Miles Brennan miles at
Sun Jan 9 06:46:18 UTC 2005

Christopher K. Johnson wrote:

> In the SSH section - I highly recommend disabling protocol 1, making 
> the sshd_config line:
> Protocol 2

I agree. Although it is rare that this might be exploited, I think it's 
best to be safe.
I was considering key authentication, possibly next revision as you suggest.

> Back to the current document.
> In the NFS section - an nfs3 configuration for which access can be 
> restricted by firewall rules can be achieved easily.

Thanks for the NFS firewalling info; it's great information, although I 
would probably consider this more of an advanced user topic. I'll see 
how we go.

> By the way I believe in a stateful firewall the inquiries initiated by 
> ntpd do not need firewall rules to permit their response.  It is only 
> when broadcasts are listened for that a firewall hole is needed to 
> listen for them.  So when using specific ntp servers and you have a 
> rule such as your:
> iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j 
> ...then ntpd should work fine.  It appears that the insertion of 
> iptables rules in the ntpd start script is no longer done in FC3.  If 
> memory serves - those specifically targeted the RH-Firewall-1-INPUT 
> table anyhow, and you are not using that table.

You are correct about both the FC3 initscripts and the firewall rules. 
I've flagged the NTP comment box for possible deletion in coming 
revisions; I'll leave it in for the time being as a precaution 
(this chapter is distro-generic info, so it may still affect some users).

> Lastly I would include a small section below Packet Forwarding within 
> Firewall Concepts to introduce the use of sysctl.conf control of ecn 
> and tcp window scaling since these can cause problems with some 
> routers, firewalls, etc.  So knowing how to turn them off is useful.

The sysctl probably wouldn't hurt new users; I'll keep the info handy 
and see what I can do with it (I have to make it simple).


Thanks for the feedback.

I have made some minor adjustments to the document and flagged other 
sections for future review based on your suggestions.

Thanks for your time.
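As an added example (not part of this thread or of the document under review), a small POSIX shell audit of two of the settings discussed above: whether an sshd_config still permits SSH protocol 1, and what a sysctl.conf file sets for the ECN and window-scaling keys. It assumes the compiled-in default for an absent Protocol line is "2,1", which holds for OpenSSH releases before 5.4 (including the version shipped with FC3); the sample files and paths are constructed here so it runs offline.

```shell
#!/bin/sh
# Effective sshd "Protocol" value: sshd honours the first matching directive,
# so the first non-comment line wins. An absent directive means the compiled-in
# default, which for OpenSSH before 5.4 is "2,1" (assumption stated in the lead-in).
ssh_protocol_value() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "protocol" { print $2; found = 1; exit }
        END { if (!found) print "2,1" }
    ' "$1"
}

# Return 0 if the given sshd_config still allows protocol 1 (alone or as "2,1").
ssh_allows_protocol1() {
    case ",$(ssh_protocol_value "$1")," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Value assigned to a key in a sysctl.conf-style file. Later assignments override
# earlier ones (sysctl -p applies them in order); prints "unset" if absent.
sysctl_conf_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { val = v; found = 1 }
        END { print (found ? val : "unset") }
    ' "$1"
}

# --- constructed sample files (hypothetical, not from any real host) ---------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Port 22\n# Protocol 1\nProtocol 2\n'   > "$tmp/hardened"   # v1 disabled
printf 'Port 22\nProtocol 2,1\n'               > "$tmp/both"       # v1 still on
printf 'Port 22\n'                             > "$tmp/default"    # relies on default
printf 'net.ipv4.ip_forward = 0\nnet.ipv4.tcp_ecn = 0\nnet.ipv4.tcp_window_scaling = 0\n' > "$tmp/sysctl"

for f in hardened both default; do
    if ssh_allows_protocol1 "$tmp/$f"; then
        echo "$f: Protocol=$(ssh_protocol_value "$tmp/$f") -> protocol 1 still enabled"
    else
        echo "$f: Protocol=$(ssh_protocol_value "$tmp/$f") -> protocol 1 disabled"
    fi
done
echo "tcp_ecn=$(sysctl_conf_value "$tmp/sysctl" net.ipv4.tcp_ecn)"
echo "tcp_window_scaling=$(sysctl_conf_value "$tmp/sysctl" net.ipv4.tcp_window_scaling)"
```

On a real host, point the functions at /etc/ssh/sshd_config and /etc/sysctl.conf instead of the sample files.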


