amuck-landowner

Your dumbest firewall rule

NodeBytes

Dedi Addict
Soooo... we all have that one firewall rule that just makes things work but is insanely stupid/insecure. What's yours?
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Whats a firewall?

I see server security like I see locking a car. I don't want someone to bust out my window just to steal the change in the cup holders. So I just leave it unlocked...

Haha, I kid I kid.
 

Slownode

New Member
80 to 8080


443 to 8090


22 drop


Something to 22


Every server of mine.
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.
 

Shados

Professional Snake Miner
I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.
Maybe try ferm? It's pretty cool from what I've seen.
 

raindog308

vpsBoard Premium Member
Moderator
I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.
When I ran a cpanel server, I found ConfigServer Firewall to be super-awesome.  Every few hours I got an email stating "detected brute force from X.X.X.X/CN, blocked".  It analyzed failed logins, brute-forces, too many apache connections, etc. and inserted an iptables rule.

There are other packages that do this as well - fail2ban - but CSF was nice because it plugged into cpanel.

I find the utility of firewalls increases with the number of users.  If it's a VPS and I'm the only user - probably not much value because I'm running a few services on oddball ports and I'm not likely to start up any others.  Then again, apt-get the wrong Debian package and you can find yourself serving samba to the Internet, so...
 

DalComp

New Member
This kind of "hardware" firewall, I am sure my servers are secure.

ZETW654.jpg
 
Last edited by a moderator:
Blocking ICMP completely is one the more silly ones I used to do, until I realize PMTU and others require working ICMP. 
 

wlanboy

Content Contributer
Soooo... we all have that one firewall rule that just makes things work but is insanely stupid/insecure. What's yours?
  1. Apply all rules
  2. Test them
  3. Check that nothing is working
  4. Check everything & redeploy
  5. Test them again
  6. Check that nothing is working again
  7. Flip the table for fun
  8. Realize that you used "venet0" as device name on your sole KVM vps...
 
Top
amuck-landowner