[ale] iptables

Ken Ratliff forsaken at targaryen.us
Fri Jan 16 18:09:21 EST 2009


On Jan 16, 2009, at 5:31 PM, Jim Popovitch wrote:

> On Fri, Jan 16, 2009 at 17:19, Paul Cartwright <ale at pcartwright.com>  
> wrote:
>> I looked up fail2ban, looks like it isn't ready for stable yet..
>
> f2b is used on a lot of production sites/firewalls/etc.  It utilizes
> iptables, but is not a replacement for a proper installation of
> iptables.

Yeah, I regard it mostly as a way to cut down on log file size. If  
some kid is running a script against my ssh port, f2b will pick it up  
and cut out some of the noise.

> FWIW, your experiences with iptables are some linux distro dirty
> laundry.  No single distro seems to do firewalling well.  I guess the
> problem is that firewalls are different things to different people.

We do the majority of our firewalling at work with iptables because  
each of our customers has different needs, and it's impractical to try  
and centralize the firewall rules and make all of them happy. So we  
store everything in a mysql database, and the servers run a refresh  
script every 15 minutes. That lets us add blocks to our global ban  
list and protect all servers at once when necessary, as well as apply  
individual rules to individual servers (some customers want ftp locked  
down to only a certain set of IP's, for example).

My personal preference for firewalling is OpenBSD. pf is just killer,  
and I trust OpenBSD as a public-facing box more than any other.

With that being said, I do all the firewalling for my personal network  
on my router via Cisco's firewall IOS feature set, just because it's  
most convenient for me right now. Eventually I'll get around to  
putting an OpenBSD box between the router and the switch and just let  
the router pass traffic.
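An added example, not Ken's refresh script and not anything posted to the ALE list, of what the "rules in a database, refreshed every 15 minutes" setup described above can look like on the server side. It builds an iptables-restore ruleset from a global ban list plus per-server allow rules (the FTP-locked-to-certain-IPs case from the post), validates every row before it becomes part of a rule, and loads the result atomically. The two data sets, the table and column names in the comments, and the `refresh.sh` name are all assumptions; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the ALE list): build an iptables-restore
# ruleset from a global ban list plus per-server allow rules, the way a
# periodic refresh script fed from a database might. The two data sets below
# are constructed stand-ins for query output; a real refresh would replace
# them with something like (table/column names assumed):
#   mysql -N -e 'SELECT cidr FROM global_bans'
#   mysql -N -e "SELECT proto, port, src FROM server_rules WHERE host='$(hostname)'"
set -eu

# Constructed sample ban list: one IPv4 address or CIDR per line.
# The third entry is deliberately malformed to show that it is skipped.
GLOBAL_BANS="$(cat <<'EOF'
# global bans (constructed)
198.51.100.7
203.0.113.0/24
not-an-ip
EOF
)"

# Constructed sample per-server rules: "proto port source".
# Here FTP is restricted to two management hosts and SSH is open.
SERVER_RULES="$(cat <<'EOF'
# proto port source (constructed)
tcp 21 192.0.2.10
tcp 21 192.0.2.11
tcp 22 0.0.0.0/0
EOF
)"

# Accept only dotted-quad IPv4 with an optional /prefix. Anything else coming
# out of the database is rejected, so a bad row cannot smuggle extra iptables
# options into the generated ruleset.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit a complete iptables-restore file on stdout. Bans are checked in a
# dedicated BANLIST chain before any per-server allow rule, so the global
# list always wins over a customer's own allow entries.
build_ruleset() {
    bans="$1"
    rules="$2"
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf ':BANLIST - [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -j BANLIST\n'
    printf '%s\n' "$bans" | while read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        if valid_cidr "$cidr"; then
            printf -- '-A BANLIST -s %s -j DROP\n' "$cidr"
        else
            echo "refresh: skipping bad ban entry '$cidr'" >&2
        fi
    done
    printf '%s\n' "$rules" | while read -r proto port src; do
        case "$proto" in ''|\#*) continue ;; esac
        case "$proto" in tcp|udp) ;; *) echo "refresh: bad proto '$proto'" >&2; continue ;; esac
        if valid_port "$port" && valid_cidr "$src"; then
            printf -- '-A INPUT -p %s --dport %s -s %s -j ACCEPT\n' "$proto" "$port" "$src"
        else
            echo "refresh: skipping bad rule '$proto $port $src'" >&2
        fi
    done
    printf 'COMMIT\n'
}

# Load the ruleset atomically. iptables-restore replaces the whole table in
# one step, so a cron-driven refresh never leaves the host half-configured,
# which a script issuing one `iptables -A` at a time can do if it dies midway.
apply_ruleset() {
    tmp="$(mktemp)"
    build_ruleset "$GLOBAL_BANS" "$SERVER_RULES" > "$tmp"
    iptables-restore < "$tmp"
    rm -f "$tmp"
}

# Usage: sh refresh.sh print   (show the generated ruleset)
#        sh refresh.sh apply   (as root, load it with iptables-restore)
case "${1:-}" in
    print) build_ruleset "$GLOBAL_BANS" "$SERVER_RULES" ;;
    apply) apply_ruleset ;;
esac
```

Running `sh refresh.sh print` shows the ruleset with the malformed ban dropped and a warning on stderr; the default policy is DROP, so a refresh that produces an empty or unparsable file fails closed rather than open, which is worth keeping in mind before pointing a cron job at the apply path.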
