My ipfilter rules.

Arnoud a.buurman at wxs.nl
Thu Mar 4 08:43:54 PST 2004


Shaun,

I do have some (minor) additions:
- letting in webmin from an external interface on your firewall does not seem
like a good idea to me. webmin is not that secure... normally I only allow
this to the loopback interface and tunnel it in SSH for security
- letting out everything is not the smartest thing to do, if one of your
services gets compromised you'll never notice outgoing traffic. normally I
only allow out everything I know the server needs, anything else is either
blocked or logged.

Well it all depends on how secure you want to make things. Basically the
script looks pretty good.


Arnoud


In order to be a good netizen, I applied the bogon list to my outbound
traffic, too. I also moved the bad packet checks to the head of the
incoming rules, as they make more sense there - no point in letting them
use any more cpu than needed, if they are junk.

At least 35 people have looked at my rules
(http://www.ste-land.com/rules.html). I've updated the page, so be sure
to hit refresh/reload, if you go to look at it again. So far, two people
have responded. I took the suggestions of one. Anyone else? I'm putting
the server on the Internet tonight, and would like the firewall done by
then.

Two questions:

1) Should I be performing the bad packet checks on the outbound path, too?

2) I looked at using groups to keep outbound packets from traversing
rules for inbound packets, and vice versa, but I still don't understand
them well enough to set them up. Suggestions?

	-ste
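As an added example (not rules from either poster, and not the ruleset at ste-land.com), here is an ipf.conf fragment that applies Arnoud's two points and uses ipfilter's head/group keywords to answer ste's second question. The interface names fxp0 (external) and lo0 (loopback), the allowed services, and webmin's default TCP port 10000 are assumptions for this illustration.

```ipf
# Loopback first: webmin is only reachable here, e.g. via an SSH port forward
# (ssh -L 10000:localhost:10000 server), so it never listens to the outside.
pass in quick on lo0 all
pass out quick on lo0 all

# Group heads: packets on fxp0 are handed to group 100 (in) or 200 (out).
# An inbound packet never walks the outbound rules, and vice versa.
# If nothing in the group matches, the head's own action (block) applies,
# which gives a default-deny policy in both directions.
block in log quick on fxp0 all head 100
block out log quick on fxp0 all head 200

# --- inbound, group 100 ---
# Bad-packet checks sit at the top of the group: cheapest to evaluate,
# so junk is dropped before any service rule is consulted.
block in log quick all with short group 100
block in log quick all with ipopts group 100
# Webmin from the external interface is explicitly refused and logged
# (assumed default port 10000); any attempt to reach it shows up in the log.
block in log quick proto tcp from any to any port = 10000 group 100
# Only the services the host is meant to offer are reachable from outside.
pass in quick proto tcp from any to any port = ssh flags S keep state group 100
pass in quick proto tcp from any to any port = www flags S keep state group 100

# --- outbound, group 200 ---
# Allow out only what the server is known to need (assumed: DNS and SMTP).
pass out quick proto udp from any to any port = domain keep state group 200
pass out quick proto tcp from any to any port = domain flags S keep state group 200
pass out quick proto tcp from any to any port = smtp flags S keep state group 200
# Everything else leaving the box is blocked and logged: a compromised
# service trying to phone out becomes visible instead of silently succeeding.
block out log quick all group 200
```

Replies to connections already allowed by a `keep state` rule are matched by the state table before any rule is evaluated, so the outbound default-deny does not break inbound services.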
