[BlueOnyx:01049] Re: Iptables
Stephanie Sullivan
ses at aviaweb.com
Fri Apr 10 22:05:46 -05 2009
Greg,
Absolutely correct. Sorry to be harsh (in re-reading my response) before.
It is my opinion that defense in depth (more than one layer of protection -
or sometimes called belt-and-suspenders). The point I was not making so well
is to block as far out as you can. Iptables is further out than dfix - but
does not replace it. Like AV scanning on the web server for email does not
replace AV scanning on the client machine.
I think someone mentioned running a dedicated firewall between one's servers
and the internet at large. That is a good idea too.
For me the tradeoff is effectiveness of the effort versus how it affects my
operations (overhead, complexity, upset clients, etc) versus cost of failure
versus the chance/frequency of failure.
But a good point well made.
Thanks,
-Stephanie
> -----Original Message-----
> From: Greg Kuhnert [mailto:greg.kuhnert at theanchoragesylvania.com]
> Sent: Friday, April 10, 2009 6:21 PM
> To: Stephanie Sullivan
> Cc: 'BlueOnyx General Mailing List'
> Subject: Re: [BlueOnyx:01040] Re: Iptables
>
> OK. Point taken. I was assuming that since Richard did not know about
> why it was blocked that he probably didn't create the rules :)
>
> But on the topic of blocking attacks... there are some attacks that
> DFix blocks that cannot be blocked by IPTables recent modules. For
> example, some of the RFI checks.
>
> Regards,
> Greg.
>
> --
> +---------------------------------------------------------------------+
> | / \ Greg Kuhnert, gkuhnert at compassnetworks.com.au |
> | < o > Compass Networks - Pointing you in the right direction |
> | \ / Check out our website for NuOnce module support. |
> +---------------------------------------------------------------------+
>
>
> Stephanie Sullivan wrote:
> >> iptables itself does not block anything.
> >>
> > Huh? If one does not set up any rules I guess that's true.
> >
> > If you have set up rules iptables can do quite a lot - including
> > blocking brute force attacks pretty effectively!
> >
> > Thanks,
> > -Stephanie
> >
> >
> >> -----Original Message-----
> >> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-
> >> bounces at blueonyx.it] On Behalf Of Greg Kuhnert
> >> Sent: Friday, April 10, 2009 10:44 AM
> >> To: BlueOnyx General Mailing List
> >> Subject: [BlueOnyx:01037] Re: Iptables
> >>
> >> Hi Richard...
> >>
> >> iptables itself does not block anything. Did you get any alerts
> >> from other apps in your inbox? DenyHosts and dfix both alert you of any
> >> actions taken. The log file will help you to pinpoint the cause of
> >> the dynamic firewall rules.
> >>
> >> Regards,
> >> Greg.
> >>
> >> Richard Sidlin wrote:
> >>
> >>> I have (another) little issue. One of the servers on my LAN has
> >>> been listed in the iptables and is blocking it. If I remove it and do
> >>> service iptables save and restart, it is OK again for about 30
> >>> seconds and then gets blocked again.
> >>>
> >>> Is there a way to say put exceptions in so that certain IPs don't
> >>> get blocked at all?
> >>>
> >>> Thanks
> >>> _______________________________________________
> >>> Blueonyx mailing list
> >>> Blueonyx at blueonyx.it
> >>> http://www.blueonyx.it/mailman/listinfo/blueonyx
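The thread touches two things without showing either: the iptables "recent" match Greg mentions for throttling brute-force logins, and the exception for a trusted LAN host that Richard asks for. The script below is an added example, not code from the list or from BlueOnyx; it generates (rather than applies) a small SSH_GUARD chain in which whitelist rules come before the rate-limit rules, so the trusted host is never counted. The addresses, port and thresholds are constructed placeholders. It only covers the static iptables layer; tools such as dfix or DenyHosts that insert their own rules are configured separately.

```shell
#!/bin/sh
# Added example (not from the thread): throttle new SSH connections with the
# iptables "recent" match, exempting trusted hosts first. Values are placeholders.
TRUSTED_HOSTS="${TRUSTED_HOSTS:-192.0.2.10 192.0.2.11}"  # assumed LAN servers
SSH_PORT="${SSH_PORT:-22}"
HITCOUNT=4   # the 4th new connection ...
WINDOW=60    # ... within 60 seconds from one source is dropped

# Emit the ruleset as text so it can be reviewed before being run.
gen_rules() {
    echo "iptables -N SSH_GUARD 2>/dev/null"
    echo "iptables -F SSH_GUARD"
    # Whitelist: trusted hosts leave the chain before any counting happens,
    # which is what keeps a LAN server from ever being blocked here.
    for h in $TRUSTED_HOSTS; do
        echo "iptables -A SSH_GUARD -s $h -j RETURN"
    done
    # Record the source, then drop it once it exceeds HITCOUNT hits in WINDOW seconds.
    echo "iptables -A SSH_GUARD -m recent --name sshbf --set"
    echo "iptables -A SSH_GUARD -m recent --name sshbf --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP"
    # Hook the chain into INPUT for new SSH connections (remove any old hook first).
    echo "iptables -D INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_GUARD 2>/dev/null"
    echo "iptables -I INPUT 1 -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_GUARD"
}

# Sanity check: every whitelist RETURN must precede the DROP rule, otherwise
# the exception is dead code. Returns 0 when the order is correct.
whitelist_first() {
    gen_rules | awk '/-j DROP/ {seen_drop=1}
                     /-j RETURN/ && seen_drop {bad=1}
                     END {exit bad}'
}

# Apply only when explicitly asked; "gen_rules" alone just prints the rules.
apply_rules() {
    whitelist_first && gen_rules | sh
}
```

Run `gen_rules` to review the commands, and `apply_rules` (as root) to load them; a `service iptables save` afterwards keeps them across restarts as on the system in the thread.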