FireHOL (was Re: [clug] Bonjour/ZeroConf Advocacy)
Alex Satrapa
grail at goldweb.com.au
Sun Nov 16 22:10:14 GMT 2008
On 15/11/2008, at 01:55 , Ian wrote:
> For those of us who don't use 'client all accept' in our firewall (for
> one of a great variety of fun and entertaining reasons - in my case
> it's because I want my firewall to REJECT packets that would just get
> lost in a data accounting server anyway
Hrm... I think the reason I still use client all accept is simply that
I didn't want to go through every single service on my box and figure
out which ones *really* need to be able to send stuff out to the
Internet.
It's probably worth pointing out that FireHOL has a "helpme" facility
which will build a sample FireHOL configuration based on your
currently running services.
So you folks out there who don't have as basic a firewall as myself -
no excuses! Go grab FireHOL, run "firehol helpme > /etc/firehol/firehol.conf",
then load that firewall and start learning how to configure it :)
As a hint, you'll need to add rules in to allow your machine to talk
to your ISP's SMTP relay (or MSA, in the current parlance):
interface any world
client smtp accept dst msa.my.isp.example.com
client pop3 accept dst pop3.my.isp.example.com
I think that should cover it.
Keep an eye on /var/log/kern.log (on Ubuntu at least) for messages
from the kernel's netfilter about blocked packets. If you get messages
about stuff being blocked that you don't want to see anymore (such as
SMB/CIFS network discovery), add rules like this:
server samba drop
server dhcp drop
Have fun :)
Alex
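As an added example (not part of the original post, and not FireHOL's own code): a small POSIX shell script that summarises the netfilter log lines Alex says to watch in kern.log and turns the noisy ones into candidate "server ... drop" lines for firehol.conf. The sample log lines are constructed; the script relies only on the kernel LOG target's standard fields (PROTO=, DPT=), while the "IN-world" prefix and the port-to-service table are assumptions.

```shell
#!/bin/sh
# Summarise dropped packets from kern.log and suggest FireHOL rules.
# Constructed sample of netfilter LOG lines; the "IN-world" prefix is assumed.
LC_ALL=C; export LC_ALL
SAMPLE_LOG='Nov 16 21:58:01 box kernel: IN-world DROP IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137
Nov 16 21:58:03 box kernel: IN-world DROP IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.255 PROTO=UDP SPT=138 DPT=138
Nov 16 21:58:09 box kernel: IN-world DROP IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
Nov 16 21:58:12 box kernel: IN-world DROP IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137
Nov 16 21:59:40 box kernel: IN-world DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Nov 16 21:59:41 box kernel: IN-world DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=8443'

# Map proto/port to a FireHOL service name (assumed table); empty if unknown.
service_for() { # $1 = proto (lowercase), $2 = destination port
  case "$1/$2" in
    udp/137|udp/138|tcp/139|tcp/445) echo samba ;;
    udp/67|udp/68)                   echo dhcp ;;
    udp/53|tcp/53)                   echo dns ;;
    tcp/22)                          echo ssh ;;
    udp/123)                         echo ntp ;;
    tcp/80)                          echo http ;;
    *)                               echo "" ;;
  esac
}

# Read log lines on stdin, print "count proto/dport" sorted by proto/dport.
count_blocked() {
  awk '/kernel:/ && /PROTO=/ && /DPT=/ {
         proto = ""; dport = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
           if ($i ~ /^DPT=/)   dport = substr($i, 5)
         }
         if (proto != "" && dport != "") hits[proto "/" dport]++
       }
       END { for (k in hits) print hits[k], k }' | sort -k2,2
}

# Aggregate per service: one "server X drop" line each; unknown ports become a comment.
suggest_firehol_rules() {
  count_blocked | while read -r n key; do
    svc=$(service_for "${key%/*}" "${key#*/}")
    echo "${svc:-custom} $key $n"
  done | awk '{ hits[$1] += $3; ports[$1] = ports[$1] " " $2 }
              END { for (s in hits)
                      if (s == "custom") printf "# %d hit(s) on%s: no built-in FireHOL service, use \"server custom\"\n", hits[s], ports[s]
                      else printf "server %s drop    #%s, %d hit(s)\n", s, ports[s], hits[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | suggest_firehol_rules
```

Pipe the real file in with "grep DROP /var/log/kern.log | suggest_firehol_rules" and review the list before pasting anything into firehol.conf; a dropped probe is not always noise you want to silence.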