On Thu, Jan 15, 2009 at 9:25 PM, Frank Chiulli <frankc.fedora@xxxxxxxxx> wrote:
> On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> On Sun, 11 Jan 2009, Mike McGrath wrote:
>>
>>> This isn't really required but it's my intention to implement these
>>> policies (or what we come to after some discussion). This is targeted
>>> _ONLY_ at this team and those with shell access to our servers. It's not
>>> my intention to roll it out to the larger community, though it's certainly
>>> a good idea for people to read through it.
>>>
>>> http://mmcgrath.fedorapeople.org/policy/
>>>
>
> Mike,
> Take a look at Section 1.2. Host Network Security. There is a
> duplicate setting.
> The 4th setting is:
> net.ipv4.conf.all.accept_redirects = 0
>
> This setting is duplicated in the 14th setting.
>
> I'm guessing that the 4th setting should be removed.
>
> Frank
>

Mike,
First let me say that the examples are a great addition to the page.

I was looking at the iptables sample configuration and had some
questions. I compared your suggested configuration to my current
configuration (Fedora 10). With the exception of the lines with
'--tcp-flags' in your sample configuration, they're pretty close. I
don't have those yet.

The first three lines that start with '-A' in your sample are the same
as mine except the order is different. Does the order make a
difference?

Here are the lines from my file:

-A INPUT -m state --state ESTABLISHED,RELATED -j accept
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

Here are yours:

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT

Thanks,
Frank
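
The duplicated `net.ipv4.conf.all.accept_redirects` entry reported above is the kind of slip a short check over a sysctl-style settings list catches before the list is applied. The following is an added example, not part of the original thread or the policy page; the sample settings are constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample settings, not the policy page's actual list.
SAMPLE = """\
# constructed sample
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects=0
; alternate comment style
net/ipv4/conf/all/accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter = 0
"""


def parse_assignments(text):
    """Yield (line_number, key, value) for each 'key = value' line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # sysctl accepts '/' in place of '.'; simplification: dotted interface names ignored.
        yield lineno, key.strip().replace("/", "."), value.strip()


def find_duplicates(text):
    """Return {key: {"lines", "conflict", "effective"}} for keys set more than once."""
    seen = defaultdict(list)
    for lineno, key, value in parse_assignments(text):
        seen[key].append((lineno, value))
    report = {}
    for key, hits in seen.items():
        if len(hits) < 2:
            continue
        values = [v for _, v in hits]
        report[key] = {
            "lines": [n for n, _ in hits],
            "conflict": len(set(values)) > 1,
            # Settings are applied top to bottom, so the last assignment wins.
            "effective": values[-1],
        }
    return report


if __name__ == "__main__":
    for key, info in find_duplicates(SAMPLE).items():
        kind = "CONFLICT" if info["conflict"] else "redundant"
        print(f"{kind}: {key} lines {info['lines']} -> effective {info['effective']}")
```

A redundant entry with the same value is harmless but confusing; a conflicting one means the earlier, possibly stricter, value is silently overridden by the later line.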