Re: [cobalt-users] Pointers for ipfwadm on RaQ2?
- Subject: Re: [cobalt-users] Pointers for ipfwadm on RaQ2?
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Thu Apr 11 08:29:50 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Date: Thu, 11 Apr 2002 18:25:32 -0400
> From: Glenn Parsons <gparsons@xxxxxxxxxxxxx>
> Would anyone have some pointers as to how to install rules and
> maybe a good rule-set for some RaQ2s, currently running only
> DNS?
>
> They are and will remain dedicated DNS servers.
I'd need to brush up on ipfwadm for specifics, but a few general
hints:
+ Block bogons and RFC1918 space
+ Don't block ICMP unreachables (ICMP type 3)
+ Allow traffic to UDP/53, both inbound and outbound
+ Allow to and from TCP/53 and TCP/22
+ Run sshd
+ Block what you don't need.
I'm 99% positive that ipfwadm was not stateful, so you alas can't
keep state. :-(
Do you wish to FTP to/from the entire world, a single machine
under your control, or not at all? The above rules don't allow
FTP...
Also: I personally like to have an alternate ruleset with a few
ports open. (Hint: When upgrading sshd, it's much safer to run
the new on an alternate port for testing, kill the old, and copy
the new binary into place.)
I imagine that if you feed a few of those keywords into Google,
you should get a good start...
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
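The hints in the reply above, turned into a reviewable ipfwadm ruleset for a DNS-only host. This is an added example, not the poster's script and not anything shipped with the RaQ2. It assumes a single public interface named eth0, a server address of 198.51.100.53 and an admin workstation at 203.0.113.10 (all three are constructed placeholders; change the variables for a real box). The ruleset is generated as text first so it can be read or diffed before it is applied, and because ipfwadm is stateless every direction of every flow gets its own rule, with `-k` (ACK set) used on return-traffic rules so those ports do not accept new inbound connections.

```shell
#!/bin/sh
# Added example: ipfwadm ruleset generator for a dedicated DNS server.
# Assumptions (constructed for this example): one public interface,
# IFACE, with address DNS_IP; SSH is only allowed from ADMIN_IP.
IFACE="${IFACE:-eth0}"
DNS_IP="${DNS_IP:-198.51.100.53}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
ANY="0.0.0.0/0"

# RFC 1918 space plus a few never-routable networks. A full bogon list
# changes over time; refresh it from a maintained source instead of
# hard-coding more entries here.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/3"

# gen_rules prints the ipfwadm commands instead of running them, so the
# ruleset can be reviewed before apply_rules feeds it to the shell.
gen_rules() {
    # Clean slate: flush input and output chains, deny by default.
    echo "ipfwadm -I -f"
    echo "ipfwadm -O -f"
    echo "ipfwadm -I -p deny"
    echo "ipfwadm -O -p deny"

    # Loopback traffic is always allowed.
    echo "ipfwadm -I -a accept -W lo"
    echo "ipfwadm -O -a accept -W lo"

    # Block bogons and RFC 1918 sources arriving on the public interface,
    # logging them (-o) so spoofed packets show up in syslog.
    for net in $BOGONS; do
        echo "ipfwadm -I -a deny -W $IFACE -S $net -D $ANY -o"
    done

    # ICMP destination unreachable (type 3) in both directions; for ICMP
    # the source "port" field is the ICMP type. Blocking it breaks path
    # MTU discovery and turns closed ports into long timeouts.
    echo "ipfwadm -I -a accept -P icmp -S $ANY 3 -D $DNS_IP"
    echo "ipfwadm -O -a accept -P icmp -S $DNS_IP 3 -D $ANY"

    # UDP/53: queries to us and our replies, then our own queries out and
    # the answers back. No state, so each direction needs its own rule.
    echo "ipfwadm -I -a accept -P udp -S $ANY -D $DNS_IP 53"
    echo "ipfwadm -O -a accept -P udp -S $DNS_IP 53 -D $ANY"
    echo "ipfwadm -O -a accept -P udp -S $DNS_IP -D $ANY 53"
    echo "ipfwadm -I -a accept -P udp -S $ANY 53 -D $DNS_IP"

    # TCP/53: zone transfers and truncated answers. New connections may
    # arrive on our port 53; return traffic for our own outbound TCP/53
    # queries is accepted only with ACK set (-k), which is the stateless
    # way to refuse new inbound connections on that rule.
    echo "ipfwadm -I -a accept -P tcp -S $ANY -D $DNS_IP 53"
    echo "ipfwadm -O -a accept -P tcp -S $DNS_IP 53 -D $ANY -k"
    echo "ipfwadm -O -a accept -P tcp -S $DNS_IP -D $ANY 53"
    echo "ipfwadm -I -a accept -P tcp -S $ANY 53 -D $DNS_IP -k"

    # TCP/22: sshd, but only from the admin host; replies leave ACK-only.
    echo "ipfwadm -I -a accept -P tcp -S $ADMIN_IP -D $DNS_IP 22"
    echo "ipfwadm -O -a accept -P tcp -S $DNS_IP 22 -D $ADMIN_IP -k"

    # Nothing above allows FTP; everything else is denied and logged.
    echo "ipfwadm -I -a deny -S $ANY -D $ANY -o"
    echo "ipfwadm -O -a deny -S $ANY -D $ANY -o"
}

# apply_rules runs the generated commands; run it as root on the RaQ2.
apply_rules() {
    gen_rules | sh -e
}

# count_accepts returns how many accept rules mention a given port, a
# quick sanity check that both directions of a service are covered.
count_accepts() {
    gen_rules | grep -cE -- "-a accept .* $1( |$)"
}
```

Run `gen_rules` first and read the output; only when it matches what you expect, `apply_rules` on the console (not over SSH from anywhere but ADMIN_IP, since a mistake in the TCP/22 rules locks you out). Running sshd on a second port while testing a new build, as the poster suggests, needs one extra inbound rule for that port and one `-k` outbound rule, added the same way as the port 22 pair.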