1) Usually, it's wiser and more secure to silently drop packets to avoid 
opening yourself to certain reflective attacks.  However, it really 
depends on your case.  If you're on your own private network, and behind 
a router, it's perfectly safe to REJECT packets and then use the router's 
firewall to DROP packets coming in on those ports from the world.

2) As long as you don't have software running on one of those ports that 
could be exploited.  I would recommend running an nmap scan on your 
localhost to see if there are any programs you may not realize are using 
ports above 10000. nmap by default doesn't look at the full port range, 
so you'll need to specify "-p1-65535" as one of the arguments.

3) That's a little difficult.  Do they have dynamic DNS set up for 
themselves?  That's the only way I can think you could set that up.

On 4/8/2010 4:39 AM, Andrew Berg wrote:
> On 4/7/2010 7:26 PM, Adam Morris wrote:
>> I would recommend taking a look at Shorewall
>> <http://www.shorewall.net/>.  I can't stand dealing with IPTables myself
>> but Shorewall simplifies the process.  It's still not as easy as some of
>> the GUI tools such as Firestarter, but once you read through the
>> tutorials and the getting started guides then you should be able to
>> perform most things pretty easily.
> It took a while to figure out the roles that each config file
> (rules/interfaces/policy/shorewall.conf) plays, but once I had that
> down, it wasn't too difficult to set things up, so thanks!
> Three questions:
> Is there any reason not to use REJECT instead of DROP? Timing out could
> be indicative of other problems, whereas if the client acts as though
> the host is unreachable, I know I'm being locked out by the firewall.
> Is it safe to have all ports above 10000 open to the public in order to
> allow the server to act as a seedbox as long as transmission-daemon is
> the only service listening on those ports?
> How should I handle trusted users who have dynamic IPs without allowing
> everyone who uses the same ISP as they do?
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
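An added check for question 2 that is not from anyone on the thread: a POSIX shell script that reads `ss -Hlntup` output (iproute2) and lists sockets bound to non-loopback addresses on ports at or above a threshold whose owning process does not match an allow-list, so you can confirm that transmission-daemon really is the only thing reachable on the range you opened. The `ss` sample embedded below is constructed, not captured from a real host; the allow-list pattern matches "transmission-da" because the kernel truncates process names to 15 characters.

```shell
#!/bin/sh
# Find listeners on high ports that you did not expect to be exposed.

# Constructed sample of `ss -Hlntup` output (columns: netid state recv-q
# send-q local-addr:port peer-addr:port process). Not from a real machine.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22          0.0.0.0:* users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0 128 0.0.0.0:51413       0.0.0.0:* users:(("transmission-da",pid=900,fd=12))
udp   UNCONN 0 0   0.0.0.0:51413       0.0.0.0:* users:(("transmission-da",pid=900,fd=13))
tcp   LISTEN 0 128 127.0.0.1:9091      0.0.0.0:* users:(("transmission-da",pid=900,fd=10))
tcp   LISTEN 0 50  0.0.0.0:27017       0.0.0.0:* users:(("mongod",pid=1200,fd=11))'

# unexpected_listeners MIN_PORT ALLOWED_PROCESS_REGEX   (ss output on stdin)
# Prints "proto port process" for every socket on a port >= MIN_PORT that is
# bound to a non-loopback address and owned by a process not matching the regex.
unexpected_listeners() {
    awk -v min="$1" -v ok="$2" '
    {
        # $5 is local address:port; the port is whatever follows the last colon
        n = split($5, a, ":"); port = a[n] + 0
        addr = substr($5, 1, length($5) - length(a[n]) - 1)
        if (port < min) next
        # loopback-only bindings are not reachable from the network
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/)) {
            # skip the 9-character prefix users:((" and the closing quote
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        if (proc !~ ok) print $1, port, proc
    }'
}

# check_range MIN_PORT ALLOWED_PROCESS_REGEX
# Returns 0 when nothing unexpected listens in the range, 1 otherwise
# (and prints the offenders). Uses the constructed sample; for a live host,
# replace SAMPLE_SS with the output of: ss -Hlntup
check_range() {
    out=$(printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

check_range 10000 '^transmission-da' || echo "unexpected listener(s) above port 10000"
```

On the sample, only the mongod socket on 27017 is reported; the transmission-daemon RPC port 9091 is ignored because it is bound to 127.0.0.1.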