Forum Replies Created
My apologies Fluvio, I now see that we do indeed look at the source of the incoming requests. Good job, you thought ahead indeed.
Bill, February 26, 2009 at 8:34 am, in reply to: Firewall Configuration – No internet, just internal networks #47649
vapor, you are on the right track. I will strongly disagree with others who say the default should not be DENY. It will be the LAST rule in the chain and thus should be DENY.
But, when you set your tables up you may want to do it like so:
# Flush all the previous rules
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
# Disable all traffic until the rules are in place (the policy target is DROP; DENY is not a valid iptables target)
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
# Now, add the FORWARD rules
/sbin/iptables -A FORWARD … becomes rule 1
/sbin/iptables -A FORWARD … becomes rule 2
# NOTE: -A appends, so each new rule goes to the END of the chain and rules are evaluated in the order you add them (use -I to insert at the top). Anything no rule matches falls through to the chain policy, so DROP is indeed the default rule (3)
# Lastly, allow the INPUT and OUTPUT traffic
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
This is certainly not complete or an exhaustive description, you may want to look at:
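A fuller version of the default-deny layout sketched in the reply above, written as an added example; it is not code from the original post nor from Zeroshell. It runs in dry-run mode by default (it prints the iptables commands instead of executing them, so the rule order can be inspected without root), and applies them only when DRY_RUN=0. The interface names, the two internal network ranges, the "LAN to DMZ web only" policy and the address of the blocked host are all assumptions made for the example.

```shell
#!/bin/sh
# Default-deny forwarding firewall between two internal networks (no internet).
# Constructed example: interfaces, networks and the blocked host are assumptions.
IPT=${IPT:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}          # assumed: inside network
DMZ_IF=${DMZ_IF:-eth1}          # assumed: server network
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
BAD_HOST=${BAD_HOST:-192.168.2.99}   # assumed: a host we want blocked outright

# run: print the command in dry-run mode (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    # 1. Flush, then set the chain policies to DROP *before* adding any rule,
    #    so there is no window in which traffic is forwarded unfiltered.
    #    DROP is the policy target; "DENY" does not exist in iptables.
    run -F INPUT
    run -F FORWARD
    run -F OUTPUT
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # 2. FORWARD rules. -A appends, so they are evaluated top to bottom in
    #    the order given here; whatever matches nothing hits the DROP policy.
    #    Replies to connections already accepted come first (cheapest match).
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #    LAN may open HTTP connections to the DMZ, nothing else.
    run -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" \
        -p tcp --dport 80 -j ACCEPT
    #    DMZ must never initiate towards the LAN: log it so it shows up in
    #    detection, then let the policy drop it.
    run -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "FWD-DENY: "
    #    -I puts a rule at the TOP of the chain; use it for an emergency
    #    block that must win over every ACCEPT added with -A above.
    run -I FORWARD 1 -s "$BAD_HOST" -j DROP

    # 3. Traffic to and from the firewall itself: loopback and established
    #    connections only, then open INPUT/OUTPUT as the reply does.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -P INPUT ACCEPT
    run -P OUTPUT ACCEPT
}

# Line number (in the generated listing) of the first command matching $1;
# used to check that the DROP policy is set before any ACCEPT rule is added.
first_line_matching() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

With DRY_RUN=0 the same script applies the rules; the listing printed in dry-run mode is the order the kernel will evaluate them in, with the -I rule shown before the appended ones.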
NFS can be used on Windows. But I really did not mean to indicate that NFS should be a server on zeroshell, just that it should be possible to mount a filesystem via NFS. This is a small addition to ZS.
This way, one could backup and indeed update modules from a central repository, dump stats for offline processing (bandwidth usage, etc..).
I should have been clearer. I agree with others, as a high security network admin, I would never permit a firewall/router to be a file server of any form, Samba (CIFS), NFS or others. Hardening the system in any environment is difficult let alone in the 1G space we have for the non-volatile boot media.
Good job with ZS; however, CIFS (samba) may not be the best choice. If you are a CIFS server it is nasty (see 2. below); if only a CIFS client (which is of limited use), I’d rather see NFS support, at least client support.
I suggest NFS over CIFS for a few reasons:
1. CIFS is a mess! Lots of unneeded traffic on the network – requires SMB and NMB daemon (for server) support which are really messy.
2. Configuration of CIFS is difficult for users – I fix smb.conf all the time and there are too many options.
3. Support for a client is not too much trouble (e.g., mount -t cifs …) but would require cooperation with the Windows config to work well. Frankly, the only thing this brings to the party is the ability to talk to Windows filesystems. Is it worth it?
4. NFS is much simpler to implement (either as server or client) and in the network environment much more useful.
Thanks for listening,