Firewall needed?

DennisCitus

I have now restricted SSH access to my own IP, so nobody else can use SSH unless they log in at localhost (in the datacenter).

Is there still any point in installing a firewall? Is there still any point in disabling unused SSH users? Is there still any point in only accepting SSHv2?
 
Hey,

Any layer of additional security you can add is good. The more layers, the better off you are...

Yes, you should use ssh2 and disable/not allow ssh1.

Of course, these are my opinions.

David
 
There's a lot more to a firewall besides ssh blocking.

The days when you could safely run a server on the 'net without a firewall are long since past.

Look at the threads here for the KISS firewall for iptables.

It's easy to set up, and it's a good start.

Jeff
 
DennisCitus said:
Well, I believe it only blocks certain ports and you can make it block IPs?
I don't know what you mean by "it".

Do you mean iptables? Do you mean KISS?

Do you mean something else?

iptables is an immensely powerful firewall in and of itself; see the website here.

DennisCitus said:
What more can a software firewall do?
Here are some of the things it can do, quoted from their website:
Main Features
* stateless packet filtering (IPv4 and IPv6)
* stateful packet filtering (IPv4)
* all kinds of network address and port translation (NAT/NAPT)
* flexible and extensible infrastructure
* multiple layers of APIs for 3rd party extensions
* large number of plugins/modules kept in 'patch-o-matic' repository

What can I do with netfilter/iptables?
* build internet firewalls based on stateless and stateful packet filtering
* use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
* use NAT to implement transparent proxies
* aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
* do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
See the article "The Hidden Treasures of iptables", from Linux Journal magazine, April 2004, Page 24, available online here.

KISS is a rather simple interface to iptables, which is generally powerful enough for most webhosters.

Jeff
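To make the two answers above concrete, here is an added example; it is not code from the thread, from KISS, or from the netfilter project. It renders the two artifacts the original poster asked about: an sshd_config fragment that allows only protocol 2, key-based login for one user from one address, and no root login; and a stateful iptables ruleset in iptables-restore format with a default DROP policy that admits SSH only from that address (the "firewall does more than block ports" point: established/related tracking, INVALID drops, ICMP rate limiting). The admin address 203.0.113.5 (a documentation range), the user name "admin" and the public ports 80/443 are assumptions for the example. A small checker flags a weak config (protocol 1 enabled, root or password login permitted) next to the hardened one. Note that current OpenSSH releases no longer support protocol 1 at all, so the Protocol line is a no-op there and only matters on the 2004-era servers this thread is about.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: admin host 203.0.113.5,
# admin user "admin", public services on tcp/80 and tcp/443.

# Hardened sshd_config fragment: only SSHv2, only one user from one address,
# no root login, no passwords (keys only).
sshd_hardening() {
    admin_ip="$1"
    cat <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@$admin_ip
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Constructed weak config, for contrast: SSHv1 still offered, root and
# password logins allowed. Not taken from any real host.
weak_config() {
    cat <<EOF
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Return 0 when the file has none of the weak settings above, 1 otherwise.
check_sshd_config() {
    if grep -Eiq '^[[:space:]]*Protocol[[:space:]]+.*1' "$1"; then return 1; fi
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"; then return 1; fi
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$1"; then return 1; fi
    return 0
}

# Stateful ruleset in iptables-restore format. Default DROP on INPUT, so any
# service that is not listed is unreachable regardless of what sshd does.
firewall_rules() {
    admin_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# stateful filtering: replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that do not belong to any tracked connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin address (layered on top of AllowUsers in sshd)
-A INPUT -p tcp -s $admin_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# public services
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# answer pings, but rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: "sh thisfile.sh show" prints both artifacts for review.
# Apply the ruleset with:  firewall_rules 203.0.113.5 | iptables-restore  (as root)
if [ "${1:-}" = "show" ]; then
    sshd_hardening 203.0.113.5
    firewall_rules 203.0.113.5
fi
```

Review the rendered ruleset before loading it, and keep a console or out-of-band session open the first time: with a default DROP policy a typo in the admin address locks you out of SSH entirely, which is exactly what the rule is for.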
 