[cobalt-users] Firewall
- Subject: [cobalt-users] Firewall
- From: "Todd W" <twooly@xxxxxxxxx>
- Date: Tue Apr 22 18:29:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
I am in the process of setting up a firewall on my server and want to check
and see if this is a good rule set before I go wild with it.
My server is running:
ssh allow only 3 static ips in.
ftp
web
pop3
smtp
ssl
controlpanel
frontpage extensions
asp site
mysql would like to allow my static ip to connect
dns server
Here are my chain rules:
ipchains -A input -i eth0 -p tcp --destination-port 137 --syn -j DENY
# TCP
# serve ftp for NON-passive clients_ONLY_
ipchains -A input -i eth0 -p tcp --destination-port 20:21 --syn -j ACCEPT -l
# serve ssh - 22
ipchains -A input -i eth0 -p tcp --destination-port 22 --syn -j ACCEPT -l
# serve smtp - 25
ipchains -A input -i eth0 -p tcp --destination-port 25 --syn -j ACCEPT
# serve http - 80
ipchains -A input -i eth0 -p tcp --destination-port 80 --syn -j ACCEPT
# serve https admin - 81
ipchains -A input -i eth0 -p tcp --destination-port 81 --syn -j ACCEPT -l
# serve pop3 - 110
ipchains -A input -i eth0 -p tcp --destination-port 110 --syn -j ACCEPT
# serve https admin - 443 (must sit above the catch-all SYN DENY below, or it never matches)
ipchains -A input -i eth0 -p tcp --destination-port 443 --syn -j ACCEPT -l
# disallow SYN on all else
ipchains -A input -i eth0 -p tcp --syn -j DENY -l
#keep rackshack monitor from filling logs
ipchains -A input -i eth0 --source 207.218.223.135 -j DENY
#allow gateway
ipchains -A input -i eth0 --source My Gateway -j ACCEPT
# allow existing TCP sessions to continue
ipchains -A input -i eth0 -p tcp -j ACCEPT
# UDP
# DNS response
ipchains -A input -i eth0 -p udp --source My Primary IP 53 -j ACCEPT
ipchains -A input -i eth0 -p udp --source My Secondary IP 53 -j ACCEPT
# ICMP allowed
ipchains -A input -i eth0 -p icmp -j ACCEPT
# disallow all else
ipchains -A input -i eth0 -j DENY -l
Thanks
--Todd
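ipchains walks a chain top to bottom and the first match wins, so a port-specific ACCEPT only works if it sits above any broader DENY such as `-p tcp --syn -j DENY`. The checker below is an added example, not Todd's script or anything from the list: it parses a constructed excerpt of the posted rules in which the 443 ACCEPT is placed below that catch-all (RFC 5737 addresses stand in for the "My ..." placeholders) and reports every rule that an earlier, broader rule in the same chain hides.

```python
import shlex

# Constructed excerpt of the posted rules in their posted order; RFC 5737 addresses
# stand in for the "My ..." placeholders (assumed, not taken from the message).
RULESET = """
ipchains -A input -i eth0 -p tcp --destination-port 80 --syn -j ACCEPT
ipchains -A input -i eth0 -p tcp --syn -j DENY -l
ipchains -A input -i eth0 --source 203.0.113.9 -j DENY
ipchains -A input -i eth0 -p tcp -j ACCEPT
ipchains -A input -i eth0 -p udp --source 192.0.2.53 53 -j ACCEPT
ipchains -A input -i eth0 -p tcp --destination-port 443 --syn -j ACCEPT -l
ipchains -A input -i eth0 -j DENY -l
"""
VALUE_OPTS = {"-A": "chain", "-p": "proto", "--destination-port": "dport", "--dport": "dport"}
NOARG = {"--syn", "-y", "-l"}  # options that take no value

def parse_rule(line):
    """Extract the match fields the checker reasons about; other options are skipped."""
    tok = shlex.split(line)
    r = {"chain": None, "proto": None, "dport": None, "source": None,
         "sport": None, "syn": False, "text": line.strip()}
    i = 0
    while i < len(tok):
        t, nxt = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if t in VALUE_OPTS:
            r[VALUE_OPTS[t]] = nxt
        elif t in ("--source", "-s"):
            r["source"] = nxt
            # ipchains accepts a source port after the address: "--source ADDR 53"
            if i + 2 < len(tok) and not tok[i + 2].startswith("-"):
                r["sport"] = tok[i + 2]
        elif t in ("--syn", "-y"):
            r["syn"] = True
        i += 1 if t in NOARG or not t.startswith("-") else 2
    return r

def covers(a, b):
    """True when every packet rule b would match is already matched by earlier rule a."""
    return (a["chain"] == b["chain"] and a["proto"] in (None, b["proto"])
            and a["dport"] in (None, b["dport"]) and a["source"] in (None, b["source"])
            and a["sport"] in (None, b["sport"]) and (not a["syn"] or b["syn"]))

def shadowed_rules(text):
    """Return (rule that never matches, earlier rule that hides it) pairs in chain order."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("ipchains")]
    pairs = ((b, next((a for a in rules[:j] if covers(a, b)), None)) for j, b in enumerate(rules))
    return [(b["text"], a["text"]) for b, a in pairs if a]
```

Moving the 443 rule above the `--syn -j DENY` line makes the report come back empty; the check is deliberately conservative and ignores options it does not parse (`-i`, `-l`, destination addresses), so treat a hit as something to read, not as proof by itself.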