Configuring A Linux Router/firewall
			Nov 10, 2008
I run a small datacenter, and we are migrating from Cisco to Linux based routers.
These routers should run a firewall, DDoS mitigation rules, CBQ bandwidth limitation, etc.
I know how to mitigate DDoS using tcpdump, and I also know how to route.
I just need some advice about the firewall, stopping basic DDoS, fragmented packets, etc.
Should I use the APF firewall in this case? Is there a good iptables set of rules I could use?
I'm giving up on Ciscos, as I just discovered there are some UDP packets that can easily break them. I tested it last night, and that was it, nothing secure. A little traffic (bogus UDP packets) and the router was down for a few minutes.
	
	View 5 Replies
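Added example, not from the thread or from APF: a shell function that emits an iptables-restore ruleset covering the points the post asks about on a Linux edge box. It drops non-first fragments and conntrack INVALID packets, sends TCP through a BOGUS chain that rejects flag combinations no real stack sends, caps half-open connections and SYN rate per source, and rate-limits unsolicited UDP. The WAN interface name and the exposed TCP port list are assumed parameters; the numeric limits are starting points to tune against your own traffic, not measured values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Linux edge router.
# Assumed inputs (not from the post): WAN interface name and the TCP ports to
# expose. Rate and connection limits are starting points to tune per link.

edge_ruleset() {
    wan="$1"             # e.g. eth0
    tcp_ports="$2"       # comma list for multiport, e.g. 22,80,443
    case "$tcp_ports" in
        ''|*[!0-9,]*) echo "bad port list: $tcp_ports" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BOGUS - [0:0]
# Non-first fragments carry no L4 header, so no later rule can classify them.
# With nf_conntrack loaded the kernel reassembles before this table, so this
# mainly matters on paths that bypass conntrack (raw/NOTRACK); it is cheap.
-A INPUT -i $wan -f -j DROP
-A FORWARD -i $wan -f -j DROP
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify: bad checksum, out of window, no state
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# TCP flag combinations that no legitimate stack sends
-A BOGUS -p tcp --tcp-flags ALL NONE -j DROP
-A BOGUS -p tcp --tcp-flags ALL ALL -j DROP
-A BOGUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A BOGUS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A BOGUS -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A BOGUS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A BOGUS -j RETURN
-A INPUT -i $wan -p tcp -j BOGUS
-A FORWARD -i $wan -p tcp -j BOGUS
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN flood: cap half-open connections per source, then per-source SYN rate
-A INPUT -i $wan -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP
-A INPUT -i $wan -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-above 30/second --hashlimit-burst 60 -j DROP
-A INPUT -i $wan -p tcp -m multiport --dports $tcp_ports -m conntrack --ctstate NEW -j ACCEPT
# ICMP needed for PMTU discovery; echo requests rate limited
-A INPUT -i $wan -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i $wan -p icmp -m icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
# Unsolicited UDP above a per-source rate is dropped outright.
# Add UDP service accepts (DNS, NTP) below this line; anything left hits the DROP policy.
-A INPUT -i $wan -p udp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name udp --hashlimit-mode srcip --hashlimit-above 100/second -j DROP
COMMIT
EOF
}
```

Usage: `edge_ruleset eth0 22,80,443 > rules.v4 && iptables-restore --test < rules.v4 && iptables-restore < rules.v4`. The `--test` pass catches a missing match module (connlimit and hashlimit are separate modules) before anything is loaded, and loading with iptables-restore swaps the whole table atomically instead of leaving a half-applied rule list while a flood is in progress.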
  
    
        Feb 22, 2008
        I have seen these 2 OSes that should work as a router/firewall, but are they worth anything?
	View 14 Replies
        Oct 31, 2007
        I am about to design my company network.
The network will be designed like this: we have 3 providers of IP transit; one will be the main network while the two others will feed the first network and manage a highly available network, probably using protocols like BGP4 and OSPF.
The current size of each fiber is 45 Mbit/s per operator. So I am looking for:
A router:
- able to handle each provider with up to 200 Mbit/s in/output
- able to support protocols such as BGP4 or OSPF
- able to output SNMP for monitoring
- has a little intuitive GUI for basic operations and a real routing OS (like IOS or JunOS)
- is branded and warranted (a plus would be hardware extensible)
- not too big a box, something between 1 and 6U
A firewall:
- able to handle ALL the traffic to all carriers
- able to work as a SPF (drop all, allow only what I want, very accurate rules)
- has a little intuitive GUI for basic operations
- not too big a box, something between 1 and 6U
About brand, most probably Cisco, Juniper, Extreme or some other good brand.
Which model would you advise me as router and which as firewall? The price is not the main preoccupation as long as it does the job just fine, but I would also prefer not to buy something too expensive.
	View 5 Replies
        Jan 30, 2008
        We had 2 Xen servers in a colohouse, each with 30 IPs so far.
Now we are going to purchase a third server and started to think about renting a small rack and putting our own firewall in front of the servers.
Actual bandwidth is 5 Mbit/s for both servers together.
We are thinking about having something like this:
Colohouse-->Firewall<-->switch<--->Xen server(s)
With this scenario we would like to add:
1) traffic monitoring per IP
2) traffic shaping per IP
3) firewalling the whole segment of our public IPs
   FW will get a single IP and the range of public IPs routed to that IP
4) be able to put one public IP for a VPS on to any Xen server
What firewall and switch would you recommend for this scenario?
	View 0 Replies
        Mar 23, 2009
        I'm running a Win2003 dedicated server with IIS and Plesk v9. While trying to configure my FTP ports I found out that my host has a basic (free) hardware firewall on my main/shared IP with ports 2000-2015 reserved for passive FTP connections. I asked them if they could change the ports to match the default ones, but to customize hardware firewall settings I'm required to upgrade to a paid solution.
I again tried to approach the problem by trying to get IIS to conform to the host's ports. However, after some research I found that the default MSFTP range is 1025-5000 while custom values have to be between 5001-65535. My host recommends I upgrade to a personal hardware firewall or make do with a software firewall. Other than dropping the firewall, is there nothing I can do here?
I've thought of serving FTP on a dedicated IP (which would be exempted from the hardware firewall) but when I tried to set it up I got a directory permission error during connection attempts. I may be mistaken, but this appears to be an issue with Plesk not liking to serve a website's HTTP and FTP on separate IPs. Is solving this problem my best bet?
	View 3 Replies
        May 22, 2008
        I would like to thank in advance to anyone who shares his knowledge or experience here.  
I am trying to find a firewall with some routing capability. Since I expect to have Gbps transfer in the near future, I don't think I can find a solid commercial hardware firewall within my low budget. That's why I am looking at software products. 
I would need firewall functions(ability to prevent DDoS attacks is desirable) and basic routing functions (dynamic routing and BGP is desirable but not necessary at the moment).
Stage 1 environment:
20Mbps from provider P;
100Mbps from provider C;
35 servers for budget dedicated, mainly web servers;
*I have a question in mind: can I have my network set up so that incoming traffic arrives from both provider P and C but outgoing traffic leaves through C only? Is static routing able to do that?
Expected stage 2 environment:
40 ~ 60Mbps from provider P;
100 ~ 200 Mbps from provider C;
70 ~150 servers, mainly web servers;
Currently I am looking at Vyatta, Untangle and Endian. Can someone give some comments on these software or any others that might be suitable for me?
	View 14 Replies
        May 13, 2008
        I've been using dedicated hosting in places like the planet and rackspace for a long time now, but we're about to purchase a rack in a local data facility. This is my first time setting up a rack environment, so I have a bunch of questions. 
They'll be giving me an ethernet drop into the cabinet. I have to take it from there. I'm thinking I need a router/firewall. Am I right? Can those be a single device? Should they be? Which models would you recommend? (We're still a small operation, we don't usually push more than 1Mbps bandwidth).
	View 9 Replies
        May 3, 2008
        I am in the process of gathering the pieces to move from a dedicated box to my own hardware in a local colo and am undecided how best to choose the edge device.
The colo has a 30Mb pipe with about 10Mb of it being constantly used during biz hours. Another 10Mb is being allocated in the next couple of months. I want to be able to burst to the full 30Mb when needed.
I am getting 12 IPs allocated but will increase to 24 soon if all goes well (fingers crossed!).
I will have for starters just a single Proliant running dnp on 2008 with IIS, FTP, Mail, ns1 and a 2003 VM running my secondary ns.
What I am unsure of is the edge device, and I am looking for others that have used either a 2800 series router or an ASA5500 series firewall in a similar fashion. I know what the raw throughput of each device is, but raw benchmarks are not real-world numbers by any means.
I am looking at the 2801 with IOS Firewall turned on and hopefully even some inspects for FTP and HTTP traffic. The other option, and one that I am less familiar with, is to use the ASA5505 instead, which will do my basic routing but supposedly provide more thorough inspects and advanced rules.
Does anyone have experience with either of these in a hosting environment and have input on the realistic throughput one can expect from either device?
There is a significant cost difference, with the ASA5505 being much cheaper, but I am more familiar with IOS. Would anyone recommend a 1841 router instead?
	View 6 Replies
        Jun 29, 2008
        I got one fully managed IP range from my ISP, around 256 IPs, to use on my networks. Basically I want to set up a gateway and segment the 256 IPs into two parts, each part with 128 IPs. Details below:
1. nameservers 123.123.123.2 and 123.123.123.3
2. first part: gateway 123.123.123.4 and IPs used from 123.123.123.5-123.123.123.128
3. second part: gateway 123.123.123.129 and IPs used from 123.123.123.130-123.123.123.255
What am I using?
CentOS 5.2 with vconfig installed
What did I do?
1. I added the name servers 123.123.123.2 and 123.123.123.3 to /etc/resolv.conf
2. I added the gateways 123.123.123.4 and 123.123.123.129 to /etc/sysconfig/network and added the line "VLAN=yes"
3. I edited eth1 with the following settings
#Realtek
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=123.123.123.1
GATEWAY=
NETMASK=255.255.255.0
TYPE=Ethernet
4. I added eth1.2
DEVICE=eth1.2
BOOTPROTO=none
ONBOOT=yes
IPADDR=123.123.123.5
GATEWAY=123.123.123.4
NETMASK=255.255.255.0
TYPE=Ethernet
VLAN=yes
5. I added eth1.3
DEVICE=eth1.3
BOOTPROTO=none
ONBOOT=yes
IPADDR=123.123.123.130
GATEWAY=123.123.123.129
NETMASK=255.255.255.0
TYPE=Ethernet
VLAN=yes
Then I restarted the network,
however the configuration fails to work.
	View 3 Replies
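Added example, not from the post: the same split done with iproute2 (vconfig is the older front end for the same 802.1Q sub-interfaces), so the layout can be tried live before writing ifcfg files. The assumptions differ from the post's numbering and are mine: the upstream delivers each half as its own VLAN (IDs 2 and 3), each half is its own /25 subnet with the Linux box as its gateway at the first address (.1 and .129), and the upstream link is on a separate interface that is not shown. The check in split_24 refuses two addresses that land in the same /25, because two sub-interfaces sharing one subnet (which is what three /24 masks on eth1, eth1.2 and eth1.3 amount to) cannot route between halves.

```shell
#!/bin/sh
# Added example: split a /24 into two /25 subnets on two 802.1Q sub-interfaces
# with iproute2. Assumptions (not from the post): the upstream hands each half
# over as its own VLAN, each half is a separate /25, the box is the gateway in
# each half, and the upstream interface is configured elsewhere.
# DRY_RUN=1 prints the commands instead of running them.

ipcmd() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "ip $*"; else ip "$@"; fi; }

# Network address of the /25 that contains $1 (a.b.c.0 or a.b.c.128)
net25() {
    addr="$1"
    last="${addr##*.}"; base="${addr%.*}"
    if [ "$last" -ge 128 ]; then echo "$base.128"; else echo "$base.0"; fi
}

# Create one tagged sub-interface and give it this half's gateway address
vlan_half() {
    parent="$1"; vid="$2"; addr="$3"
    ipcmd link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    ipcmd addr add "$addr/25" dev "$parent.$vid"
    ipcmd link set "$parent.$vid" up
}

split_24() {
    parent="$1"; vid_a="$2"; addr_a="$3"; vid_b="$4"; addr_b="$5"
    if [ "$(net25 "$addr_a")" = "$(net25 "$addr_b")" ]; then
        echo "both addresses fall in $(net25 "$addr_a")/25: use one address per half" >&2
        return 1
    fi
    vlan_half "$parent" "$vid_a" "$addr_a"
    vlan_half "$parent" "$vid_b" "$addr_b"
    # The box forwards between the halves and towards the upstream
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Example call: split_24 eth1 2 123.123.123.1 3 123.123.123.129
```

Hosts in the first half then use 123.123.123.1 as their gateway with mask 255.255.255.128, hosts in the second half use 123.123.123.129 with the same mask. Once the live test works, the equivalent ifcfg-eth1.2 and ifcfg-eth1.3 files need NETMASK=255.255.255.128, and the parent eth1 carries no address of its own.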
        Nov 17, 2008
        I'm thinking about adding a linux based router to my cabinet. I have 8 computers so I'm not looking for anything that's tricky. In fact some of this is just for my own education as to what routers can do.
The biggest feature that's important to me is ease of use. I want something that I can configure from a web based menu. So what linux based router software is the easiest to use and most educational?
Also - I'm dealing with about 30mb 95th percentile traffic. Peak is 100mb. Would a box that has an AMD dual core CPU with 8 gigs of ram be a good enough computer to run on?
	View 12 Replies
        Aug 10, 2008
        I am setting up CentOS linux on a 1U server for colo, a CentOS basic install without graphic interface, just the compilers package and the basic stuff will be installed.
However, before I rack this server up I need to do some things to make it work. I already know that I have to disable IPtables (or clear the firewall rules).
Do you usually have a list of things to do before you colo a linux server? Please share, as I will have to go through it.
	View 3 Replies
        Jul 6, 2013
        PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
11.5.30 Update #2, CentOS 6.4 (Final) x64
PROBLEM DESCRIPTION
Site isolation settings don’t have any effect.
STEPS TO REPRODUCE
Configure the following in site_isolation_settings.ini:
php = on
php_handler_type = fastcgi
Create a service plan without the permission for "Setup of potentially insecure web scripting options that override provider's policy". Create a customer with subscription and assign the service plan.
ACTUAL RESULT
The customer is able to switch between “CGI-Application”, FastCGI-Application and “Apache-Module”.
EXPECTED RESULT 
Customer should not have the permissions to switch the "PHP support"...
	View 3 Replies
        Jan 2, 2008
        I just leased a Godaddy linux dedicated server with a Cisco PIX 501 firewall. Control panel is Plesk 8. Preconfigured with Fedora 7, mysql, php, etc.
I've tried to configure multiple domains but am having problems.
I currently have several websites each running on their own Godaddy shared hosting account. I am trying to migrate all of these websites onto the dedicated server.
My plan is as follows:
Configure the firewall
Configure the server (add IPs)
Configure the domains from within Plesk (add client, domains, dns). But DO NOT change the name servers on the domain. I need to test the websites first.
Copy the webpages, content from the shared hosting accounts to the server.
Test the websites on the server. I am hoping that I can access the websites on the server using ip addresses, since I figure I won't be able to use the domain names without first changing the name server entries on the domains.
Once testing is completed, change the name servers on the domains so they point to the server.
Please assume the following:
Dedicated Server IP: 72.169.55.183
Firewall IP: 72.169.55.184
domain 1 = mydomain1.com
domain 2 = mydomain2.com
domain 3 = mydomain3.com
What I have done:
Configured the firewall interface (outside = 72.169.55.184/24, inside = 10.0.0.254/24)
Configured the firewall IP translation rules (outside = 72.169.55.183, inside = 10.0.0.1)
Configured server (added 3 IPs - 10.0.0.1 [exclusive], 10.0.0.2 [exclusive], 10.0.0.3 [exclusive]). I figure I need a unique ip for each domain?
Created a client called MyDomains. All domains are created under this client.
Created domain mydomain1 (assigned ip 10.0.0.1 [exclusive]). Added services ftp, ssi, php, cgi, etc. DNS 'A' records all set to firewall ip 72.169.55.184
Created domain mydomain2 (assigned ip 10.0.0.2 [exclusive]). Added services ftp, ssi, php, cgi, etc.  DNS 'A' records all set to firewall ip 72.169.55.184
Created domain mydomain3 (assigned ip 10.0.0.3 [exclusive]). Added services ftp, ssi, php, cgi, etc.  DNS 'A' records all set to firewall ip 72.169.55.184
I might be close, or I might be so far off that my inexperience shows.
Is the above correct? Do I need a unique "inside" ip address (10.0.0.1, 10.0.0.2, 10.0.0.3) for each domain/website? Do I need to add translation rules to the firewall for 10.0.0.2, 10.0.0.3?
How do I test each domain on the server without changing the name server entries on the domain? I have one firewall ip address 72.169.55.184 but 3 different domains. How can I test mydomain1.com, mydomain2.com, mydomain3.com?
If anyone can tell me if I have this correct, or what I have to do to get this correct, I'd be immensely appreciative. Just as important is knowing how I can test each domain before I go live with it.
	View 0 Replies
        Aug 1, 2014
        I have set up bind in CentOS 6.5 and then edited /etc/named.conf and added the lines the extension produced, but I am getting the following error when restarting the bind service:
Error in named configuration:
/etc/named.conf:2: unknown option '...'
/etc/named.conf:14: unknown option '*'
/etc/named.conf:21: 'options' redefined near 'options'
The following code suggested by plesk slave dns manager extension
Code:
   
    options {
        ...
        allow-new-zones yes;
    };    
    key "rndc-key-mainserver ip" {
      
[Code] .....
After I removed the ... from the options block, I now get the following error:
/etc/named.conf:51: unknown key 'rndc-key'
	View 1 Replies
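Added example, not from the post or from the Plesk extension: the three errors above are what named prints when a template is pasted in literally. The `...` on line 2 and the `*` on line 14 are placeholders, not configuration, and a second `options {` block is rejected because named.conf allows exactly one. The shell functions below merge a single directive into the existing options block instead of adding a block, stay idempotent on a second run, and flag leftover placeholder lines and duplicate options blocks. They assume the usual layout with `options {` on a line of its own.

```shell
#!/bin/sh
# Added example: merge a directive into the existing named.conf options block
# rather than pasting a second block, plus two checks for template leftovers.
# Assumes "options {" opens the block on its own line (standard layout).

ensure_option() {
    conf="$1"; directive="$2"      # e.g. 'allow-new-zones yes;'
    if grep -q -F "$directive" "$conf"; then
        return 0                   # already present: idempotent
    fi
    tmp="$conf.tmp.$$"
    awk -v d="$directive" '
        /^[[:space:]]*options[[:space:]]*[{]/ && !done { print; print "\t" d; done = 1; next }
        { print }
        END { if (!done) exit 2 }   # no options block to merge into
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}

# named accepts exactly one options block; anything above 1 is a paste error
count_options_blocks() {
    grep -c -E '^[[:space:]]*options[[:space:]]*[{]' "$1"
}

# Lines that still hold a literal "..." from a template
placeholder_lines() {
    grep -n -E '^[[:space:]]*\.\.\.[[:space:]]*$' "$1"
}
```

Run `named-checkconf /etc/named.conf` after the merge; it reports the same parse errors as the service restart without taking the resolver down. The final error, `unknown key 'rndc-key'`, is consistent with the key being defined under the template's placeholder name while a later statement references the plain name: the name in `key "..." { }` and the name used wherever it is referenced (server, controls, allow-transfer) must match exactly.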
        Jul 10, 2008
        I have 3 web servers that I need behind a firewall. Right now they're directly connected to the internet, and have little protection. I'd like to build my own Linux router and have done some research but not sure which is the best solution.
 
The main feature I need is the ability to forward ports based on the destination host header.  Most firewall distros only allow you to forward port 80 to one IP address, but I need the router to send to different internal IPs for different sites.
 
I've looked at IPCOP and Smoothwall express and a few others, but the "free" ones don't seem to do this. 
	View 14 Replies
        Feb 17, 2008
        I am setting up a web hosting server in a datacenter.
Websites will be powered by Apache, MySQL and PHP.
I will be using CentOS 5 32 bit.
"APF Software Firewall for Linux" is offered as a free option by the datacenter.
Should I use it?
	View 13 Replies
        Dec 15, 2007
        Hi,
can you please tell me how I can clear the firewall in my linux box?
It's CentOS but I'm not sure what type of firewall is installed on my box.
Hope to get a response soon,
toby
	View 10 Replies
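Added example, not from either post: on CentOS the "firewall" is iptables whatever front end (APF, CSF, the stock /etc/sysconfig/iptables) wrote the rules, and `iptables -S` shows what is loaded regardless. This is the safe order for clearing it, which also applies to the Aug 10 post above about clearing the rules before racking a box: set the default policies to ACCEPT before flushing, because flushing a chain whose policy is DROP removes the rule that admits your own SSH session. The DRY_RUN switch is mine so the plan can be inspected first.

```shell
#!/bin/sh
# Added example: clear every iptables rule without locking yourself out.
# Default policies go to ACCEPT first: flushing while a chain's policy is
# DROP removes the rule that admits your SSH session. DRY_RUN=1 prints
# the commands instead of running them.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

flush_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" ACCEPT
    done
    # filter is the default table; nat, mangle and raw hold NAT, marks and NOTRACK rules
    for table in filter nat mangle raw; do
        ipt -t "$table" -F      # flush all rules in the table
        ipt -t "$table" -X      # delete user-defined chains (possible once they are empty)
    done
}

# Print what flush_firewall would run, without touching the kernel
flush_plan() {
    ( DRY_RUN=1; flush_firewall )
}
```

Afterwards `iptables -S` prints only the three `-P ... ACCEPT` lines. The host is then wide open, and on CentOS the saved rules in /etc/sysconfig/iptables return at the next `service iptables start` unless the empty set is written with `service iptables save` or the service is disabled with chkconfig.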
        Apr 7, 2015
        How to activate/enable the firewall by CLI, is this possible?
The firewall module is installed.
The option in the Plesk GUI works well.
Is this possible? If yes, how?
	View 2 Replies
        Aug 13, 2008
        I run CentOS 5.2 (Sometimes CentOS 4.6). I have been messing around with IPTables, and cannot find out how to filter zero-length packets. 
I believe I might need an unclean module. I have already done hours of reading and researching, but I have come up with nothing, for I do not think this is that common. 
If anyone could please let me know the commands to use to filter out all zero-length packets, or the unclean module I need to use with IPTables, I would really appreciate it. 
	View 14 Replies
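Added example, not from the post: the match to use is `-m length`, which ships with CentOS 5's iptables; the old `unclean` match was a 2.4-era module and is not available on 2.6 kernels. The catch is that `--length` compares the total IP datagram length, not the payload, so "zero length" has to be expressed as header sizes: 28 bytes for UDP and ICMP (20 IP + 8), 40 for TCP (20 IP + 20 TCP). The functions below build the rules from that table; for TCP they only match PSH segments with no data, because empty ACK, FIN and RST segments are normal traffic and must not be dropped.

```shell
#!/bin/sh
# Added example: build iptables rules that drop datagrams with no payload.
# -m length matches the total IP length, so "zero payload" means the
# IP header (20 bytes without options) plus the transport header.

hdr_len() {
    case "$1" in
        tcp)  echo 40 ;;   # 20 IP + 20 TCP, no options
        udp)  echo 28 ;;   # 20 IP + 8 UDP
        icmp) echo 28 ;;   # 20 IP + 8 ICMP header
        *)    echo "unsupported protocol: $1" >&2; return 1 ;;
    esac
}

zero_payload_rule() {
    proto="$1"; chain="${2:-INPUT}"
    max=$(hdr_len "$proto") || return 1
    case "$proto" in
        # Empty TCP segments are normal (ACK, FIN, RST); only PSH with no data is bogus
        tcp) echo "-A $chain -p tcp --tcp-flags PSH PSH -m length --length 0:$max -j DROP" ;;
        *)   echo "-A $chain -p $proto -m length --length 0:$max -j DROP" ;;
    esac
}

# One rule per protocol in the table, in iptables-restore syntax
zero_payload_rules() {
    chain="${1:-INPUT}"
    for p in udp icmp tcp; do zero_payload_rule "$p" "$chain"; done
}
```

Two caveats a practitioner should keep in mind. IP options enlarge the header (up to 60 bytes), so a zero-payload packet carrying options is longer than these bounds and slips through; the safer direction, since widening the range would start dropping real data. And the rules should sit after the ESTABLISHED,RELATED accept, otherwise the empty ICMP error replies that PMTU discovery depends on are also caught.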
        Jan 15, 2015
        Is it possible to block baidu without specifying the whole list of IPs it's using?
	View 1 Replies
        Dec 17, 2014
        I have had these problems since version 11.5. Now I have installed version 12 on CentOS. FTP works fine and is super fast and speedy until I enable the Plesk Firewall. I also tried to add the passive port range 60000-65534 to the Plesk Firewall rules.
But nothing works.
It takes about 10 times longer to log in + list files + make changes using FTP. We apply changes via FTP and it's very slow. We can use the Plesk file manager, but it's a very inconvenient way for quick file uploads and changes.
	View 1 Replies
        Nov 26, 2013
        I already posted this as a bug report and now wanted to inform other users.
Starting with Plesk 11.5, the file "/opt/psa/var/modules/firewall/firewall-emergency.sh" contains the following line:
Code:
rm -f /opt/psa/var/modules/firewall/active.flag
That line stems from updating
Code:
Preparing to replace psa-firewall 11.0.9-debian6.0.build110120608.16 (using .../psa-firewall_11.5.30-debian6.0.build115130819.13_amd64.deb) ...
Unpacking replacement psa-firewall ...
Now, when you stop the firewall, you cannot start it again, because deleting the active.flag disables the firewall:
Code:
# ll /opt/psa/var/modules/firewall/active.flag
-rw-r--r-- 1 root root 0 2013-11-26 09:22 /opt/psa/var/modules/firewall/active.flag
    
# /etc/init.d/psa-firewall stop
psa-firewall: firewall successfully disabled
    
# ll /opt/psa/var/modules/firewall/active.flag
ls: cannot access /opt/psa/var/modules/firewall/active.flag: No such file or directory
    
# /etc/init.d/psa-firewall start
psa-firewall: service is disabled
You then have to manually "touch" the active.flag to be able to start the firewall again. A workaround is to remove the line:
Code:
sed -i 's:rm -f /opt/psa/var/modules/firewall/active.flag::' /opt/psa/var/modules/firewall/firewall-emergency.sh
I really hope that Parallels fixes this asap, as normally you won't notice that the firewall is not active when everything works fine (nothing is blocked) and Plesk still shows all the rules.
	View 14 Replies
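Added example, not from the post or from Plesk: the sed one-liner above edits the script in place with no backup and no check that it matched. The functions below do the same removal against a copy-safe path, keep a .bak, verify the line is gone, and report the flag state so the panel's rule list can be checked against reality. The paths are parameters (defaulting to the ones in the post) so the change can be rehearsed on a copy of the script first; the file layout of the script beyond that one line is not assumed.

```shell
#!/bin/sh
# Added example: remove the active.flag deletion from firewall-emergency.sh
# with a backup and a verification step, and report what the flag says.
# Paths are parameters so this can be tried on a copy before touching /opt/psa.

strip_flag_removal() {
    script="$1"
    flag_path="${2:-/opt/psa/var/modules/firewall/active.flag}"
    cp -p "$script" "$script.bak" || return 1
    # Match the whole command line exactly so nothing else in the script changes
    grep -v -F -x "rm -f $flag_path" "$script.bak" > "$script"
    if grep -q -F -x "rm -f $flag_path" "$script"; then
        echo "removal failed, original kept in $script.bak" >&2
        return 1
    fi
}

# What the init script will believe on the next start
flag_state() {
    flag="$1"
    if [ -e "$flag" ]; then echo enabled; else echo disabled; fi
}
```

The flag only records intent. After a stop/start cycle, `iptables -S INPUT` listing nothing but the `-P` policy line means no rules are loaded, whatever the panel displays; that is the check to run, because with everything open nothing will fail loudly.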
        May 26, 2015
        I currently have the Web Application Firewall (ModSecurity) installed but would like a visual interface to block IP's, subnets etc.. Can I install the Plesk firewall as well without any conflict with the Web Application Firewall?
	View 3 Replies
        Sep 14, 2014
        I have a brand new and fresh installed server with:
Parallels Plesk v12.0.18
openSUSE 13.1
My problem is, every day I have to click on activate in the settings of the firewall. Otherwise I have no mail. The rest (hosting, etc.) works fine.
No changes in the firewall settings were made, just a migration from my old server.
	View 6 Replies
        May 15, 2014
        Plesk Firewall has no effect on IPv6?
I am writing today regarding the Plesk Firewall. It seemed to be pretty handy for quickly blocking troublesome users from *replace-with-whatever-IP-block-is-giving-you-trouble*. Yet I am unable to block IPv6 addresses, and the firewall seems to let some blocked IPv4s right in. I did not see any distinction as to v4 or v6 in the Firewall dialog for adding custom rules, so...
The question is...
(1) Is the Plesk Firewall *supposed* to apply rules to IPv6 by default?
If yes...
(2) Is there a setting or a switch that has to be configured for this to work?
If yes...
(3) Where are said configuration options located?
Okay, when I run /sbin/ip6tables -L (CentOS) I get output that resembles the iptables (no 6) output, only... what, converted to IP6? Not sure. Example output:
DROP tcp ::ffff:31.0.0.0/104 ::/0 tcp dpts:1:10000
In that particular instance I added a drop for the 31.0.0.0/8 block (using the Plesk Firewall interface), in order to create the script that's loaded into iptables (and ip6tables as well, apparently) when one elects to "Apply Configuration". It worked great, executed perfectly, and the iptables output list output looked to be (and remember, I have grossly insufficient background knowledge in this area) accurate.
Yet at the time of this writing I can see via live traffic monitor that an address in the 31.0.0.0/8 block (IPv4) is pounding away at a website. This is curious, as the live traffic monitor indicates an IPv4 address. So... can an IPv4 address be detected and recorded from a host that is only able to connect via IPv6? While an interesting question, I was more concerned with just blocking the IPv6 address and get more academic with it later. 
But this raises another question; why would Plesk populate ip6tables and not provide an interface to actually submit IPv6 addresses. 
	View 1 Replies
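Added example, not from the post or from Plesk: the `::ffff:31.0.0.0/104` entry is the IPv4-mapped IPv6 form of 31.0.0.0/8 (the prefix length grows by 96 because the mapped address puts the IPv4 bits in the last 32). ip6tables never sees IPv4 packets on the wire, so that entry does nothing for an IPv4 client; only the iptables rule does, and it has to sit before any ACCEPT that would match first. The function below reproduces the conversion, validates its input, and emits the pair of rules inserted at the top of the chain so the v4 rule's hit counter in `iptables -vnL INPUT` is the thing to watch.

```shell
#!/bin/sh
# Added example: convert an IPv4 CIDR to the IPv4-mapped IPv6 prefix that
# ip6tables displays (::ffff:a.b.c.d with prefix length + 96) and emit
# matching DROP rules for both tables. Nothing here calls iptables itself.

# Dotted quad with four octets in 0..255; runs in a subshell so IFS stays local
valid_v4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

v4_to_mapped_v6() {
    cidr="$1"
    ip="${cidr%/*}"
    len="${cidr#*/}"
    if [ "$len" = "$cidr" ]; then len=32; fi    # bare address: host route
    valid_v4 "$ip" || return 1
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    echo "::ffff:$ip/$((len + 96))"
}

# Rules for both stacks, inserted at position 1 so no earlier ACCEPT shadows them
block_both() {
    cidr="$1"; chain="${2:-INPUT}"
    v6=$(v4_to_mapped_v6 "$cidr") || return 1
    echo "iptables -I $chain -s $cidr -j DROP"
    echo "ip6tables -I $chain -s $v6 -j DROP"
}
```

Why an IPv4 source can still be "pounding away" after the rule is applied: either the rule was appended below an ACCEPT that already matches the connection, or an established connection predates the rule (DROP does not tear down conntrack state; `conntrack -D -s 31.0.0.0/8` does). A genuine IPv6 client would show up in the logs as a 2000::/3 address, not as a mapped one.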
        Aug 23, 2014
        When I modify rules using the firewall panel it is not generating rules correctly when selecting allow from selected sources deny from others.
	View 2 Replies
        Oct 25, 2014
        Running plesk 12.018 on OpenSUSE 13.1
What causes the firewall to change / reset itself periodically? I enabled the Plesk firewall, but some time later it reset itself and switched to the openSUSE firewall (a completely different rule set, which blocks most of the ports).
I then disabled the Plesk firewall and loaded my own iptables rule set via the iptables-restore command. However, a few hours later it also got reset to the openSUSE firewall. The standard openSUSE firewall closes most of the ports, so then our email is blocked.
I would like to permanently switch off any plesk handling of the firewall and manage the iptables myself. How to do this?
I also have fail2ban running and defined my own jail.local files.
	View 3 Replies
        Nov 9, 2014
        Applying Plesk firewall changes? I make my change, apply and get to:
Status: Applying in progress. If your browser shows connection error messages, or if this screen does not disappear in more than 30 seconds, go to previous page.
And there things stay. Going back to look at the firewall I can see the change hasn't been applied, and going to apply just results in the same. No error, just no anything. It also took numerous attempts to get firewall modification switched on, although finally at about the eighth attempt changes were enabled. Only now I can't apply them ...
	View 5 Replies
        Jun 26, 2014
        After upgrading to Plesk 12 the FTP connection has become very slow. Mod Security, Fail2Ban and Plesk Firewall have been enabled, the security is set to force sFTP and maximum security, and in /etc/proftpd.d/ a conf file has been added to set the passive ports that have been opened in the Plesk Firewall (60000 to 62000).
Turning off the Mod Security does not solve the slow connection.
What can we do to detect the cause of the problem?
	View 3 Replies
        Oct 3, 2014
        Plesk 12.x
CentOS 6.5
Any method for copying the Firewall (extension) rules from one server to another.
	View 2 Replies
        Oct 24, 2014
        I have enabled modsecurity system and in 1 day the modsec_audit.log file has grown to more than 700Mb. Is there any way to reduce the number of messages that this module logs?
	View 4 Replies
    View Related