Summary


FTP and NFS both require considerably more complicated firewall rule policies and kernel module support because of their multi-port protocols. Fortunately, they are very well understood and firewall-friendly protocols. Other methods of file sharing, such as BitTorrent, or other protocols, such as Voice over IP H.323, can be considerably more difficult or limited in their ability to work in NAT environments.
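As an added illustration of why FTP needs more than a single port rule (this script is not from the book), the rules below place the naive "open every high port to the server" policy next to the connection-tracking approach that only admits the data connection the control channel actually negotiated. It assumes an internal FTP server at 192.0.2.10 (a documentation address), the modern helper module name nf_conntrack_ftp (older 2.4/2.6 kernels call it ip_conntrack_ftp), and prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the book's own ruleset. Addresses, interface and module
# names are assumptions; review the printed commands before running with APPLY=1.
FTP_SRV=${FTP_SRV:-192.0.2.10}
IPT=${IPT:-iptables}

# Weak version: lets any TCP connection reach ports 1024-65535 on the server.
# Passive-mode data channels work, but so does every other service listening there.
weak_rules() {
    echo "$IPT -A FORWARD -p tcp -d $FTP_SRV --dport 21 -j ACCEPT"
    echo "$IPT -A FORWARD -p tcp -d $FTP_SRV --dport 1024:65535 -j ACCEPT"
}

# Hardened version: load the FTP helper so the PORT/PASV exchange on the control
# channel is parsed and only the negotiated data connection is marked RELATED.
hardened_rules() {
    echo "modprobe nf_conntrack_ftp"
    # Kernels since 4.7 no longer attach helpers automatically; assign the helper
    # explicitly in the raw table for traffic to the control port (must precede
    # connection tracking, which is why it lives in raw/PREROUTING).
    echo "$IPT -t raw -A PREROUTING -p tcp -d $FTP_SRV --dport 21 -j CT --helper ftp"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -p tcp -d $FTP_SRV --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    echo "$IPT -A FORWARD -d $FTP_SRV -j DROP"
}

# Review helper: count rules in a rule set that open the whole high-port range.
# Returns 1 for the weak set and 0 for the hardened set.
count_wide_open() {
    "$@" | grep -c -- '--dport 1024:65535' || true
}

if [ "${APPLY:-0}" = "1" ]; then
    hardened_rules | sh -e
else
    echo "# weak (for comparison only):"; weak_rules
    echo "# hardened:"; hardened_rules
fi
```

The helper only sees the PORT/PASV commands if the control channel is plain text, so FTP over TLS still needs a bounded passive port range on the server and a matching explicit rule.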

If your problem isn't covered here, fall back on the methodology. For that matter, whenever you're making complex firewall changes such as supporting NFS, you probably want to follow this methodology anyway. NFS is a scary protocol in terms of security!

  • Define the Problem: What is happening, and whom is it affecting? Is it affecting inbound or outbound traffic, every user or just a subset?

  • Gather Facts: Did anything change? Are other systems on the internal network available that might indicate that this is a broader network outage? Don't forget to take a look with your sniffer!

  • Define the End State: What is the goal (restoring file sharing through FTP, for example)? What components of your network does this affect, and what are they supposed to do?

  • Develop Possible Solutions and Create an Action Plan: You've determined that you need to place your FTP server in a safer location, such as a DMZ network, to provide access to both internal and external users.

  • Analyze and Compare Possible Solutions: What do you need, how long will it take to implement your plan, and will it solve the problem in the most efficient way? How long will it take you to create a DMZ or reuse an existing one? Will it expose other users or systems to risk?

  • Select and Implement Solution: Make your plan and implement your solution.

  • Critically Analyze Solution for Effectiveness: Did the system work? Test your firewall rules to verify that you haven't created other security risks and check with the users to make sure that they can access the system from where they need to.

We hope that you've finished this chapter understanding how to compile more complex, multi-port firewall rulesets and how to configure your kernel to handle the connection tracking these protocols need, before moving on to more sophisticated protocols. And don't forget to test your rules for security vulnerabilities! (See Chapter 10, "Testing Your Firewall Rules [for Security!]".)



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    EAN: N/A
    Year: 2004
    Pages: 169
