On Thu, Jan 15, 2009 at 9:25 PM, Frank Chiulli <frankc.fedora(a)gmail.com> wrote:
On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath
<mmcgrath(a)redhat.com> wrote:
> On Sun, 11 Jan 2009, Mike McGrath wrote:
>
>> This isn't really required but it's my intention to implement these
>> policies (or what we come to after some discussion). This is targeted
>> _ONLY_ at this team and those with shell access to our servers. It's not
>> my intention to roll it out to the larger community, though it's certainly
>> a good idea for people to read through it.
>>
>>
>> http://mmcgrath.fedorapeople.org/policy/
>>
Mike,
Take a look at Section 1.2. Host Network Security. There is a
duplicate setting.
The 4th setting is:
net.ipv4.conf.all.accept_redirects = 0
This setting is duplicated in the 14th setting.
I'm guessing that the 4th setting should be removed.
Frank

Mike,
First let me say that the examples are a great addition to the page.
I was looking at the iptables sample configuration and had some
questions. I compared your suggested configuration to my current
configuration (Fedora 10). With the exception of the lines with
'--tcp-flags' in your sample configuration, they're pretty close. I
don't have those yet. The first three lines that start with '-A' in
your sample are the same as mine except the order is different. Does
the order make a difference?
Here are the lines from my file:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
Here are yours:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
Thanks,
Frank
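
Added example, not part of the original message or of the policy page: a small first-match model of the INPUT chain, applied to the three rules listed above, that checks whether reordering them changes the verdict for any packet. The sample packets, the DROP default policy and the extra DROP rule are constructed assumptions, and only the options used in these rules are modelled.

```python
import itertools
import shlex

# The three rules from the message (targets in upper case; iptables
# target names are case-sensitive).
RULES = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
]
# Constructed rule with a different target, used only for contrast.
DROP_RULE = "-A INPUT -p tcp -j DROP"

# Constructed sample packets: interface, protocol, conntrack state.
PACKETS = [
    {"iface": "lo", "proto": "tcp", "state": "NEW"},
    {"iface": "eth0", "proto": "icmp", "state": "NEW"},
    {"iface": "eth0", "proto": "tcp", "state": "ESTABLISHED"},
    {"iface": "eth0", "proto": "tcp", "state": "NEW"},
    {"iface": "eth0", "proto": "udp", "state": "RELATED"},
]

def parse(rule):
    """Turn one '-A INPUT ...' line into (match conditions, target)."""
    tok = shlex.split(rule)[2:]          # drop '-A INPUT'
    keys = {"-i": "iface", "-p": "proto", "--state": "state"}
    match, target = {}, None
    for opt, val in zip(tok[0::2], tok[1::2]):
        if opt in keys:
            match[keys[opt]] = set(val.split(","))
        elif opt == "-j":
            target = val
        elif opt != "-m":                # '-m state' only loads the module
            raise ValueError("option not modelled: " + opt)
    return match, target

def verdict(rules, pkt, policy="DROP"):
    """First matching rule decides; the chain policy (assumed DROP) is the fallback."""
    for match, target in map(parse, rules):
        if all(pkt[k] in allowed for k, allowed in match.items()):
            return target
    return policy

def verdicts(rules):
    return tuple(verdict(rules, p) for p in PACKETS)

def order_matters(rules):
    """True if some ordering of the rules changes a verdict for a sample packet."""
    return len({verdicts(p) for p in itertools.permutations(rules)}) > 1

if __name__ == "__main__":
    print("three ACCEPT rules:", order_matters(RULES))
    print("with a DROP rule added:", order_matters(RULES + [DROP_RULE]))
```

In this model, rules that all jump to the same terminating target give the same verdicts in any order; once a rule with a different target is in the chain, its position relative to the others decides the outcome.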