[lug] Personal Server Behind DSL Router

Ken MacFerrin lists at macferrin.com
Thu Jan 11 23:36:34 MST 2007


David L. Anselmi wrote:
> Ken MacFerrin wrote:
>>> I typically don't run iptables on a box like this because all the
>>> services it provides are public.  So there isn't anything for iptables
>>> to block (obviously there are some other useful things iptables can do).
>>
>> Why wouldn't you firewall each machine?  This provides an additional
>> layer of protection for your server in case another machine in your
>> internal network is compromised (ie: your visiting relative that wants
>> to use their spyware filled XP laptop at the house). Given the small
>> memory footprint and simplicity of setting up something like shorewall I
>> can't see why not to turn it on.
> 
> I was talking about public services.  If my public server offers only
> web and ssh, I can't filter those from the Internet.

Not entirely true.  A good set of rules should still be doing traffic
accounting, rate-limiting and filtering for RFC 1918, martians, bogons,
xmas tree packets, etc.  Outside of that, the logging can be invaluable.
Getting logs showing traffic to ports that aren't supposed to be
publicly accessible is usually one of the first ways to know someone's
getting past your border router.  NAT hacking isn't beyond the more
advanced script-kiddies these days.

> Seems unlikely I'd
> want to filter those from the internal network either.
> 
> Given a few servers internally, what do they run?  SSH.  CUPS.  Bacula.
> I'd probably take my chances with those vs. spyware infested XP. Ditto
> apache.  NFS is a different story.  But locking down services to known
> machines can be a hassle for more than about one machine, unless you
> manage them centrally.

I'd agree for the most part assuming you're talking about your typical
family home setup.

> Of course if you don't pay attention to what services are running then
> blocking everything until you decide to allow it isn't a bad idea.
> 
> And also your guests should be using a DMZ, not your internal network.
> Especially if you give them WiFi.
> 
> But it's all a matter of tradeoffs.

Agreed.  I just like to think about it in layers and it always makes me
feel better to have at least one hard crunchy layer before getting to
the soft chewy center.

> FWIW, I didn't find shorewall very easy to use.  Somewhere it got hung
> up between its various files and didn't recognize the interfaces I had.
> fwbuilder seemed much easier.

I haven't tried fwbuilder yet but it does look nice.  Especially the
multiplatform capabilities.  Shorewall took a little while to learn the
first time but it's been nice as a quick text-based tool since I run
nearly all my servers headless.
-Ken
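The ruleset Ken describes for a public web/ssh host, written out as an added example that is not part of the thread or of shorewall/fwbuilder: it drops RFC 1918, martian and bogon sources arriving on the WAN interface, drops xmas-tree and other malformed TCP flag combinations, rate-limits new SSH connections per source, and logs anything that reaches a port that is not meant to be public before dropping it. The interface name `eth0`, the public ports 80 and 22, the `FW-UNEXPECTED:` log prefix and the sample kernel log lines are all assumptions constructed for the example; the log summariser shows the "who is knocking on non-public ports" view the post mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for
# a host whose only public services are HTTP (80) and SSH (22).
# Assumed: WAN interface name (default eth0) and the log prefix.

gen_rules() {
    wan="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MARTIANS - [0:0]
:BADFLAGS - [0:0]
# Loopback and already-established traffic are accepted first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Sources that must never arrive from the Internet: RFC 1918, loopback,
# link-local, "this network", class E and documentation ranges (martians/bogons).
-A INPUT -i $wan -j MARTIANS
-A MARTIANS -s 10.0.0.0/8 -j DROP
-A MARTIANS -s 172.16.0.0/12 -j DROP
-A MARTIANS -s 192.168.0.0/16 -j DROP
-A MARTIANS -s 127.0.0.0/8 -j DROP
-A MARTIANS -s 169.254.0.0/16 -j DROP
-A MARTIANS -s 0.0.0.0/8 -j DROP
-A MARTIANS -s 240.0.0.0/4 -j DROP
-A MARTIANS -s 192.0.2.0/24 -j DROP
# Malformed flag combinations: xmas tree (all flags), null, SYN+FIN, etc.
-A INPUT -p tcp -j BADFLAGS
-A BADFLAGS -p tcp --tcp-flags ALL ALL -j DROP
-A BADFLAGS -p tcp --tcp-flags ALL NONE -j DROP
-A BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A BADFLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A BADFLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A BADFLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A BADFLAGS -p tcp --tcp-flags ACK,URG URG -j DROP
# The two public services; new SSH connections are rate-limited per source IP.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/min --hashlimit-burst 4 -j ACCEPT
# Everything else is logged (rate-limited so the log stays readable) and dropped.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-UNEXPECTED: "
-A INPUT -j DROP
COMMIT
EOF
}

# Count the logged hits per protocol/destination port from kernel log text on
# stdin. Highest count first, e.g. "3 TCP/445".
summarize_log() {
    grep 'FW-UNEXPECTED' \
        | sed -n 's/.* PROTO=\([A-Z]*\).* DPT=\([0-9]*\).*/\1\/\2/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not real traffic) in the kernel LOG target format.
sample_log() {
    cat <<'EOF'
Jan 11 23:36:34 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=41123 DPT=445 WINDOW=1024 SYN URGP=0
Jan 11 23:36:35 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=41124 DPT=445 WINDOW=1024 SYN URGP=0
Jan 11 23:36:36 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=50200 DPT=445 WINDOW=1024 SYN URGP=0
Jan 11 23:36:40 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=50201 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 11 23:36:41 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=50202 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 11 23:36:44 host kernel: FW-UNEXPECTED: IN=eth0 OUT= SRC=198.51.100.3 DST=192.168.1.10 LEN=404 TTL=60 ID=0 DF PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jan 11 23:36:50 host kernel: unrelated kernel message that must be ignored
EOF
}

# Returns the top protocol/port line, e.g. "TCP/445", for the sample log.
top_unexpected_port() {
    sample_log | summarize_log | head -n 1 | awk '{print $2}'
}

# Standalone run: print the ruleset, then the sample summary.
# To load for real (as root): gen_rules eth0 | iptables-restore
gen_rules "${WAN:-eth0}"
sample_log | summarize_log
```

Loading through `iptables-restore` replaces the whole filter table atomically, which is why the example emits restore syntax rather than a series of `iptables -A` calls; the MARTIANS chain is only attached to the WAN interface so that the same RFC 1918 addresses remain usable on the LAN side of the DSL router.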
