output rules suggestions please
Fri Jul 25 08:47:48 CEST 2003
Craig Reeson wrote:
> I've been doing some experimentation and have realised that if my firewall
> system becomes compromised then output rules could come in rather handy.
I hope this has not happened.
> Could I ask ppl to post their output rules or their suggestions.
If your firewall is compromised there is little you can do. What you
want is for your firewall to be totally shielded off. Do not run any
services exposed to the internet on the firewall, and only allow ssh to
the firewall from trusted machines behind the firewall itself.
All machines with public services should be placed in a DMZ. The DMZ
should be carefully shielded, allowing as little traffic as possible
(port and IP wise) to go in/out on the internet. For example, a
mailserver should only be able to contact internet hosts on port 25, and
should only be accessible on port 25. Also I recommend having a DNS in
the DMZ which all machines in the DMZ use. If you are paranoid then put a
firewall on each machine in the DMZ too.
When designing your network/firewall then always think of what will
happen if one of your machines is compromised and how you can limit the
Hope it helps.
> Craig Reeson RHCE
> Senior Engineer
> Bluechip Infotech
> Ph. (02) 8745 8465
> Mob. 0413 018602
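The layout described in the reply above (locked-down firewall host, ssh only from the trusted LAN, a mail server in the DMZ that may talk port 25 in both directions and resolve names only through a DMZ resolver), written out as a plain iptables rule set. This is an added illustration, not fiaif's own configuration and not the poster's rules; the interface names, addresses and networks are assumptions. With the default IPT=echo the script prints the commands instead of loading them, so it can be reviewed before being run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: iptables rules for a locked-down firewall host plus a DMZ
# mail server. Interfaces and addresses below are assumed for illustration:
#   eth0 = internet, eth1 = DMZ, eth2 = trusted LAN
#   192.0.2.10 = DMZ mail server, 192.0.2.53 = DMZ resolver
#   10.0.0.0/24 = trusted LAN that may ssh to the firewall
# Dry-run by default: IPT=echo prints rules; run with IPT=iptables to load.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
MAIL=192.0.2.10
DNS=192.0.2.53
LAN_NET=10.0.0.0/24

# Traffic to and from the firewall host itself. Default drop both ways,
# so even a compromised firewall has only the explicitly listed exits.
firewall_host_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh to the firewall only from trusted machines on the LAN side
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # the firewall resolves names only via the DMZ resolver, nothing else
    $IPT -A OUTPUT -o $DMZ_IF -d $DNS -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    # everything the firewall tries to originate beyond that is logged
    $IPT -A OUTPUT -j LOG --log-prefix "fw-out-drop: "
}

# Forwarded traffic for the DMZ: the mail server gets port 25 in and out,
# the resolver gets port 53 out, nothing else. The mail server reaches the
# resolver directly on the DMZ segment, so that traffic never crosses here.
dmz_mail_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # inbound SMTP to the mail server only
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $MAIL -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # outbound SMTP from the mail server only
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $MAIL -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    # the DMZ resolver may query the internet on 53/udp and 53/tcp
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DNS -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DNS -p tcp --dport 53 \
        -m state --state NEW -j ACCEPT
    # anything else a DMZ host tries (a compromised mail server scanning
    # out, for instance) is logged and dropped
    $IPT -A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
    $IPT -A FORWARD -j DROP
}

firewall_host_rules
dmz_mail_rules
```

Run it as-is to see the rule list; the two LOG lines are what make a compromise visible, since a DMZ host that suddenly tries ports other than 25 and 53 shows up in the log immediately.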