[plug] iptables rules
Jon Miller
jlmiller at mmtnetworks.com.au
Tue May 20 16:19:59 WST 2003
Have done this already.
Jon L. Miller, MCNE, CNS
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
"I don't know the key to success, but the key to failure
is trying to please everybody." -Bill Cosby
>>> craig at postnewspapers.com.au 3:42:16 PM 20/05/2003 >>>
>>>I want to stop the following ports from being listed
>
>
> (a) If you are running public services on an unfirewalled machine but
> don't want them to the public: reconfigure your daemons to stop
> making their services public.
It's generally a good idea to use firewalling rules to add another layer
of security in this case, though. After all, if you (say) upgrade apache
and a package script "fixes" your httpd.conf for the new version, it's
nice to have another layer of protection.
I tend to restrict the interfaces daemons bind on, if possible, then
restrict the IP ranges they'll talk to via their own config and/or
hosts.{allow,deny}, and have a firewall ruleset that only allows
specific services to be visible to the outside world. That way, if I
stuff something up, I'm likely to get a chance to catch it.
I do, of course, stuff it up.
> (b) If you are running public services but wish to restrict them
> to only "friendly" hosts: configure your packet filter
> to issue 'connection refused' to any non-friendly hosts
> (solves Ben's problem).
Ideally also reconfigure the daemon or hosts.allow/deny to restrict the
IP range, as an additional layer of paranoia.
Craig
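The layering Craig describes (expose only specific services to the outside, restrict the rest to "friendly" addresses, and have the packet filter answer non-friendly hosts with "connection refused" rather than a silent drop) written out as an iptables ruleset. This is an added example, not code posted in the thread; it assumes a public interface eth0, a friendly range 192.168.1.0/24, HTTP/HTTPS as the public services and SSH as the friendly-only one, all of which are placeholders for your own values.

```shell
#!/bin/sh
# Generate an iptables-restore(8) ruleset for a host that offers a few
# public services and keeps the rest for a friendly address range.
# All network values below are assumptions for the example, not from the thread.

PUBLIC_IF=${PUBLIC_IF:-eth0}                        # interface facing the outside world
FRIENDLY_NET=${FRIENDLY_NET:-192.168.1.0/24}         # hosts allowed to reach restricted services
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"80 443"}       # visible to everyone
FRIENDLY_TCP_PORTS=${FRIENDLY_TCP_PORTS:-"22"}       # visible only to FRIENDLY_NET

# Print the complete ruleset on stdout (iptables-save format).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF

    # Public services: any source may open a new connection.
    for p in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -i $PUBLIC_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Restricted services: friendly range is accepted first; everyone else
    # gets a TCP RST, which the client sees as "connection refused".
    # Rule order matters: the ACCEPT must precede the REJECT for the same port.
    for p in $FRIENDLY_TCP_PORTS; do
        echo "-A INPUT -i $PUBLIC_IF -p tcp -s $FRIENDLY_NET --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A INPUT -i $PUBLIC_IF -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done

    # Everything else that reaches the end of the chain is refused explicitly;
    # the DROP policy above only catches what no rule matched.
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Parse-check the ruleset without loading it (needs root and iptables installed).
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

# Load the ruleset atomically (needs root).
apply_ruleset() {
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    print) gen_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run it as `sh fw.sh print` to review the rules, `sh fw.sh check` to let iptables-restore parse them without committing, and `sh fw.sh apply` to load them. The second layer Craig mentions is independent of this script: for an sshd built with tcp_wrappers, `sshd: 192.168.1.0/255.255.255.0` in /etc/hosts.allow together with `ALL: ALL` in /etc/hosts.deny refuses the same non-friendly hosts even if the firewall rules are lost, and `ListenAddress` in sshd_config narrows which interfaces it binds at all.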