Before messing with iptables, set a little script to undo whatever you did after 5 minutes when you mess with it so you can test out the changes, that way if you *do* lock yourself out, you know 1) not to use those settings 2) how to get back in<br>
<br><div class="gmail_quote">On Feb 6, 2008 11:15 AM, Teodorski, Chris <<a href="mailto:teodorski@ppg.com">teodorski@ppg.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>I would LOVE to hear a pf tutorial. I *kinda* know Iptables, at least enough to lock myself out of my own server, but I know nothing of pf.<br><br>Chris<br><br>Sorry for the top post -- kinda of hard to correct once it has been top posted.<br>
<div><div></div><div class="Wj3C7c"><br>-----Original Message-----<br>From: wplug-bounces+teodorski=<a href="mailto:ppg.com@wplug.org">ppg.com@wplug.org</a> [mailto:<a href="mailto:wplug-bounces+teodorski=ppg.com@wplug.org">wplug-bounces+teodorski=ppg.com@wplug.org</a>] On Behalf Of Michael Semcheski<br>
Sent: Wednesday, February 06, 2008 10:42 AM<br>To: General user list<br>Subject: Re: [wplug] pf and openbsd<br><br>Just in case we don't get a pf tutorial at an upcoming GUM, but your<br>interest in pf and OpenBSD is piqued, check out:<br>
<br><a href="http://www.openbsd.org/faq/pf/index.html" target="_blank">http://www.openbsd.org/faq/pf/index.html</a><br><br>pf is a fantastic firewall. I don't know if you can do everything in<br>iptables that you can with pf. e.g., authpf. authpf alllows you to<br>
add special firewall rules for people who have authenticated. For<br>example, you could set things up to only allow connections to a<br>certain port if the user is already connected via ssh.<br><br><br><br>On Feb 6, 2008 9:13 AM, Duncan Hutty <<a href="mailto:dhutty+wplug@ece.cmu.edu">dhutty+wplug@ece.cmu.edu</a>> wrote:<br>
> Brian A. Seklecki wrote:<br>> > Move fast. Time of of the essence. Put an OpenBSD box in front of it<br>> > running pf(4) and pray that no one ever reads your SMTP headers.<br>> ><br>> > ~BAS<br>
> ><br>> Bad Lava. I don't think he was looking for BSD evangelism.<br>><br>> You know that it's perfectly possible to run nice safe linux boxen as routers for this situation. You should also be aware that there are plenty of large organisations including local .edu installations that have linux machines on publicly routable addresses without firewalls or NAT without getting compromised all the time.<br>
><br>> The OP should realise the risks (which it appears that he does) and<br>> assess whether he has the skills/knowledge/time (or the inclination to<br>> learn them) in order to mitigate those risks down to what he considers<br>
> to be acceptable levels for this situation. This is the fundamental<br>> question in security. And well you know it.<br>><br>> If, on the other hand, you want to suggest that OpenBSD/pf would be a<br>> better solution for this situation. I'm sure wplug would be interested<br>
> in a presentation complete with analysis and howto:)<br>> --<br>> Duncan Hutty<br>><br>> _______________________________________________<br>> wplug mailing list<br>> <a href="mailto:wplug@wplug.org">wplug@wplug.org</a><br>
> <a href="http://www.wplug.org/mailman/listinfo/wplug" target="_blank">http://www.wplug.org/mailman/listinfo/wplug</a><br>><br><br></div></div><font color="#888888">[Teodorski, Chris]<br></font><div><div></div><div class="Wj3C7c">
<br><br><br><br>_______________________________________________<br>wplug mailing list<br><a href="mailto:wplug@wplug.org">wplug@wplug.org</a><br><a href="http://www.wplug.org/mailman/listinfo/wplug" target="_blank">http://www.wplug.org/mailman/listinfo/wplug</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Mackenzie Morgan<br>Linux User #432169<br>ACM Member #3445683<br><a href="http://ubuntulinuxtipstricks.blogspot.com">http://ubuntulinuxtipstricks.blogspot.com</a> <-my blog of Ubuntu stuff<br>
apt-get moo