On Tue, Jun 17, 2003 at 01:08:00AM +0200, Dominik Thüriedl wrote:
Can/should/MUST a firewall be installed, or does Apache provide enough security?
On my root server at 1&1 I have put iptables into operation. For this I use the attached script, which I installed as /etc/init.d/kkfirewall. The script loads a shell script /etc/kkfirewall/kettenhemdhuehner.de.fw that I generated with fwbuilder (http://www.fwbuilder.de). Unlike SuSEFirewall2, the firewall generated with fwbuilder is freely configurable, the rules are easier to read and maintain, and you can implement whatever special requirements you have. So while SuSEFirewall2 is better suited to a given standard setup at home, fwbuilder is the tool of choice for people who know what they are doing and have special requirements. In addition, you will want to download and install iptstate, whether you use SuSEFirewall2 or fwbuilder, so that you can watch the firewall's state table "top"-style while it is running.

The firewall rules I use look like this:

http://vvv.koehntopp.de/fwbuilder1.png
http://vvv.koehntopp.de/fwbuilder2.png

Kristian

#! /bin/sh
#
# System startup script for kkfirewall
#
### BEGIN INIT INFO
# Provides:       kkfirewall
# Required-Start: $remote_fs $syslog $network
# Required-Stop:  $remote_fs $syslog $network
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Description:    Start kkfirewall
### END INIT INFO

# fwbuilder-generated rule script and the log this wrapper appends to
FWCONFIG=/etc/kkfirewall/kettenhemdhuehner.de.fw
FWLOG=/var/log/firewall

# Source SuSE config (if still necessary, most info has been moved)
test -r /etc/rc.config && . /etc/rc.config

# LSB: 6 = program is not configured
test -f "$FWCONFIG" || exit 6

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.

case "$1" in
    start)
        echo -n "Starting kkfirewall"
        echo "`date`: Starting firewall." >> "$FWLOG"
        # Load the fwbuilder-generated rules; their output goes to the log
        sh "$FWCONFIG" >> "$FWLOG" 2>&1

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down kkfirewall"
        echo "`date`: Stopping firewall." >> "$FWLOG"
        # Open the default policies first, then flush the filter chains
        iptables -P OUTPUT ACCEPT
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F

        # Remember status and be verbose
        rc_status -v
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    status)
        echo -n "Checking for service kkfirewall: "
        ## There is no daemon to check with checkproc(8); list the
        ## loaded rules and let rc_status report iptables' exit status.
        iptables -n -L
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
        ;;
esac
rc_exit
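The status action above only prints `iptables -n -L` and reports success whenever iptables ran. As an added example (not part of Kristian's script), this snippet parses such a listing and checks that INPUT and FORWARD default to DROP; both listings are constructed sample data, the second mirroring the all-ACCEPT, flushed state the stop action leaves behind.

```shell
#!/bin/sh
# Added example, not from the init script above: parse `iptables -n -L`
# output and verify that INPUT and FORWARD default to DROP, so a status
# check reports a real result. Both listings are constructed samples.

SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# What the "stop" action leaves behind: policies ACCEPT, chains flushed.
FLUSHED_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# policy_of LISTING CHAIN: print the default policy of CHAIN, or MISSING.
# Chain headers look like "Chain INPUT (policy DROP)", so $4 is "DROP)".
policy_of() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4; found = 1 }
        END { if (!found) print "MISSING" }'
}

# check_policies LISTING: return 0 if INPUT and FORWARD default to DROP, else 1.
check_policies() {
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(policy_of "$1" "$chain")
        if [ "$pol" != DROP ]; then
            echo "chain $chain: policy $pol, expected DROP" >&2
            rc=1
        fi
    done
    return $rc
}

check_policies "$SAMPLE_RULES" && echo "firewall active"
check_policies "$FLUSHED_RULES" || echo "host is open (post-stop state)"
```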