LinuxQuestions.org
Old 01-14-2007, 06:19 PM   #1
resonator
LQ Newbie
 
Registered: Dec 2006
Location: new zealand
Distribution: fedora
Posts: 2

Rep: Reputation: 0
Should I trust lokkit to do a good job?


I'm a noob.

I've just got my Fedora server to act as a gateway for my XP laptop by using lokkit. It works fine but I'm not sure if it's secure or not.

Can someone please tell me if there is some glaring hole, or if I'm just paranoid and should marvel at the extreme holiness of the Linux box?

On the Linux box, eth0 (DHCP) is to my ADSL, eth1 (192.168.0.1) is to the XP laptop (192.168.0.2).

During lokkit I chose to trust and masquerade eth1 for the gateway.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT

Any help would be much appreciated.
Cheers
 
Old 01-15-2007, 10:23 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Frankly it's better than no firewall, but it certainly could be more secure in my opinion.

A better way to start out is to tell us what services/ports you need. Do they need to be accessible to the firewall box, LAN, or both? What do you need ports 50 and 51 for? A VPN? What about the CUPS/IPP port (631)? Is there a printer attached directly to the firewall box? Is it acting as a print server?

BTW, welcome to LinuxQuestions.

Last edited by Capt_Caveman; 01-18-2007 at 08:05 PM.
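
One way to work through the questions in the reply above is to list which ACCEPT rules in the posted chain are not tied to the loopback or LAN interface, since those are the ones reachable from the ADSL side. This is an added example, not part of the original thread; the helper names parse_rule and exposed are hypothetical, and treating lo and eth1 as trusted is an assumption taken from the first post.

```python
import shlex

# RH-Firewall-1-INPUT rules copied from the first post (filter table only).
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one '-A chain ...' line into {option: value}; bare flags map to True.
    Assumption: no '!' negations, which is true for the rules above."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_val else True
        i += 2 if has_val else 1
    return opts

def exposed(rules_text, chain, trusted=("lo", "eth1")):
    """Return (protocol, dport) for ACCEPT rules in `chain` that admit NEW
    traffic arriving on any interface outside `trusted`."""
    out = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r.get("-A") != chain or r.get("-j") != "ACCEPT":
            continue
        if r.get("-i") in trusted:
            continue  # only matches loopback or the LAN side
        states = set(str(r.get("--state", "NEW")).split(","))
        if "NEW" not in states:
            continue  # only replies to connections that already exist
        out.append((r.get("-p", "all"), r.get("--dport", "any")))
    return out

if __name__ == "__main__":
    # In the posted file FORWARD also jumps to this chain, so the same
    # list applies to packets routed through the box, not just to the box.
    for proto, dport in exposed(RULES, "RH-Firewall-1-INPUT"):
        print(f"accepted from untrusted side: proto={proto} dport={dport}")
```

Each line of output is a candidate to tighten or drop once it is clear which services are actually needed and from which side.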
 
  

