On Mon, 2003-01-13 at 20:15, Mike wrote:

> I talked with my ISP and they will route me a /30 for my firewall and a /28
> for the DMZ segment. The DMZ will be hosting a webfarm. Does anyone have a
> list of things I should do to the box besides filtering rules? Like how I can
> stop directed broadcasts etc...

You may want to install a package called "systune" - it's very useful for
this kind of tuning. Alternatively, you could prepend or append your firewall
script with these settings. Check out Oscar Andreasson's sysctl tutorial for
all the relevant info on network /proc settings.

http://ipsysctl-tutorial.frozentux.net/

Some things that spring to mind:

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't log bogus ICMP error responses from broken routers
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Refuse ICMP redirects on every interface (all, default, eth0, ...)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
# Refuse source-routed packets on every interface
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Disable TCP timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

> I am going to accept Established and New
> connections in the forward chain going to the webservers and drop invalid.
> Is that ok for webservers or should I also accept related? I'm only going to
> open up port 80 to the webservers and drop everything else.

For port 80/http traffic, "RELATED" doesn't really have any meaning, except
that ICMP error messages can also be related to a TCP or UDP traffic flow,
things like ICMP "fragmentation needed" messages. So you may actually want to
allow RELATED traffic too.

Regards,

Filip
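The settings above are written once and drift silently if another script or a reboot resets them. The script below is an added example, not code from the thread or from systune: it turns the same five /proc/sys settings into an audit that reports every value differing from the hardened one, plus an apply step that only touches the files that drifted. The ROOT variable is an assumption of this example, not a kernel feature: it prefixes every /proc/sys path so the audit can be run against a copied or constructed tree (which is also how it can be exercised without root).

```sh
#!/bin/sh
# Added example: audit/apply the /proc/sys hardening settings from the post.
# ROOT (assumed here, not a kernel knob) lets the checks run against any tree.

# Desired settings: "relative path under /proc/sys  value".
# A '*' component expands to every per-interface directory (all, default, eth0, ...).
harden_settings() {
    cat <<'EOF'
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/conf/*/accept_redirects 0
net/ipv4/conf/*/accept_source_route 0
net/ipv4/tcp_timestamps 0
EOF
}

# audit_sysctl ROOT: print "path current wanted" for every setting that
# differs from the hardened value. Prints nothing when everything matches.
audit_sysctl() {
    audit_root="${1:-}"
    harden_settings | while read -r rel want; do
        # $rel is deliberately unquoted so the '*' in the path globs.
        for f in "$audit_root"/proc/sys/$rel; do
            [ -e "$f" ] || continue          # missing knob on this kernel
            have=$(cat "$f")
            if [ "$have" != "$want" ]; then
                printf '%s %s %s\n' "${f#"$audit_root"}" "$have" "$want"
            fi
        done
    done
    return 0
}

# sysctl_compliant ROOT: exit status 0 when the audit reports no drift.
sysctl_compliant() {
    [ -z "$(audit_sysctl "${1:-}")" ]
}

# apply_sysctl ROOT: write the hardened value to each file that drifted,
# logging the change. Writing to a real /proc/sys needs root.
apply_sysctl() {
    apply_root="${1:-}"
    audit_sysctl "$apply_root" | while read -r path have want; do
        printf '%s\n' "$want" > "$apply_root$path"
        printf 'set %s: %s -> %s\n' "$path" "$have" "$want"
    done
}

# Usage:  sh harden.sh audit        (report drift, exit 1 if any)
#         sh harden.sh apply        (fix drift; run as root)
#         ROOT=/mnt/snapshot sh harden.sh audit   (audit a copied tree)
case "${1:-}" in
    audit) audit_sysctl "${ROOT:-}"; sysctl_compliant "${ROOT:-}" ;;
    apply) apply_sysctl "${ROOT:-}" ;;
esac
```

Because the apply step is driven by the audit output, re-running it after a reboot or after another tool has reset a value writes only what changed, and the audit alone is safe to run from cron on the firewall to catch drift before it matters.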