10.2. The topology

All servers should be configured to block at least their unused ports, even when there is no dedicated firewall server. This adds a further layer of security: if someone gains access to your firewall gateway server and the servers behind it are not configured to block unused ports, the whole network is at serious risk. The same holds for local connections: an unauthorized employee could gain access to your other servers from the inside in the same way.

In our configuration we give three different examples to help you configure your firewall rules, depending on the type of server you want to protect and where that server sits in your network architecture.

The first example firewall rules file will be for a Web Server.
The second for a Mail Server.
The last for a Gateway Server that acts as a proxy for the internal Windows machines, workstations and servers.

See the graph below to get an idea:

[Figure: Firewall schematic representation]

The graph above shows the ports I enable on each server by default in the firewall script files in this book:

www.openna.com (Caching-Only DNS, 208.164.186.3):

  1. Unlimited traffic on the loopback interface allowed
  2. ICMP traffic allowed
  3. Caching DNS Server and Client on port 53 allowed
  4. SSH Server on port 22 allowed
  5. HTTP Server on port 80 allowed
  6. HTTPS Server on port 443 allowed
  7. SMTP Client on port 25 allowed
  8. FTP Server on ports 20 and 21 allowed
  9. Outgoing traceroute requests allowed

deep.openna.com (Master DNS Server, 208.164.186.1):

  1. Unlimited traffic on the loopback interface allowed
  2. ICMP traffic allowed
  3. DNS Server and Client on port 53 allowed
  4. SSH Server and Client on port 22 allowed
  5. HTTP Server and Client on port 80 allowed
  6. HTTPS Server and Client on port 443 allowed
  7. WWW-CACHE Client on port 8080 allowed
  8. External POP Client on port 110 allowed
  9. External NNTP NEWS Client on port 119 allowed
  10. SMTP Server and Client on port 25 allowed
  11. IMAP Server on port 143 allowed
  12. IRC Client on port 6667 allowed
  13. ICQ Client on port 4000 allowed
  14. FTP Client on ports 20 and 21 allowed
  15. RealAudio / QuickTime Client allowed
  16. Outgoing traceroute requests allowed

mail.openna.com (Slave DNS Server, 208.164.186.2):

  1. Unlimited traffic on the loopback interface allowed
  2. ICMP traffic allowed
  3. DNS Server and Client on port 53 allowed
  4. SSH Server on port 22 allowed
  5. SMTP Server and Client on port 25 allowed
  6. IMAP Server on port 143 allowed
  7. Outgoing traceroute requests allowed

Depending on which services a server must make available to the outside, configure its firewall script file to allow traffic only on those ports. For all the examples explained later in this chapter:

  • www.openna.com is our Web Server,
  • mail.openna.com is our Mail Hub Server for the whole internal network,
  • deep.openna.com is our Gateway Server.
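The two ideas above, blocking everything a host does not need and opening only the per-host ports listed, can be turned into data and checked mechanically. The following is an added example, not one of the book's own firewall scripts: it encodes the www.openna.com and mail.openna.com port lists as a policy, renders a default-deny ruleset from it in iptables-restore syntax (a modern substitute for the ipchains scripts the book ships, and not the book's syntax), and audits a captured `ss -Hlntu` listing against the policy to flag listeners the host should not expose. The interface name eth0, the decision to open port 53 on both UDP and TCP, the 33434:33523 traceroute UDP range and the `ss` sample are all assumptions made for the example; the gateway's list follows the same pattern and is left out for brevity.

```python
#!/usr/bin/env python3
"""Per-host port policy helper (added example, not the book's scripts)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str      # "tcp" or "udp"
    port: int
    server: bool    # accept new inbound connections to this port
    client: bool    # allow new outbound connections to this port


def svc(name, proto, port, server=False, client=False):
    return Service(name, proto, port, server, client)


# Port 53 is listed without a protocol on the page; UDP (queries) and TCP
# (zone transfers, large answers) are both included here by assumption.
POLICIES = {
    "www.openna.com": [               # Web server, caching-only DNS
        svc("dns", "udp", 53, server=True, client=True),
        svc("dns", "tcp", 53, server=True, client=True),
        svc("ssh", "tcp", 22, server=True),
        svc("http", "tcp", 80, server=True),
        svc("https", "tcp", 443, server=True),
        svc("smtp", "tcp", 25, client=True),
        svc("ftp", "tcp", 21, server=True),
        svc("ftp-data", "tcp", 20, server=True),
    ],
    "mail.openna.com": [              # Mail hub, slave DNS
        svc("dns", "udp", 53, server=True, client=True),
        svc("dns", "tcp", 53, server=True, client=True),
        svc("ssh", "tcp", 22, server=True),
        svc("smtp", "tcp", 25, server=True, client=True),
        svc("imap", "tcp", 143, server=True),
    ],
}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def render_iptables(host, iface="eth0"):
    """Return an iptables-restore ruleset for HOST: drop by default, allow
    loopback, ICMP and replies to existing connections, then one rule per
    listed service and direction, plus outgoing UDP traceroute probes."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A INPUT -p icmp -j ACCEPT",
        "-A OUTPUT -p icmp -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for s in POLICIES[host]:
        if s.server:
            rules.append(f"-A INPUT -i {iface} -p {s.proto} --dport {s.port} "
                         f"-m conntrack --ctstate NEW "
                         f"-m comment --comment \"{s.name} server\" -j ACCEPT")
        if s.client:
            rules.append(f"-A OUTPUT -o {iface} -p {s.proto} --dport {s.port} "
                         f"-m conntrack --ctstate NEW "
                         f"-m comment --comment \"{s.name} client\" -j ACCEPT")
    # Outgoing traceroute: UDP probes to the conventional 33434+ range (an
    # assumption); the ICMP time-exceeded replies are covered by the ICMP rule.
    rules.append(f"-A OUTPUT -o {iface} -p udp --dport 33434:33523 "
                 f"-m comment --comment \"outgoing traceroute\" -j ACCEPT")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


def unexpected_listeners(host, ss_output):
    """Compare `ss -Hlntu` output (columns: Netid State Recv-Q Send-Q
    Local:Port Peer:Port) with HOST's policy and return the (proto, port)
    pairs listening on a non-loopback address that are not allowed servers."""
    allowed = {(s.proto, s.port) for s in POLICIES[host] if s.server}
    found = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)
        if addr.startswith(LOOPBACK_PREFIXES):
            continue            # loopback-only listeners are not exposed
        found.add((proto, int(port)))
    return sorted(found - allowed)


# Constructed `ss -Hlntu` sample for mail.openna.com: the 3306 listener is not
# in the mail policy and gets flagged; the loopback-only 6010 is ignored.
SAMPLE_SS = """\
udp   UNCONN 0      0          0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100        0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:143       0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6010    0.0.0.0:*
"""

if __name__ == "__main__":
    print(render_iptables("mail.openna.com"))
    print("unexpected:", unexpected_listeners("mail.openna.com", SAMPLE_SS))
```

Run on a host, `ss -Hlntu` output is fed to `unexpected_listeners` and anything it returns is either a service to add to the policy or a daemon to stop; the rendered ruleset is loaded with `iptables-restore`. Running the same sample against the www.openna.com policy flags ports 25 and 143 as well, because that host is an SMTP client only and runs no IMAP server.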

Published under the terms of the Open Publication License