Re: [cobalt-users] ipchains installation
- Subject: Re: [cobalt-users] ipchains installation
- From: "Rodolfo J. Paiz" <rpaiz@xxxxxxxxxxxxxx>
- Date: Sun Apr 22 13:35:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 4/23/01 11:08 AM +0800, you wrote:
>> Rodolfo wrote:
>> Why on Earth would you use a default ACCEPT policy?
> Just thinking if I were to start from scratch and the server is live, I
> would want my clients to be able to access at the same time while I'm
> building the rules myself. I know the process is tedious and there are
> ready-made rules out there, but in order to know what you are doing and understand
> the concept, one has to have hands-on experience. Agree?
Agree.
Still, some suggestions:
* Put RedHat on a throwaway box (or on your work notebook as I did, in
dual-boot), and futz with that to your heart's content. Since you're *at*
"the console" you cannot lock yourself out and can thus test with impunity.
(I also configured the RH on my notebook as closely as possible to that on
the server... no sound, nothing; only extra thing is X.)
* When you set the rules, make sure that rule 1 is "allow SSH" and rule 2
is "allow admin-web-serv". Request logging on these rules. Set default
policy to ACCEPT and try to connect a couple of times. If it works, remove
the logging on rules 1 and 2. Now...
* Make sure that you use "/sbin/ipchains -A input..." to *append* all other
new rules to the end of the input chain. (In theory this makes no
difference; but for some silly reason it makes me feel better to know that
accepting SSH is the first thing ipchains does.)
* When you have the full ruleset created, leave an SSH window running and
switch the default policy to DENY. Quickly test all useful services,
correct problems if any.
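As an added illustration (not from the original post) of the staged order described above, here is the sequence as shell functions. It assumes SSH on TCP 22, the Cobalt admin web server on TCP 81, public web on TCP 80 and eth0 as the outside interface, none of which the post states; IPCHAINS defaults to a dry run that only prints each command.

```shell
#!/bin/sh
# Added example, not the list poster's own script. Assumed ports and interface
# (not in the original message): SSH 22, admin web 81, public web 80, eth0.
# IPCHAINS defaults to a dry run that echoes the commands; set
# IPCHAINS=/sbin/ipchains to actually apply them.
IPCHAINS="${IPCHAINS:-echo /sbin/ipchains}"
ANY="0.0.0.0/0"

# Step 1: policy stays ACCEPT; the two lifeline rules go in first and are
# logged (-l) so the syslog shows whether they matched your test logins.
ipchains_lifeline() {
    $IPCHAINS -P input ACCEPT
    $IPCHAINS -F input
    $IPCHAINS -I input 1 -p tcp -s "$ANY" -d "$ANY" 22 -j ACCEPT -l
    $IPCHAINS -I input 2 -p tcp -s "$ANY" -d "$ANY" 81 -j ACCEPT -l
}

# Step 2: once the logged test logins succeed, replace rules 1 and 2 in place
# without -l, then append (-A) every other rule so SSH is still matched first.
ipchains_services() {
    $IPCHAINS -R input 1 -p tcp -s "$ANY" -d "$ANY" 22 -j ACCEPT
    $IPCHAINS -R input 2 -p tcp -s "$ANY" -d "$ANY" 81 -j ACCEPT
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -p tcp -s "$ANY" -d "$ANY" 80 -j ACCEPT
    # replies to connections the box opened: TCP without SYN, plus DNS answers
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -p udp -s "$ANY" 53 -d "$ANY" -j ACCEPT
    # log whatever falls through on eth0 before the policy drops it
    $IPCHAINS -A input -i eth0 -j DENY -l
}

# Step 3: with an SSH session still open, flip the policy and retest services.
ipchains_lockdown() {
    $IPCHAINS -P input DENY
}

# Helper for checking a dry run: number of commands a stage emits.
ipchains_rule_count() {
    "$1" | wc -l | tr -d ' '
}

ipchains_lifeline
ipchains_services
ipchains_lockdown
```

Run it once with the default dry run and read the printed commands before setting IPCHAINS=/sbin/ipchains.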
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx