a chance to catch it.

I do, of course, stuff it up.

> (b) If you are running public services but wish to restrict them
>     to only "friendly" hosts: configure your packet filter
>     to issue 'connection refused' to any non-friendly hosts
>     (solves Ben's problem).

Ideally also reconfigure the daemon or hosts.allow/deny to restrict the 
IP range, as an additional layer of paranoia.

Craig
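An added example, not part of Craig's post or the quoted reply, of the outer layer he describes: a firewall ruleset that exposes only specific services, restricts the rest to "friendly" ranges, and answers everyone else with connection refused (point (b) above). The script prints the ruleset in iptables-restore format so you can review it before applying. The interface name (eth0), the friendly ranges (RFC 5737 TEST-NET blocks, constructed for the example), and the port split (80/443 public, 22/5432 friendly-only) are all assumptions; set them via the environment variables for a real host.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# ruleset that exposes a few services to everyone, others only to "friendly"
# ranges, and answers all other TCP SYNs with a RST (connection refused).
# Interface, ranges and ports below are assumptions for illustration.
set -eu

EXT_IF="${EXT_IF:-eth0}"
# Constructed friendly ranges (RFC 5737 TEST-NET blocks, not real networks).
FRIENDLY_NETS="${FRIENDLY_NETS:-192.0.2.0/24 198.51.100.0/24}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"      # visible to the world
FRIENDLY_TCP_PORTS="${FRIENDLY_TCP_PORTS:-22 5432}" # friendly ranges only

# Print the ruleset in iptables-restore format. Nothing is applied here.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':FRIENDLY - [0:0]'
    # Loopback, replies to our own connections, and junk.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Services anyone may reach.
    for p in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Services that must first pass the FRIENDLY source check.
    for p in $FRIENDLY_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $EXT_IF -p tcp --dport $p -m state --state NEW -j FRIENDLY"
    done
    for n in $FRIENDLY_NETS; do
        printf '%s\n' "-A FRIENDLY -s $n -j ACCEPT"
    done
    # Unfriendly source on a restricted port: refuse, don't silently drop,
    # so the client sees "connection refused" rather than a hang.
    printf '%s\n' '-A FRIENDLY -p tcp -j REJECT --reject-with tcp-reset'
    # Everything else that reached the end of INPUT.
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Self-check helper: how many rules ACCEPT new connections to a port
# unconditionally (expect 1 for public ports, 0 for friendly-only ones).
count_public_accepts() {
    build_ruleset | grep -c -- "--dport $1 .* -j ACCEPT" || true
}

case "${1:-}" in
    --apply) build_ruleset | iptables-restore ;;  # needs root and iptables
    *)       build_ruleset ;;                     # dry run: print to stdout
esac
```

Run it with no arguments to read the generated rules; `--apply` pipes them to iptables-restore, which replaces the filter table in one go rather than rule by rule. The `-m state` match is the name in use at the time of this thread; on current kernels `-m conntrack --ctstate` is the equivalent. This is only the outer layer: the daemon's own bind address and hosts.allow/hosts.deny should carry the same friendly ranges, so a mistake in one place is caught by the other.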