[geeks] Fedora question regarding firewalls in general...

Michael C. Vergallen mvergall at telenet.be
Sun Mar 28 18:07:32 CDT 2010


Dan Duncan wrote:
> Just be aware that if they compromise the DMZ machine they will do one
> or more of the following:

> 1)  Use it to stage further attacks on other people (which may get YOU
> in trouble)
>
> 2)  Use it to stage further attacks on YOUR network
>
> 3)  Sift through your data for anything interesting (including browser
> cache and network mounts)
>
> 4)  Delete/wreck your stuff  (Consider having any nfs or smb mounts
> read-only on the DMZ machine)
>
> If they manage to compromise one of your other systems they will
> repeat the above list.  With that in mind, the firewall isn't a bad
> idea everywhere.  Only open it up as much as you really need it.  You
> should be able to adjust the firewall to allow anything you need.  NFS
> uses portmapper to choose ports but in Fedora you can adjust
> /etc/sysconfig/nfs to pre-determine what those ports are and set your
> firewall accordingly.
>

True, however isn't that what tripwire is for ... warning you if someone 
has compromised the DMZ? If that happens you flip the switch on that 
machine, reinstall from the image created, plug the holes that were on 
the system and recreate the image. Also on the DMZ there are no Samba 
mounts (I don't do Samba or use NFS) because they can be detrimental to 
the system's performance. I rsync the stuff I need to work on to my 
workstation from the server, and each hour the server syncs my work back 
to its disk, all via ssh connections. I also track security issues and 
fix them when they come up. That is why I only have prebuilt binaries on 
the workstations; the rest is built from scratch. I'm even considering 
building the whole workstation system from scratch, but at the moment I 
don't have enough time to do that. However, due to my increased 
frustrations with Linux distributions I just might start to do that.

I tried Debian & Ubuntu; both are kind of okay but they are slow at 
updating stuff I need, namely audio & video stuff. Gentoo is also okay 
but has too many problems with those apps. Now I'm testing Fedora at the 
moment ... and don't like some of the stuff they try to force people to 
adhere to, like the stuff they make one do to build a kernel. I'll 
probably try Slackware next to see if that is more to my liking ... I've 
seen that it can be made to function with NetBSD pkgsrc. My problem is 
that I require VirtualBox for connecting to my bank via a Windows app (I 
hate that, but then again one has to accommodate people who don't know 
better). Also, the BSDs are a non-option, and Solaris could do it if I 
could get Cinelerra (the most important app to me), Audacity, something 
resembling dvdrip and DeVeDe to function properly on it; then it would be 
an option ... I know that there is a distribution that has those apps 
built on a Linux kernel available, but that is a commercial 
product ... and is quite costly ... so no, that is not an option, as most 
audiovisual editing stuff I do is for friends, family and non-profit 
organisations, so I can't ask them for money to purchase a license to a 
commercial product. So if anyone knows of a free distro that has all I 
need that I might not have info on, please let me know.

Michael
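
Worked example, added here and not part of Dan's or Michael's messages: a 
small POSIX shell script that reads the pinned ports from an 
/etc/sysconfig/nfs-style file, refuses to proceed if any helper daemon is 
still left to portmapper's random choice, and prints the iptables rules 
that let only one source network reach rpcbind, nfsd and those pinned 
ports. The variable names are the ones I expect in Fedora's 
/etc/sysconfig/nfs (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, 
RQUOTAD_PORT) and the sample file is constructed inline; check the names 
against your own file, and remember that changing the ports needs an NFS 
service restart before the rules match what rpcinfo -p reports.

```shell
#!/bin/sh
# Added example (not from the thread): pin the NFS helper daemons to fixed
# ports via /etc/sysconfig/nfs-style settings and derive the matching
# iptables rules, so the firewall can stay closed except for those ports.
# Variable names (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT,
# RQUOTAD_PORT) are assumed to match Fedora's /etc/sysconfig/nfs; verify
# against your own file.  Nothing here applies rules; it only prints them.

# nfs_port FILE VAR: print the value of VAR=... in FILE (quotes stripped,
# commented-out lines ignored, last assignment wins); empty if unset.
nfs_port() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2 | tr -d '"'
}

# nfs_ports_pinned FILE: succeed only if every helper daemon has a fixed
# port; otherwise portmapper hands it a random one and a static firewall
# rule set cannot cover it.
nfs_ports_pinned() {
    for var in MOUNTD_PORT STATD_PORT LOCKD_TCPPORT LOCKD_UDPPORT; do
        if [ -z "$(nfs_port "$1" "$var")" ]; then
            echo "$var not set in $1: port will be chosen at random" >&2
            return 1
        fi
    done
    return 0
}

# nfs_fw_rules FILE SOURCE: print iptables ACCEPT rules for SOURCE (an
# address or CIDR) covering rpcbind/portmapper (111), nfsd (2049) and
# every pinned helper port, tcp and udp, each port listed once.
nfs_fw_rules() {
    ports="111 2049"
    for var in MOUNTD_PORT STATD_PORT LOCKD_TCPPORT LOCKD_UDPPORT RQUOTAD_PORT; do
        p=$(nfs_port "$1" "$var")
        if [ -n "$p" ]; then
            ports="$ports $p"
        fi
    done
    seen=""
    for p in $ports; do
        # skip duplicates (LOCKD_TCPPORT and LOCKD_UDPPORT are often equal)
        case " $seen " in *" $p "*) continue ;; esac
        seen="$seen $p"
        echo "iptables -A INPUT -s $2 -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -s $2 -p udp --dport $p -j ACCEPT"
    done
}

# Constructed sample of /etc/sysconfig/nfs (not a real file from any host).
# RQUOTAD_PORT is left commented out on purpose to show it is skipped.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
EOF

# Print the rule set for a LAN (address assumed for the example) only when
# every helper port is pinned; otherwise the warning goes to stderr.
if nfs_ports_pinned "$CFG"; then
    nfs_fw_rules "$CFG" 192.168.1.0/24
fi
```

The script deliberately stops when a port is unpinned rather than printing 
a partial rule set, since a rule set that silently omits lockd or statd is 
exactly the kind of "works until it doesn't" firewall hole Dan is warning 
about; lock the ports down first, then restrict the source to the hosts 
that actually mount the export.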
