APF Firewall Settings

Firewall Settings Question. I searched the forums and could not find a comprehensive list of best settings (although some posts mentioned one or two). I am balancing performance and security on a VPS box with 256K RAM. Other sites list best APF settings for other control panels (cPanel, Plesk, etc.) but none I could find for Interworx. Here is where I am now; can I close more ports safely? Can changing the settings increase performance? Your input is respected (yeah, I sound like tech support, don’t I?).

Default Type of Service: [?] Max Throughput
TCP Drop Policy: [?] Drop
UDP Drop Policy: [?] Drop
Block Multicasting: [?] On
Block Private Networks: [?] Off
Max Sessions: [?] 450
Sysctl TCP: [?] On

Port Access [?]
Service       Port   TCP In  TCP Out  UDP In  UDP Out
ftp-data        20     X       X        O       O
ftp             21     O       X        O       O
ssh             22     O       O        X       X
smtp            25     O       O        X       X
domain          53     X       X        O       O
http            80     O       O        X       X
pop3           110     O       O        X       X
ntp            123     X       X        O       O
imap           143     O       X        X       X
https          443     O       O        X       X
rsync          873     X       X        O       O
imaps          993     O       X        X       X
pop3s          995     O       O        X       X
iworx-cp      2080     O       O        X       X
iworx-cp-ssl  2443     O       O        X       X
mysql         3306     X       X        X       X
Virtuozzo     4643     O       O        X       X

X = closed / O = open

I don't have a static IP, so I cannot close SSH (my ISP requires that I pay three times as much per month for a static IP). I would like to find a workaround, though, if anyone knows one.

Van

PS: I have been using Interworx now for 3 weeks and I have to say I have been quite impressed. cPanel had gotten quite bloated and confusing for new users. I hope to be an Interworx guy for a long time.
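One way to answer "can I close more ports safely?" is to compare the inbound-open ports in the table above with what the box is actually listening on. The script below is an added example, not code from the thread or from Interworx/APF; the port table is the one posted above, and the `ss -lntu` listing is a constructed sample (an assumption, to be replaced with the real listing from the box).

```python
# Port table as posted (X = closed, O = open); columns: TCPIn TCPOut UDPIn UDPOut
PORT_TABLE = """ftp-data 20 X X O O
ftp 21 O X O O
ssh 22 O O X X
smtp 25 O O X X
domain 53 X X O O
http 80 O O X X
pop3 110 O O X X
ntp 123 X X O O
imap 143 O X X X
https 443 O O X X
rsync 873 X X O O
imaps 993 O X X X
pop3s 995 O O X X
iworx-cp 2080 O O X X
iworx-cp-ssl 2443 O O X X
mysql 3306 X X X X
Virtuozzo 4643 O O X X"""

# Constructed sample of `ss -lntu` output, header stripped (assumption: take the live one from the box)
SS_OUTPUT = """tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:873        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2443       0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*"""

def parse_table(text):
    """Map (proto, port) -> True when the firewall allows it inbound."""
    rules = {}
    for line in text.splitlines():
        _name, port, tcp_in, _tcp_out, udp_in, _udp_out = line.split()
        rules[("tcp", int(port))] = tcp_in == "O"
        rules[("udp", int(port))] = udp_in == "O"
    return rules

def parse_ss(text):
    """Set of (proto, port) bound to a non-loopback address, i.e. reachable from outside."""
    listening = set()
    for line in text.splitlines():
        proto, _state, _recvq, _sendq, local, _peer = line.split()
        addr, port = local.rsplit(":", 1)
        if addr not in ("127.0.0.1", "[::1]"):  # loopback-only sockets need no firewall hole
            listening.add((proto, int(port)))
    return listening

def audit(rules, listening):
    """(open inbound but nothing listening -> safe to close, listening but blocked -> check intent)."""
    open_in = {key for key, allowed in rules.items() if allowed}
    return sorted(open_in - listening), sorted(listening - open_in)
```

With the sample listing, `audit(parse_table(PORT_TABLE), parse_ss(SS_OUTPUT))` reports the unused inbound holes (e.g. tcp 21, 110, 143, 993, 995 and udp 20, 21, 123, 873 here) and flags tcp 873 as listening but closed, which is worth a look since rsyncd speaks TCP while the table only opens UDP 873.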

The default port open/close config is “optimal for most general users,” so the product comes in a “best general case” config setup. I’ll let socheat chime in on the other settings to let you know what’s best, but I believe the defaults are “best general case” as well.

Chris

Chris is correct, these are the best general settings. We added a few ports to the conf.apf config file, but left many of the other default settings as is.

Here is one FAQ regarding Default TOS. It may be useful in deciding what’s best for your system:
http://www.faqs.org/docs/linux_network/x-087-2-firewall.tos.manipulation.html

Additionally, the default UDP policy is DROP, which causes some traceroutes to “fail” (traceroutes from Linux clients). If this is what you want, then you can leave this as DROP. If you want to be able to traceroute to your box, you’ll want to set the UDP policy to REJECT.