
Re: [cobalt-security] Basic IPTables rules for RaQ550



On Mon, 2003-03-17 at 09:04, Michelle A. Hoyle wrote:
> > From: Eric Frisch <ericf@xxxxxxxxxxx>
> >Date: 03 Mar 2003 09:10:32 -0500
> >
> >Why not use gShield, default policy is to drop everything except maybe
> >ident.  You just enable the services you need using a very well
> >documented set of configuration files.  You can add the odd custom rule
> >yourself as well.  The only place I have had trouble is the default
> >policy is to log the drop events for hosts you place in the blacklist,
> >dropping hundreds of packets a second from a rogue site will overwhelm
> >the Raq with logging activity.  You can do an sh -x on the gShield rc
> >file to see all the rules generated if you want to sanity check the
> >thing.
> >
> 
> Thanks for pointing me to that, Eric.  I was able to get gShield 
> configured and running without too many problems (without locking 
> myself out, even.  (-: )
> 
> The only question I have now (and possibly more suited for Cobalt 
> Users, but this is where we started) is that I'm getting a notice 
> hourly from the cron daemon complaining that the log_traffic script 
> can't find the tables it uses for its accounting.  I had a look at 
> the script and I know that's because the gShield script is 
> overwriting those rules.  How did you cope with this or did you just 
> remove the hourly cronjob?
> 

I haven't looked at this or noticed it because I am running gShield on a
somewhat kludged system.  My machine is really a Raq4r with a 2.4 kernel
stuffed into it.  I had to do this because of some stability/DOS related
issues; the machine with the 2.2 kernel was constantly hanging.  I have
another Raq4r running in test with a 550 software load on it and may go
that way for all the systems because the entire software base is much
newer.

Without analyzing what log_traffic really does, it is hard to tell what
impact there is to disabling the cron job.  If it just populates a GUI
screen it may not be all that important.  But then again I extensively
monitor the health of all my systems with Big Brother and centralize all
my logging so I don't go near the GUIs on the Raqs for long periods of
time.  Maybe the original rules could be added in at the end using the
separate file that gShield reads as its final task.  I assume the
original rules would probably show up in one of the rc files.

Sorry I can't be of more help here.

Eric
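As an added example (not code from the thread, from gShield, or from the Cobalt log_traffic script), the following sketch shows the approach Eric suggests: a small idempotent script that checks whether the accounting chains a traffic-logging cron job relies on still exist after the firewall rules have been rewritten, and re-creates them only when they are missing. The chain names `acct_in`/`acct_out`, the jumps from INPUT/OUTPUT, and the idea of running this from whatever file gShield reads as its final task are assumptions for illustration; the real log_traffic rules would have to be copied from the RaQ's own rc files.

```shell
#!/bin/sh
# Added example: re-create accounting chains that a logging cron job expects,
# so a firewall script that flushes everything does not leave the job
# complaining every hour. Chain names and the INPUT/OUTPUT jumps are
# assumptions, not gShield's or log_traffic's actual rules.

IPTABLES="${IPTABLES:-iptables}"

# Accounting chains the (hypothetical) log_traffic job reads counters from.
ACCT_CHAINS="acct_in acct_out"

# chain_exists CHAIN -> 0 if the filter-table chain is present, 1 otherwise.
chain_exists() {
    "$IPTABLES" -t filter -nL "$1" >/dev/null 2>&1
}

# ensure_chain CHAIN: create the chain and the jump that feeds it only when
# the chain is missing; idempotent, so it is safe to call from cron or from a
# firewall post-rules hook. Prints "created" or "present" for the caller.
ensure_chain() {
    chain="$1"
    if chain_exists "$chain"; then
        echo "present"
        return 0
    fi
    "$IPTABLES" -t filter -N "$chain" || return 1
    # Feed the chain from INPUT or OUTPUT depending on its suffix (assumed naming).
    case "$chain" in
        *_in)  "$IPTABLES" -t filter -I INPUT  1 -j "$chain" ;;
        *_out) "$IPTABLES" -t filter -I OUTPUT 1 -j "$chain" ;;
    esac
    echo "created"
}

# ensure_accounting_chains: prints how many chains had to be re-created
# (0 means the firewall script left them alone this time).
ensure_accounting_chains() {
    created=0
    for c in $ACCT_CHAINS; do
        r=$(ensure_chain "$c") || return 1
        [ "$r" = "created" ] && created=$((created + 1))
    done
    echo "$created"
}

# Only touch the live ruleset where a real iptables exists and we are root,
# e.g. when sourced from the firewall's final hook file.
if command -v "$IPTABLES" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    ensure_accounting_chains
fi
```

Because the script names the iptables binary through `$IPTABLES`, it can be dry-run against a stub before being wired into the firewall's hook; the counter rules themselves (what log_traffic actually reads) still have to be taken from the original rc file rather than guessed.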