 
Re: [suse-security] Suse 8.2 firewall configuration: blocking port 25 from the internal network

From: Wilfred van Velzen (w.v.velzen@sercom.nl)
Date: Tue Mar 23 2004 - 01:28:06 CST


>>> Arjen de Korte <suse-security@de-korte.org> 2004-03-22 20:22:00 >>>
> On Monday 22 March 2004 09:05, Wilfred van Velzen wrote:
>
> > Our policy is to let anything go out. ;-)
>
> That's not a policy. That's unrestricted access by default and trying
> to plug all the holes you leave open. Rest assured, your users will
> find ways around your blockade in no time (there are plenty of
> forwarders available). In time you'll find that closing everything by
> default and opening what's allowed to be far easier (and more secure)
> to administrate.

This block was only meant to prevent accidental virus infections from
bothering the outside Internet, not to prevent users from doing certain things.

> > I changed this to:
> >
> > iptables -A forward_int -s 192.168.0.1 -p tcp --dport 25 -j ACCEPT
> > iptables -A forward_int -p tcp --dport 25 -j REJECT
> >
> > Because our email server needs to be able to go through!
>
> Since you have left everything wide open, you could put all of this in
> one line:
>
> iptables -A forward_int -s ! 192.168.0.1/32 -p tcp --dport 25 -j DROP

Ok. Do I need to specify the interface here? Or won't this prevent SMTP
connections from the outside from reaching the mail server on the inside?

> It is almost always better to DROP connections than to REJECT them.
> Since the SuSEfirewall2 scripts provide a pretty CPU intensive set of
> rules by default, it makes sense to keep your own additions as limited
> as possible.

On the outside, sure, but on the inside of a firewall? I want to keep
the machines on the inside running as fast as possible. Dropping might
slow them down a bit...

Met vriendelijke groet / Best regards,
Wilfred van Velzen

--

SERCOM Regeltechniek b.v.
Heereweg 9
2161 AB Lisse
Nederland
+31 (0)252 416530 (voice)
+31 (0)252 419481 (fax)

<http://www.sercom.nl/>

All our quotations, all orders placed with us and all agreements concluded
with us are subject to the METAALUNIEVOORWAARDEN, filed with the Registry of
the District Court of Rotterdam, as they read according to the text most
recently deposited there. The terms of delivery will be sent to you on
request.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
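The two questions in the message above (whether the interface has to be given so that inbound SMTP to the mail server still gets through, and whether to DROP or REJECT on the LAN side) can be answered in the ruleset itself. The script below is an added example, not code from the thread or from SuSEfirewall2. It assumes the LAN is on eth1, the Internet on eth0, the mail server is 192.168.0.1 and the LAN is 192.168.0.0/24 (the thread only names the mail server address); it uses the plain FORWARD chain rather than SuSEfirewall2's own forward_int chain. By default it only prints the iptables commands (dry run), so it can be read and checked without root; set IPT to the real binary to apply them.

```shell
#!/bin/sh
# Added example: egress SMTP filtering on a forwarding firewall, qualified by
# interface so it only touches NEW connections that go from the LAN to the
# Internet and never inbound SMTP to the mail server.
#
# Assumed values (not stated in the thread): LAN on eth1, Internet on eth0,
# mail server 192.168.0.1. IPT defaults to "echo iptables" = dry run.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
MAIL_SERVER="${MAIL_SERVER:-192.168.0.1}"
# DROP makes a misbehaving workstation wait for its TCP timeout on every
# attempt; "REJECT --reject-with tcp-reset" makes it fail instantly, which is
# friendlier on the LAN side. Choose with SMTP_VERDICT.
SMTP_VERDICT="${SMTP_VERDICT:-DROP}"

smtp_egress_rules() {
    # A dedicated chain keeps the additions separate from the distribution's
    # own ruleset and is cheap to flush and reload.
    $IPT -N smtp_egress 2>/dev/null
    $IPT -F smtp_egress
    # Only the mail server may open outbound port 25 connections.
    $IPT -A smtp_egress -s "$MAIL_SERVER" -j ACCEPT
    # Everything else from the LAN is logged (rate limited) and refused; the
    # log line tells you which workstation is probably infected.
    $IPT -A smtp_egress -m limit --limit 3/min -j LOG --log-prefix "smtp-egress: "
    $IPT -A smtp_egress -j $SMTP_VERDICT
    # Jump only for NEW TCP/25 connections that enter on the LAN interface and
    # leave on the Internet interface. Without -i/-o, a rule keyed on
    # "-s ! mailserver --dport 25" would also match connections from the
    # Internet to the mail server, since their source is not the mail server.
    $IPT -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -m state --state NEW -j smtp_egress
}

smtp_egress_rules
```

Run it as is to see the rules it would install, then `IPT=/usr/sbin/iptables sh script.sh` as root to apply them. With `-m state --state NEW` only connection attempts are evaluated, so reply packets of connections the mail server accepted from outside are untouched whichever direction they travel; the `-i`/`-o` pair is what excludes the outside-to-mail-server direction entirely. Whether a REJECT with a TCP reset is acceptable on your LAN is a local choice; the script makes the verdict a single variable so the two options can be compared without editing the rules.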