[Firehol-support] Re: servere's firewall

Daniel Pittman daniel at rimspace.net
Fri Apr 29 23:36:53 BST 2005

On 30 Apr 2005, Grigory Fateyev wrote:
> I need to write very security firewall for hosting server. Write
> frirehol.conf for it. What I must do for improving protection? Please,
> give me advice.


> blacklist full

You *must* add a comment here, explaining to anyone else who looks at it
*why* you blacklist that address.  Otherwise, pain will ensue.[1]

> mac xx.xx.xx.0/24 my MAC-address
> server_ips = "xxx.xxx.xxx.64/28"
> trust_ips = "xx.xx.xx.0/24"
> trust_dns = ""
> interface eth0 internet src "${server_ips}"
> protection strong 10/sec 10

This looks *much* too low for a hosting site.  Ten connections a second
is, like, two web pages a second.[2]  You probably want something closer
to "100/sec 200" or even higher.

Also, *monitor* this in deployment to make sure it really does what you
want, and that your clients don't suffer as a result.

> server ident reject with tcp-reset
> server dns      accept
> server ftp      accept

Offering this will result in password guessing attacks on the server.
Make sure you have decent rate and load limiting on the FTP server.

(Yes, this isn't really a firewall issue, but close enough. ;)

> server http     accept
> server https    accept

> server pop3     accept
> server imap     accept

Offering these two encourages your clients to give away their passwords.
Turn them off, and require the use of SSL to connect to the POP and IMAP

> server pop3s    accept
> server imaps    accept

If, like many hosting companies, you don't actually *want* to offer
server side email storage, turn off IMAP.  Most clients don't care, and
it certainly adds little over POP in most similar services. 

> server ssh      accept src "${trust_ips}"
> #       server icmp     accept

You probably should turn that back on.  There is a lot of benefit in
being able to tell that the server is, in fact, running, even if you are
at home at the time. :)

> client all      accept

That last line is a *huge* mistake.  Rewrite it is 'client "dns ssh ..."
accept', so you don't just allow everything.  Really.


[1]  If you don't think anyone else ever will, consider your desire to
     (eventually) take a holiday. :)

[2]  Most browsers fetch more than one image, and do it pretty fast...

It is difficult to produce a television documentary that is both incisive and
probing when every twelve minutes one is interrupted by twelve dancing rabbits
singing about toilet paper.
        -- Rod Serling

More information about the Firehol-support mailing list