[plug] iptables rules
Craig Ringer
craig at postnewspapers.com.au
Tue May 20 15:42:16 WST 2003
>>>I want to stop the following ports from being listed
>
>
> (a) If you are running public services on an unfirewalled machine but
> don't want them to the public: reconfigure your daemons to stop
> making their services public.
It's generally a good idea to use firewalling rules to add another layer
of security in this case, though. After all, if you (say) upgrade apache
and a package script "fixes" your httpd.conf for the new version, it's
nice to have another layer of protection.
I tend to restrict the interfaces daemons bind on, if possible, then
restrict the IP ranges they'll talk to via their own config and/or
hosts.{allow,deny}, and have a firewall ruleset that only allows
specific services to be visible to the outside world. That way, if I
stuff something up, I'm likely to get a chance to catch it.
I do, of course, stuff it up.
> (b) If you are running public services but wish to restrict them
> to only "friendly" hosts: configure your packet filter
> to issue 'connection refused' to any non-friendly hosts
> (solves Ben's problem).
Ideally also reconfigure the daemon or hosts.allow/deny to restrict the
IP range, as an additional layer of paranoia.
Craig
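The layering described in the message above (firewall exposing only specific services, plus hosts.allow/hosts.deny behind it), as an added example that is not part of Craig's message or any project's configuration: a small POSIX shell script that writes a default-deny iptables ruleset in iptables-restore format and the matching tcp_wrappers lines. The ports, the daemon name and the 192.0.2.0/24 "friendly" network are assumptions chosen for illustration; REJECT rather than DROP is used so that non-friendly hosts get "connection refused" instead of a hang.

```shell
#!/bin/sh
# Added example, not Craig's ruleset or any distribution's default config.
# Emits a default-deny iptables ruleset (iptables-restore format) that
# exposes only the listed TCP services to everyone, lets a "friendly"
# network reach a second set of ports, and REJECTs everything else so
# blocked hosts see "connection refused" rather than a silent timeout.
# All ports and networks passed in are assumptions for illustration.

# gen_ruleset "PUBLIC_PORTS" "FRIENDLY_CIDR" "FRIENDLY_PORTS"
gen_ruleset() {
    public_ports=$1      # e.g. "80 443": visible to the whole world
    friendly_cidr=$2     # e.g. "192.0.2.0/24": trusted source network
    friendly_ports=$3    # e.g. "22": only FRIENDLY_CIDR may connect

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'       # default-deny for inbound traffic
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Public services: anyone may open a new connection.
    for p in $public_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Restricted services: only the friendly network may open a connection.
    for p in $friendly_ports; do
        printf '%s\n' "-A INPUT -s $friendly_cidr -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit refusal: TCP gets a RST, everything else an ICMP unreachable.
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# gen_hosts_access "DAEMON" "NETSPEC": the second layer, for daemons built
# with libwrap. NETSPEC is in hosts_access(5) net/mask form, for example
# "192.0.2.0/255.255.255.0".
gen_hosts_access() {
    printf '%s\n' "# /etc/hosts.allow" "$1: $2" "# /etc/hosts.deny" "ALL: ALL"
}

# Usage: print both layers. Load the first with
#   gen_ruleset "80 443" "192.0.2.0/24" "22" | iptables-restore
gen_ruleset "80 443" "192.0.2.0/24" "22"
gen_hosts_access sshd "192.0.2.0/255.255.255.0"
```

Before loading a ruleset like this over ssh, make sure the port you are connected on is in one of the two lists, or the ESTABLISHED rule is the only thing keeping your session alive and the next reconnect will be refused. The hosts.deny `ALL: ALL` line only affects daemons that consult tcp_wrappers; daemons that do not link libwrap still need their own listen-address or access-list settings, which is the point of keeping the packet filter in front of them.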