From: Filip Sneppe <filip.sneppe@cronos.be>
To: Mike <mikeeo@msn.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: different DMZs which is better?
Date: 14 Jan 2003 13:26:00 +0100
Message-ID: <1042547161.464.17.camel@xbox>
In-Reply-To: <001201c2bb38$25e45980$1e01a8c0@win2k.com>

On Mon, 2003-01-13 at 20:15, Mike wrote:
> I talked with my ISP and they will route me a /30 for my firewall and a /28
> for the DMZ segment. The DMZ will be hosting a webfarm. Does anyone have a
> list of things I should do to the box besides filtering rules? Like how I can
> stop directed broadcasts, etc.

You may want to install a package called "systune" - it's very
useful for this kind of tuning. Alternatively, you could prepend
or append your firewall script with these settings.

Check out Oscar Andreasson's sysctl tutorial for all the
relevant info on network /proc settings.

http://ipsysctl-tutorial.frozentux.net/

Some things that spring to mind:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

> I am going to accept Established and New
> connections in the forward chain going to the webservers and drop invalid.
> Is that ok for webservers or should I also accept related? I'm only going to
> open up port 80 to the webservers and drop everything else.
>
For port 80/http traffic, "RELATED" doesn't really have any meaning,
except that ICMP error messages can also be related to a TCP or UDP
traffic flow, things like ICMP "fragmentation needed" messages.
So you may actually want to allow RELATED traffic too.

Regards,
Filip
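The /proc settings and the RELATED point from the reply above, as an added shell example that is not part of the original mail: it applies the settings, re-checks them as a drift check, and emits FORWARD rules for the web farm using the modern `conntrack` match. `PROC_ROOT`, the `192.0.2.16/28` DMZ range and the `eth1` interface name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): apply the /proc settings from
# the reply, verify them as a drift check, and emit FORWARD rules for the DMZ
# web farm. PROC_ROOT is an assumption so the functions can be exercised
# against a scratch directory instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# One "path=value" per line; conf/*/ entries apply to every interface.
HARDENING="icmp_echo_ignore_broadcasts=1
icmp_ignore_bogus_error_responses=1
conf/*/accept_redirects=0
conf/*/accept_source_route=0
tcp_timestamps=0"

# hardening apply  -> write each desired value (read-only entries skipped)
# hardening verify -> return 1, reporting on stderr, if any entry drifted
hardening() {
    drift=0
    while IFS='=' read -r key val; do
        for f in "$PROC_ROOT"/$key; do         # unquoted $key lets conf/*/ expand
            [ -r "$f" ] || continue
            if [ "$1" = apply ]; then
                [ -w "$f" ] && echo "$val" > "$f"
            elif [ "$(cat "$f")" != "$val" ]; then
                echo "drift: $f is $(cat "$f"), want $val" >&2
                drift=1
            fi
        done
    done <<EOF
$HARDENING
EOF
    return $drift
}

# iptables-restore fragment: drop what conntrack cannot classify, pass
# ESTABLISHED,RELATED (RELATED carries ICMP errors such as the "fragmentation
# needed" messages the reply mentions), admit only NEW HTTP to the web servers.
# The /28 and interface are constructed placeholders for the ISP-routed DMZ.
dmz_forward_rules() {
    dmz_net="${1:-192.0.2.16/28}"
    dmz_if="${2:-eth1}"
    cat <<EOF
*filter
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $dmz_if -d $dmz_net -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $dmz_if -d $dmz_net -j DROP
COMMIT
EOF
}
```

Run `hardening apply && hardening verify` from the firewall script, and feed `dmz_forward_rules <net> <if>` to `iptables-restore -n` after reviewing the output.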
