[afnog] https through NAT

Frank Habicht geier at geier.ne.tz
Thu Oct 11 07:23:33 UTC 2012


Hi Abel,

On 10/11/2012 9:42 AM, Stephane Bortzmeyer wrote:
> On Wed, Oct 10, 2012 at 04:18:27PM +0000,
>  abel ELITCHA <kmw.elitcha at gmail.com> wrote 
>  a message of 101 lines which said:
> 
>> i've only authorized tcp port 443 by the past
> 
> It should be sufficient for HTTPS. Like Scott Weeks, I suggest that
> you investigate deeper.

I would suggest you allow all the things you know you need to allow,
including everything necessary for other devices protected by (behind) this
firewall,
and all the services necessary for this server: icmp, tcp:80, tcp:443,
tcp/udp:53 going to its DNS resolvers... etc.

Then log anything else that's still happening,
and then, depending on your policy, either block or allow the unknown traffic.

And then look at the logs; you will very soon see what else is happening.
Look at both directions: from outside to your server and from your server
to outside.

And then find out, for the traffic you see, whether it's useful traffic
(then allow it before the logging rule) or useless or bad traffic (then
block it before the logging rule).
This way your logs should reduce soon.
And then you look at the logs again...
and when "unknown" traffic is reduced very much, you should definitely
block all that.

But hey, I'm not a firewall guy....

Frank
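The "allow what you know, log the rest, then refine" approach described above, as an added example that is not part of the original post. It assumes a Linux firewall using iptables in front of the server; the addresses, interface names and log prefixes are constructed, and the NAT (DNAT) rules themselves are not shown.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Generates iptables FORWARD
# rules for one server behind the firewall: known services are allowed,
# everything else is logged, and the unknown remainder is handled by policy.
set -eu

# Constructed values: replace with your own.
SERVER=192.0.2.10                        # the HTTPS server (inside, NAT side)
RESOLVERS="198.51.100.53 198.51.100.54"  # its DNS resolvers (outside)
WAN=eth0                                 # outside interface
LAN=eth1                                 # inside interface
UNKNOWN_POLICY=${UNKNOWN_POLICY:-DROP}   # per the post: block or allow what is still unknown

# Emits the rules rather than applying them, so they can be reviewed first.
# Run with APPLY=1 (as root) to install them.
gen_rules() {
    r() { printf 'iptables %s\n' "$*"; }
    r -F FORWARD
    r -P FORWARD DROP
    # Replies and related packets of conversations already allowed, both directions.
    r -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound to the server: icmp, tcp:80, tcp:443.
    r -A FORWARD -i "$WAN" -o "$LAN" -d "$SERVER" -p icmp -j ACCEPT
    for port in 80 443; do
        r -A FORWARD -i "$WAN" -o "$LAN" -d "$SERVER" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Outbound from the server: tcp/udp:53, but only to its own resolvers.
    for ns in $RESOLVERS; do
        for proto in udp tcp; do
            r -A FORWARD -i "$LAN" -o "$WAN" -s "$SERVER" -d "$ns" -p "$proto" --dport 53 -j ACCEPT
        done
    done
    # Anything still unmatched is logged, one prefix per direction so the two
    # directions can be reviewed separately; rate-limited so a flood cannot fill the log.
    # As you review, insert ACCEPT or DROP rules *above* these two lines.
    r -A FORWARD -i "$WAN" -o "$LAN" -d "$SERVER" -m limit --limit 10/min -j LOG --log-prefix '"FW-UNKNOWN-IN: "'
    r -A FORWARD -i "$LAN" -o "$WAN" -s "$SERVER" -m limit --limit 10/min -j LOG --log-prefix '"FW-UNKNOWN-OUT: "'
    # Final decision for the unknown traffic, per policy.
    r -A FORWARD -j "$UNKNOWN_POLICY"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Review the log with `grep FW-UNKNOWN /var/log/kern.log` (path varies by distribution); once the unknown traffic is down to nothing useful, leave UNKNOWN_POLICY at DROP.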
