On Tue, Aug 16, 2005 at 02:16:40PM -0400, Fred OGrady wrote:
> Is there a recommended Lockdown that will allow the safest use of my
> Debian Sarge box on the Net?

Yes - a default deny iptables-based firewall.

First, if you need a brush-up on networking concepts, read [1]. Either
way give [2] a perusal.

Here's what you'll do next:

  # apt-get install iptables
  # $EDITOR /etc/firewall.rules

Paste in the following (adapted from [3]):

*filter
:INPUT ACCEPT [363:465980]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [364:19123]
:block - [0:0]
-A INPUT -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m state --state NEW -j ACCEPT
-A block -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A block -j DROP
COMMIT

Where 'eth0' is your primary network interface (it might be ppp0 if you
use dial-up); and the 8080 rule is for your web server (which you could
run on another port by adjusting that rule as required).

Edit /etc/network/interfaces, and add the following to your primary
interface:

  pre-up iptables -F
  pre-up iptables-restore < /etc/firewall.rules

(see /usr/share/doc/iptables/README.Debian.gz for rationale)

Next time you up your interface, the firewall rules will first be
cleared and then the ones in /etc/firewall.rules loaded. Either drop and
restore your interface, or do the latter step manually right now:

  # iptables-restore < /etc/firewall.rules

Check you have 'em in:

  # iptables -L

> Security Events

The listed events show failed attempts to access your box. By disabling
external access to ssh, these will not appear.

[1] http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
[2] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
[3] http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

-- 
Jon Dowland
http://jon.dowland.name/
FD35 0B0A C6DD 5D91 DB7A 83D1 168B 4E71 7032 F238
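Added example, not part of Jon's post: a small POSIX shell script that generates a /etc/firewall.rules file in the same default-deny shape as the ruleset above, with the interface and the published TCP ports as parameters, and checks the result before it is installed. The helper names (gen_rules, rules_ok, syntax_check) are made up for this example; eth0 and port 8080 come from the post, and iptables-restore's --test option is used only where the tool is present and the script runs as root.

```shell
#!/bin/sh
# Added example (not the original post's script): build and sanity-check a
# default-deny iptables-restore ruleset like the one quoted above.
# gen_rules, rules_ok and syntax_check are hypothetical helper names.

# gen_rules IFACE PORT... : print the ruleset for /etc/firewall.rules to stdout
gen_rules() {
    iface="$1"
    shift
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':block - [0:0]' \
        '-A INPUT -j block' \
        '-A block -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A block -i lo -m state --state NEW -j ACCEPT'
    # one ACCEPT per published service; everything else falls through to DROP
    for port in "$@"; do
        printf '%s\n' "-A block -i $iface -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A block -j DROP' 'COMMIT'
}

# rules_ok FILE : succeed only if the file is really default-deny, i.e. the
# block chain ends in an unconditional DROP and the table is COMMITted
rules_ok() {
    grep -q '^\*filter$' "$1" || return 1
    [ "$(tail -n 1 "$1")" = 'COMMIT' ] || return 1
    [ "$(tail -n 2 "$1" | head -n 1)" = '-A block -j DROP' ] || return 1
    # no ACCEPT may follow the final DROP (it would be unreachable anyway,
    # but its presence means someone edited the file in the wrong place)
    ! sed -n '/^-A block -j DROP$/,$p' "$1" | grep -q ACCEPT
}

# syntax_check FILE : let iptables-restore parse the file without loading it
# (needs root and the iptables package; skipped quietly where unavailable)
syntax_check() {
    command -v iptables-restore >/dev/null 2>&1 || return 0
    [ "$(id -u)" -eq 0 ] || return 0
    iptables-restore --test < "$1"
}

# Usage: rules for eth0 with only the web server on 8080 reachable from
# outside, written to a temp file; copy it to /etc/firewall.rules once the
# checks pass and let the pre-up lines in /etc/network/interfaces load it.
tmp=$(mktemp)
gen_rules eth0 8080 > "$tmp"
rules_ok "$tmp" && syntax_check "$tmp" && echo "ruleset ok: $tmp"
```

rules_ok is deliberately strict about the trailing DROP: the whole point of the posted layout is that a new service is added by inserting one ACCEPT above it, never by loosening the chain's default, so the check refuses any file where that ordering has been lost.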