Archived from groups: comp.security.firewalls
I have an RH9 Linux system running as Router/FW.
IPTables 1.2.9 on it and running happily.
Would the following be a sound idea, as to maintainability of the
IPTables rules and the effectiveness and security of the FW:
Immediately after the running of a script in /etc/rc3.d a partial
IPTables script must run, to open up the FW for any necessary
ports/protocols/etc. related to that /etc/rc3.d script.
example and problem:
just after running the /etc/rc.d/init.d/named script, the FW must be
opened for protocol UDP/port 53.
If it is not opened, the subsequent ntpd script would not work, for it
opens the FW for a few timeservers, not given by IP number, but by
FQN. And it would log a few packet refusals, if not opened
immediately.
same goes for other servers, that need specific ports open. (Or, more
general, need specific IPTables rules effective): samba, apache,
sendmail...
For this, I would make a parallel directory for the partial IPTables
scripts (e.g. /etc/rc.d/iptables/S08named), which would be controlled
by a mechanism incorporated in the /etc/rc.d mechanism (S08named
things)
Question is, how would I incorporate this parallel mechanism in the
startup scripts and where?
fr gr
Erik
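One way to wire the parallel directory in, as an added example that is not from the original post: a small dispatcher that walks the runlevel directory the way /etc/rc does and, right after each service script, runs the fragment of the same name from the parallel iptables directory. The directory layout, the "start" argument and the stub script contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): pair each rc3.d start script
# with a partial iptables script of the same name from a parallel directory.

# run_rc_with_fw RCDIR FWDIR
# Run RCDIR/S* in name order (as /etc/rc does) and, immediately after each
# one, the companion FWDIR/<same name> if it exists and is executable, so the
# rules for a service are in place before the next service script starts.
run_rc_with_fw() {
    rcdir=$1; fwdir=$2
    for script in "$rcdir"/S*; do
        [ -x "$script" ] || continue
        name=${script##*/}
        "$script" start
        if [ -x "$fwdir/$name" ]; then
            "$fwdir/$name" start
        fi
    done
}

# A real FWDIR/S08named fragment would look like (assumed, shown for reference):
#   case "$1" in
#     start) iptables -I INPUT -p udp --dport 53 -j ACCEPT ;;
#     stop)  iptables -D INPUT -p udp --dport 53 -j ACCEPT ;;
#   esac

# make_stub DIR NAME TAG: write a constructed stub that appends "TAG:NAME"
# to $ORDER_LOG instead of starting a daemon or touching iptables.
make_stub() {
    printf '#!/bin/sh\necho "%s:%s" >> "$ORDER_LOG"\n' "$3" "$2" > "$1/$2"
    chmod +x "$1/$2"
}

# demo_order: build a constructed rc3.d / iptables tree in a temp dir, run
# the dispatcher and return the execution order as one space-separated line.
demo_order() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rc3.d" "$tmp/iptables"
    ORDER_LOG=$tmp/order.log; export ORDER_LOG
    make_stub "$tmp/rc3.d" S08named rc
    make_stub "$tmp/rc3.d" S58ntpd rc
    make_stub "$tmp/iptables" S08named fw   # the UDP/53 fragment
    run_rc_with_fw "$tmp/rc3.d" "$tmp/iptables"
    tr '\n' ' ' < "$ORDER_LOG" | sed 's/ $//'
    rm -rf "$tmp"
}
```

The order returned by demo_order shows the firewall fragment running between named and ntpd, which is the property the post asks for; the base rule set (default policies, established-connection rules) still has to be loaded by the early iptables init script before rc3.d runs, and each fragment should insert on start and delete the same rule on stop so repeated runs do not pile up duplicates.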