[ale] iptables
Ken Ratliff
forsaken at targaryen.us
Fri Jan 16 18:09:21 EST 2009
On Jan 16, 2009, at 5:31 PM, Jim Popovitch wrote:
> On Fri, Jan 16, 2009 at 17:19, Paul Cartwright <ale at pcartwright.com>
> wrote:
>> I looked up fail2ban, looks like it isn't ready for stable yet..
>
> f2b is used on a lot of production sites/firewalls/etc. It utilizes
> iptables, but is not a replacement for a proper installation of
> iptables.
Yeah, I regard it mostly as a way to cut down on log file size. If
some kid is running a script against my ssh port, f2b will pick it up
and cut out some of the noise.
> FWIW, your experiences with iptables are some linux distro dirty
> laundry. No single distro seems to do firewalling well. I guess the
> problem is that firewalls are different things to different people.
We do the majority of our firewalling at work with iptables because
each of our customers has different needs, and it's impractical to try
and centralize the firewall rules and make all of them happy. So we
store everything in a mysql database, and the servers run a refresh
script every 15 minutes. That lets us add blocks to our global ban
list and protect all servers at once when necessary, as well as apply
individual rules to individual servers (some customers want ftp locked
down to only a certain set of IPs, for example).
My personal preference for firewalling is OpenBSD. pf is just killer,
and I trust OpenBSD as a public-facing box more than any other.
With that being said, I do all the firewalling for my personal network
on my router via Cisco's firewall IOS feature set, just because it's
most convenient for me right now. Eventually I'll get around to
putting an OpenBSD box between the router and the switch and just let
the router pass traffic.
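An added example, not Ken's script or anything from the ale list: a refresh script in the shape he describes, pulling a global ban list plus per-server rules out of a database and loading them into iptables in one atomic step. It assumes sqlite3 standing in for MySQL and an invented two-table schema (global_bans, host_rules).

```python
"""Hypothetical refresh script: render an iptables-restore ruleset from a DB.
Assumptions: sqlite3 stands in for MySQL; the schema below is invented."""
import ipaddress
import sqlite3
import subprocess

SCHEMA = """
CREATE TABLE global_bans (cidr TEXT NOT NULL);
CREATE TABLE host_rules (host TEXT, dport INTEGER, src_cidr TEXT);
"""

def check_cidr(text):
    """Normalise a DB value to CIDR form; a malformed row (typo or
    tampering) raises ValueError and aborts the refresh rather than
    letting arbitrary text reach iptables-restore."""
    return str(ipaddress.ip_network(text, strict=False))

def build_ruleset(conn, host):
    """Render the filter table for `host` as iptables-restore input."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]"]
    # Global ban list first, so a fresh ban also cuts existing sessions.
    for (cidr,) in conn.execute("SELECT cidr FROM global_bans"):
        lines.append(f"-A INPUT -s {check_cidr(cidr)} -j DROP")
    lines.append("-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    # Per-host allow lists (e.g. ftp only from a customer's own addresses),
    # each restricted port closed with a trailing DROP.
    rows = conn.execute("SELECT dport, src_cidr FROM host_rules WHERE host=? "
                        "ORDER BY dport, rowid", (host,)).fetchall()
    ports = []
    for dport, src in rows:
        port = int(dport)
        lines.append(f"-A INPUT -p tcp --dport {port} -s {check_cidr(src)} -j ACCEPT")
        if port not in ports:
            ports.append(port)
    for port in ports:
        lines.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

def apply_ruleset(text):
    """Load the whole table atomically; nothing is applied on a parse error."""
    subprocess.run(["iptables-restore"], input=text.encode(), check=True)

def demo():
    """Constructed sample data (documentation-range addresses)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO global_bans VALUES (?)",
                     [("198.51.100.0/24",), ("203.0.113.7",)])
    conn.executemany("INSERT INTO host_rules VALUES (?,?,?)",
                     [("web1", 21, "192.0.2.10"), ("web1", 21, "192.0.2.0/28"),
                      ("web2", 22, "192.0.2.5")])
    return build_ruleset(conn, "web1")
```

Run from cron every 15 minutes as `apply_ruleset(build_ruleset(conn, hostname))`; `demo()` only renders the text so it can be inspected without root.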