RFC - sysadmin guidelines
Frank Chiulli
frankc.fedora at gmail.com
Sat Jan 17 05:13:40 UTC 2009
On Thu, Jan 15, 2009 at 9:25 PM, Frank Chiulli <frankc.fedora at gmail.com> wrote:
> On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
>> On Sun, 11 Jan 2009, Mike McGrath wrote:
>>
>>> This isn't really required but it's my intention to implement these
>>> policies (or what we come to after some discussion). This is targeted
>>> _ONLY_ at this team and those with shell access to our servers. It's not
>>> my intention to roll it out to the larger community, though it's certainly
>>> a good idea for people to read through it.
>>>
>>> http://mmcgrath.fedorapeople.org/policy/
>>>
>
> Mike,
> Take a look at Section 1.2. Host Network Security. There is a
> duplicate setting.
> The 4th setting is:
> net.ipv4.conf.all.accept_redirects = 0
>
> This setting is duplicated in the 14th setting.
>
> I'm guessing that the 4th setting should be removed.
>
> Frank
>
Mike,
First let me say that the examples are a great addition to the page.
I was looking at the iptables sample configuration and had some
questions. I compared your suggested configuration to my current
configuration (Fedora 10). With the exception of the lines with
'--tcp-flags' in your sample configuration, they're pretty close. I
don't have those yet. The first three lines that start with '-A' in
your sample are the same as mine except the order is different. Does
the order make a difference?
Here are the lines from my file:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
Here are yours:
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
Thanks,
Frank