This is the comment you were replying to, attached to the article Struggling to implement PCI compliance:
#3 Re: Struggling to implement PCI compliance Posted by Steve (80.68.xx.xx) on Fri 14 Mar 2008 at 11:51
You ask lots of good questions, and I'm sure you'll receive some useful comments here.
With regards to CONFIG_NETFILTER I'm certain that will be enabled, so I'll ignore that. For getting a firewall to survive reboot we did have some previous discussion on the topic.
Personally I create a shell script in the directory /etc/network/if-up.d/ - every executable file in that directory will be executed after the network interface(s) have been brought up.
So I have a simple firewall there:
#!/bin/sh
# clear existing rules
iptables --flush
iptables --delete-chain

# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Enable free use of loopback interfaces
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# now allowing incoming http, ssh, and smtp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# and now outgoing: dns + smtp
iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Running this will set up the rules; testing it is a matter of trying to connect remotely when you should/shouldn't be able to and seeing if it succeeds. (A tip: when working with a firewall for the first time, add a cron-job to clear all your rules every 30 minutes - that way if you get locked out you're not lost!)
Regarding tripwire, it is later than ideal, but if you're certain you're not already compromised you may add it.
Pam configuration? We've talked about it before - honestly? I don't see what you need to mess with it for here.
Steve
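An added example, not part of Steve's comment: a small POSIX shell audit that checks an iptables-save dump against the policy his script sets (DROP defaults on all three chains, tcp 22/25/80 inbound, dns and smtp outbound). The dump below is constructed for offline use; on a live host feed in the output of iptables-save, which is also a quick way to confirm the if-up.d rules actually survived a reboot.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output for the ruleset above
# (iptables-save adds "-m tcp"/"-m udp" and drops "-s 0.0.0.0/0").
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN -> default policy of CHAIN (e.g. DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# open_ports DUMP CHAIN PROTO -> space-separated, sorted --dport values
# that CHAIN accepts for PROTO (only ACCEPT rules are considered)
open_ports() {
    printf '%s\n' "$1" | awk -v c="$2" -v p="$3" '
        $1 == "-A" && $2 == c && / -j ACCEPT/ && $0 ~ ("-p " p " ") {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# audit_firewall DUMP -> 0 if the dump matches the intended policy, 1 otherwise;
# every deviation (wrong default policy, extra or missing port) is reported.
audit_firewall() {
    dump=$1; rc=0
    for ch in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$dump" "$ch")" = "DROP" ] || { echo "FAIL: $ch policy is not DROP"; rc=1; }
    done
    [ "$(open_ports "$dump" INPUT tcp)" = "22 25 80" ] || { echo "FAIL: inbound tcp ports differ from 22 25 80"; rc=1; }
    [ "$(open_ports "$dump" OUTPUT tcp)" = "25 53" ]   || { echo "FAIL: outbound tcp ports differ from 25 53"; rc=1; }
    [ "$(open_ports "$dump" OUTPUT udp)" = "53" ]      || { echo "FAIL: outbound udp ports differ from 53"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ruleset matches policy"
    return "$rc"
}

audit_firewall "$SAMPLE_DUMP"
```

Run it from cron or after `/etc/network/if-up.d/` has fired, e.g. `iptables-save | { audit_firewall "$(cat)"; }`, and alert on a non-zero exit.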