Good day,

I was wondering if you could help me with suggestions or methods for hardening a Linux firewall running Redhat 7.2 Kernel 2.4, with Iptables 1.2.5 and Shorewall 1.4.1a?

Thank you
On Mon, 2003-07-28 at 08:39, james.lopez wrote:
> Good day,
>
> I was wondering if you could help me with suggestions or methods for
> hardening a Linux firewall running Redhat 7.2 Kernel 2.4, with Iptables
> 1.2.5 and Shorewall 1.4.1a?

My usual suggestions are:

1. Remove all unnecessary RPMs.
2. Don't run any more services than are absolutely necessary.
3. Unless a service absolutely must be available from the internet, configure it to listen on internal addresses only.
4. Configure Shorewall to come up before your network interfaces (some Shorewall features will not be available if you adopt this approach).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
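An added example for suggestion 3 above (this is editorial code, not from the thread or from Shorewall): a small POSIX shell audit that reads `netstat -tln` style output and reports every TCP listener bound to the wildcard address 0.0.0.0 instead of an internal address, then filters out the ports you have deliberately chosen to expose. The netstat text below is constructed sample output, and the "allowed" list is a hypothetical choice; on the real firewall you would pipe `netstat -tln` into the functions instead. The ports that come out (portmapper on 111 in the sample) are also a quick way to find the RPMs suggestion 1 says to remove.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Audits which TCP
# services listen on every interface (0.0.0.0) instead of an internal address.

# Constructed sample of `netstat -tln` output from a Red Hat 7.2 style box.
# On a live system use:  netstat -tln | wildcard_listeners
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN'

# wildcard_listeners : netstat text on stdin, prints one port per line for
# every TCP socket in LISTEN state whose local address is 0.0.0.0.
wildcard_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # strip the ":port" suffix
            sub(/.*:/, "", port)       # keep only the port number
            if (addr == "0.0.0.0") print port
         }'
}

# unexpected_wildcard "PORTS" : like wildcard_listeners, but drops the ports
# listed (space separated) in the first argument, i.e. the services you have
# decided really must be reachable on every interface. What remains should
# be rebound to an internal address or removed outright.
unexpected_wildcard() {
    allowed=" $1 "
    wildcard_listeners | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;        # deliberately exposed, say nothing
            *) echo "$port" ;;
        esac
    done
}

# Hypothetical policy for the sample box: only ssh may listen everywhere.
echo "Wildcard-bound TCP listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
echo "Not on the allowed list (22):"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_wildcard "22"
```

For the sample data the second report lists only port 111; the DNS, SMTP and proxy listeners are already bound to internal or loopback addresses and so pass suggestion 3 as stated.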
Bharath S. Narayan
2003-Jul-28 11:38 UTC
[Shorewall-users] Shorewall configuration Question
Hello,

I have Shorewall 1.4.5 and once I am on the server via the internal network via ssh, I am unable to ssh to other Linux servers via that interface. Is there any rule that I need to add to allow access (eth1 in my case, the internal network) for this to work?

The second question I have is about FTP. When I try to perform FTP, the connections are always passive, but when I do a mget on the host (connected from the LAN to NET) I get "Connect refused". Is it not true that passive FTPs use ports at random when connected? Should there be certain ports opened on the firewall for this?

Thanks in advance
Cheers
Bharath
Tom Eastep wrote:
> My usual suggestions are:
>
> 1. Remove all unnecessary RPMs.
> 2. Don't run any more services than are absolutely necessary.
> 3. Unless a service absolutely must be available from the internet,
> configure it to listen on internal addresses only.
> 4. Configure Shorewall to come up before your network interfaces (some
> Shorewall features will not be available if you adopt this approach).

He could also take a look at a hardening script, Bastille-Linux, http://www.bastille-linux.org/, that guides you through the process of hardening your installation, step by step, aimed specifically at the Red Hat and Mandrake crowd. Tom, have you ever tried that out and put Shorewall in front of it? Alas, I'm a Slacker, I do things the hard way! :)

Regards,
--
Patrick Benson
Stockholm, Sweden
On Mon, 2003-07-28 at 13:21, Patrick Benson wrote:
> Tom, have you ever tried that out and put
> Shorewall in front of it?

No, I haven't.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 2003-07-28 at 11:38, Bharath S. Narayan wrote:
> Hello,
> I have Shorewall 1.4.5 and once I am on the server

I assume that by "server", you mean your "firewall/gateway/router" (the system where Shorewall runs). "Server" is a really bad term to use when referring to this system since those of us answering questions on this list think of a server as a system that accepts and services requests (e.g., web server, mail server, DNS server) and in most sane environments the "server" is a system separate from the "firewall/gateway/router".

> via internal network via
> ssh. I am unable to ssh to other linux servers via that interface. Is there
> any rule that I need to add to allow access (eth1 in my case, the internal
> network) for this to work.

You want to ACCEPT these connections.

Where is the SOURCE of these connections? -- the Firewall ($FW).
Where is the DESTination for these connections? -- the Local Zone (loc)
What PROTOCOL does SSH use? -- tcp
What PORT(S) does SSH use? -- 22

I hope you can construct the proper rule given the above hints.

> The second question I have is about FTP. When I
> try to perform FTP. The connections are always Passive but when I do a mget
> on the host ( connected from the LAN to NET) I get Connect refused. Is it
> not true that Passive FTP's use ports at random when connected. Should there
> be certain ports opened on the Firewall for this?

It's hard to break this (it normally "just works") -- are you running a standard vendor kernel? If so, are the "ip_conntrack_ftp" and "ip_nat_ftp" modules loaded? If so, is the FTP server that you are connecting to listening on port 21? If not, please see http://www.shorewall.net/ports.htm and read the part about FTP.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
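An added example that works through both of Tom's answers above; it is editorial code, not from the thread and not part of Shorewall. The first part turns the four hints (SOURCE $FW, DEST loc, tcp, 22) into the one-line ACCEPT rule and includes a small checker that reads a Shorewall 1.4 rules file and says whether such a rule is present, so you can tell a missing rule from a policy problem. The second part checks whether ip_conntrack_ftp and ip_nat_ftp are loaded from /proc/modules text. Assumptions made here: the rules file uses the 1.4 column layout (ACTION SOURCE DEST PROTO DEST PORT(S) ...), `$FW` and the default firewall zone name `fw` name the same zone, the "before" rules file and the /proc/modules excerpts are constructed samples, and the remark that $FW to loc traffic otherwise falls to the catch-all REJECT policy assumes the two-interface sample policy file.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself.
# Part 1: find (or add) the ACCEPT rule for ssh from the firewall to loc.
# Part 2: check that the FTP connection tracking helpers are loaded.

# rule_accepts SRC DST PROTO PORT : Shorewall 1.4 rules file on stdin, returns
# 0 if an ACCEPT rule covers the tuple. Assumed column layout:
#   ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S) [ORIGINAL-DEST]]
# "$FW" and the default firewall zone name "fw" are treated as the same zone
# (assumption). A port column of "-" or no port column means any port; comma
# lists and lo:hi ranges are understood.
rule_accepts() {
    awk -v src="$1" -v dst="$2" -v proto="$3" -v port="$4" '
        function zone(z) { return z == "$FW" ? "fw" : z }
        BEGIN { src = zone(src); dst = zone(dst); found = 0 }
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blanks
        $1 != "ACCEPT" { next }
        zone($2) != src || zone($3) != dst { next }
        $4 != proto { next }
        NF < 5 || $5 == "-" { found = 1; exit }        # any port
        {
            n = split($5, p, ",")
            for (i = 1; i <= n; i++) {
                if (p[i] == port) { found = 1; exit }
                if (split(p[i], r, ":") == 2 &&
                    r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed rules file resembling the situation in the question: ssh into
# the firewall from loc and FTP out from loc are allowed, nothing originates
# from the firewall. Under the two-interface sample policy (assumed) the
# firewall's own ssh to loc then falls through to "all all REJECT".
RULES_BEFORE='#ACTION  SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST
ACCEPT   loc     $FW     tcp     22
ACCEPT   loc     net     tcp     21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# The line Tom's four hints add up to: SOURCE $FW, DEST loc, tcp, port 22.
FIX_RULE='ACCEPT   $FW     loc     tcp     22'

# Insert the fix above the "LAST LINE" marker, as the file's own comment asks.
RULES_AFTER=$(printf '%s\n' "$RULES_BEFORE" |
    awk -v fix="$FIX_RULE" '/^#LAST LINE/ { print fix } { print }')

report() {   # report LABEL RULES
    if printf '%s\n' "$2" | rule_accepts '$FW' loc tcp 22; then
        echo "$1: ssh from the firewall to loc is ACCEPTed by a rule"
    else
        echo "$1: no rule for \$FW -> loc tcp 22, the policy decides; add: $FIX_RULE"
    fi
}
report before "$RULES_BEFORE"
report after  "$RULES_AFTER"

# ftp_helpers_loaded : /proc/modules (or lsmod) text on stdin, returns 0 only
# if both ip_conntrack_ftp and ip_nat_ftp are present. The helpers let the
# kernel treat the separately negotiated data connection as RELATED to the
# control connection, and they only watch control connections on port 21
# unless told otherwise, which is why Tom asks about both.
ftp_helpers_loaded() {
    awk '$1 == "ip_conntrack_ftp" { c = 1 }
         $1 == "ip_nat_ftp"       { n = 1 }
         END { if (c && n) exit 0; exit 1 }'
}

# Constructed /proc/modules excerpts (sizes and dependency columns are
# illustrative only). On the firewall:  ftp_helpers_loaded < /proc/modules
MODULES_OK='ip_nat_ftp              3680   0 (unused)
ip_conntrack_ftp        4432   1
iptable_nat            19960   1 [ip_nat_ftp]
ip_conntrack           26976   2 [ip_nat_ftp ip_conntrack_ftp iptable_nat]
ip_tables              14936   2 [iptable_nat]'
MODULES_MISSING='iptable_nat            19960   1
ip_conntrack           26976   1 [iptable_nat]
ip_tables              14936   2 [iptable_nat]'

for m in OK MISSING; do
    eval "mods=\$MODULES_$m"
    if printf '%s\n' "$mods" | ftp_helpers_loaded; then
        echo "$m: ip_conntrack_ftp and ip_nat_ftp are loaded"
    else
        echo "$m: FTP helpers missing, try: modprobe ip_conntrack_ftp ip_nat_ftp"
    fi
done
```

The checker deliberately answers only "is there an explicit ACCEPT rule"; when it says no, the outcome is whatever the policy file says for that zone pair, so a REJECT there is the next thing to look at. The helper check is the one to run before touching any port lists: if both modules are present and the server really is on port 21, opening extra ports for passive FTP is not the fix.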