Installing a firewall on a seedbox?



Unstable1
01-26-2008, 12:07 AM
Hi

I've just got a LeaseWeb seedbox, running Debian Linux.

I've configured X, Gnome, VNC, Java, and Azureus, and everything is working great - the speeds are out of this world.

The only remaining thing I think I need to do is install a firewall, but I'm not sure how to do this.

I have installed Firestarter but not actually started the firewall, because I am worried that as soon as I start the firewall, it will block my ssh and/or vnc connection to the server, effectively blocking my access to the seedbox.

So, can anyone offer advice on how to firewall a seedbox, remotely, please?

Thanks

naq
01-26-2008, 12:32 AM
Is a firewall really needed on linux? Here's an article about it:
http://www.pcworld.com/article/id,126240-page,1/article.html

iptables already blocks all unwanted connections, I believe. On my server, I just change the default port for ssh & ftp to prevent the bots.

Unstable1
01-26-2008, 01:07 AM
iptables, by default, doesn't block anything.

Here's my iptables (on Debian):

OAA001:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


everything is set to "ACCEPT"

Here's my iptables on my Ubuntu system, with the settings configured with the Firestarter firewall:

oscar@lappy:~$ sudo iptables -L
[sudo] password for oscar:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.1.1 anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP 0 -- anywhere 255.255.255.255
DROP 0 -- anywhere 255.255.255.255
DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
INBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.4 192.168.1.1 tcp dpt:domain
ACCEPT udp -- 192.168.1.4 192.168.1.1 udp dpt:domain
ACCEPT 0 -- anywhere anywhere
DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
OUTBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:20000
ACCEPT udp -- anywhere anywhere udp dpt:20000
LSI 0 -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP 0 -- anywhere anywhere

Chain LSO (0 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere

naq
01-26-2008, 03:56 AM
You're right, iptables by default doesn't filter anything. I'm just talking out of my ass... I guess what I really meant was all connections to your server will be dropped except to the open ports. A seedbox has only one purpose, so I don't think it needs the security of a firewall, which is really the role of a router for a private network. I think just keeping the software updated and monitoring your network services is enough.

Artemis
01-26-2008, 07:53 AM
The server is sitting in a datacenter; they really wouldn't be much of a provider if the datacenter wasn't protected by a hardware firewall/routing system now, would they? There is no need to firewall the server.

Unstable1
01-26-2008, 11:31 AM
The server is sitting in a datacenter; they really wouldn't be much of a provider if the datacenter wasn't protected by a hardware firewall/routing system now, would they? There is no need to firewall the server.

Wow! So servers based in datacentres never get hacked??!! LOL, you're having a laugh.

Before I installed the firewall all the ports were open; now I've installed the firewall, all the ports are closed.

Artemis
01-26-2008, 11:48 AM
There has to be a reason to hack the server in the first place; a seedbox isn't exactly the holy grail for a hacker. Although the ports are open, the very fact of what the server does makes it less of a target.

yayyyyyy
01-26-2008, 12:46 PM
On Linux boxes I use these:
http://rfxnetworks.com/apf.php

In the config you will see the "dev mode"... that flushes iptables 5 mins after the restart... so you can mess with it with no worries ;)

And if you are running ftp and ssh on the standard ports... you will find BFD very useful too when mixed with APF ;)
http://rfxnetworks.com/bfd.php
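The original question was how to put iptables rules on a remote box without cutting off your own ssh session, and the APF "dev mode" just mentioned is the usual answer: apply the rules with a timer that rolls them back unless you confirm from a fresh login. The script below is an added example written for this thread, not code from APF, Firestarter or any poster; the ports (ssh 22, VNC 5900, Azureus 20000), the guard delay and the pid-file path are assumptions you would change to match your box.

```shell
#!/bin/sh
# Added example, not from the thread or from APF: apply a minimal seedbox
# INPUT ruleset with a lock-out guard. Ports are assumptions: SSH 22,
# VNC 5900, Azureus 20000 (the port the thread's Firestarter rules open).
SSH_PORT="${SSH_PORT:-22}"
VNC_PORT="${VNC_PORT:-5900}"      # better left closed and tunnelled over ssh -L
AZUREUS_PORT="${AZUREUS_PORT:-20000}"
GUARD_SECS="${GUARD_SECS:-300}"   # auto-rollback delay, like APF dev mode

# Print the ruleset as iptables commands; nothing is applied here.
# Order matters: policy stays ACCEPT while rules load, the existing ssh
# session is kept alive by the ESTABLISHED rule, and DROP is set last.
build_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $VNC_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $AZUREUS_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $AZUREUS_PORT -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
iptables -P INPUT DROP
EOF
}

# Number of rules that open a port, for a sanity check before applying.
count_port_rules() {
    build_rules | grep -c -e '--dport'
}

# Apply as root, then start a timer that reverts INPUT to ACCEPT unless
# confirm_rules is run from a fresh ssh login within GUARD_SECS.
apply_rules() {
    build_rules | sh -e
    ( sleep "$GUARD_SECS" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    echo $! > /tmp/fw-guard.pid
}

confirm_rules() {
    kill "$(cat /tmp/fw-guard.pid)" && rm -f /tmp/fw-guard.pid
}

case "${1:-}" in
    show) build_rules ;; apply) apply_rules ;; confirm) confirm_rules ;;
esac
```

Run `sh fw.sh show` first to read the rules, `sh fw.sh apply` as root, then open a second ssh session and run `sh fw.sh confirm`; if that second login fails, the guard restores ACCEPT on its own after five minutes.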