
Re: is it secure enough




Erez Doron wrote:

> I've used my Linux box as a firewall.
> 
> I have one IP connected to the internet.
> I use ip-masq for internal computers.
> I use ipfwadm to disable IP spoofing.
> I use /etc/hosts.allow & /etc/hosts.deny to allow only local computers.
> 
> 
> I should mention here that the linux-firewall is
> a fully operational machine (i.e. mail, NFS, web, FTP, ...).
> 
> The question is: is it secure enough? Are there other things
> I should know of or do?

If you want security, the best way to achieve it is to set a policy of
deny on each of the input, forwarding and output firewalls, and then
add rules to allow only that which you specifically wish to allow.

Make all of your rules as specific as possible, and if any part of a
rule is wildcarded, then consider adding extra reject/deny rules for
any special cases. e.g. if you have an allow rule which applies to an
entire network or subnet, add deny rules for the broadcast address.

Don't accept packets from addresses which don't correspond to the
interface on which they arrive.

-- 
Glynn Clements <glynn@sensei.co.uk>
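The default-deny layout described in the reply, written out as an added ipfwadm rule set (this is an example script, not something posted in the thread). Interface names, the internal network and the decision to print the commands instead of running them are assumptions; review the output, then pipe it into sh on the firewall. It also adds an ordering check the reply does not spell out: ipfwadm takes the first matching rule, so a special-case deny must sit before the broader accept it carves out of.

```sh
#!/bin/sh
# Assumed layout: eth0 faces the Internet, eth1 faces the masqueraded LAN.
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24     # assumed internal network
INT_BCAST=192.168.1.255    # its broadcast address (special case under the LAN allow)
ANY=0.0.0.0/0

# Print the rule set instead of applying it, so it can be reviewed first.
fw_rules() {
    # Flush, then deny by default on input, output and forwarding.
    for chain in I O F; do echo "ipfwadm -$chain -f"; done
    for chain in I O F; do echo "ipfwadm -$chain -p deny"; done
    # Anti-spoofing: addresses that cannot legitimately arrive on eth0 are
    # dropped and logged (-o) so attempts show up in the kernel log.
    echo "ipfwadm -I -a deny -o -W $EXT_IF -S $INT_NET -D $ANY"
    echo "ipfwadm -I -a deny -o -W $EXT_IF -S 127.0.0.0/8 -D $ANY"
    # Special case first: the LAN accept below is wildcarded over the subnet,
    # so the broadcast address gets its own deny ahead of it.
    echo "ipfwadm -I -a deny -o -W $INT_IF -S $INT_BCAST -D $ANY"
    echo "ipfwadm -I -a accept -W $INT_IF -S $INT_NET -D $ANY"
    # From the Internet, only TCP with ACK set (replies to our own
    # connections); UDP replies such as DNS need their own narrow rules.
    echo "ipfwadm -I -a accept -P tcp -k -W $EXT_IF -S $ANY -D $ANY"
    # Masquerade LAN traffic leaving via eth0; nothing else is forwarded.
    echo "ipfwadm -F -a masquerade -W $EXT_IF -S $INT_NET -D $ANY"
    # Output: replies to the LAN, and this host's own Internet traffic.
    echo "ipfwadm -O -a accept -W $INT_IF -S $ANY -D $INT_NET"
    echo "ipfwadm -O -a accept -W $EXT_IF -S $ANY -D $ANY"
}

# Ordering check: the broadcast deny must precede the LAN accept, otherwise
# the accept matches first and the deny never fires. Prints "ok" if correct.
rule_order_ok() {
    deny_ln=$(fw_rules | grep -n -- "-S $INT_BCAST" | cut -d: -f1 | head -n 1)
    allow_ln=$(fw_rules | grep -n -- "-a accept -W $INT_IF -S $INT_NET" | cut -d: -f1)
    [ -n "$deny_ln" ] && [ -n "$allow_ln" ] && [ "$deny_ln" -lt "$allow_ln" ] && echo ok
}

fw_rules
```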