I just installed the community edition on my x86, which has 2 NICs.
The default setup is done, all the updates are done as well.
The incoming firewall webconfig is enabled by default. Does it mean I should be OK, or do I need to harden more?
Secondly, I have set up a VLAN and would like to create a firewall rule so the VLAN does not have any LAN access except access to the internet.
Any help or a link on how to do this would be appreciated.
Responses (7)
-
Nick Howitt wrote:
Of course you can. The firewall is working out of the box.
I think there has been a misunderstanding. The ClearOS firewall is completely open to its LAN and generally closed to traffic originating from the WAN (so it allows replies from the Internet, e.g. when browsing your favourite website). It also allows all traffic out from the LAN to the internet. If you close the firewall to SSH through the webconfig you are only affecting the WAN side. If you choose to open the firewall to SSH (so to the internet), make sure you have a strong root password as you will very quickly get a lot of password cracking attempts. This is just normal these days for anything exposed to the internet.
The reason I recommend OpenVPN to access the server from the internet is because you can close the SSH port and access the server as if you are connected to the LAN.
SSH can be secured more, e.g. using SSH keys. There is a KB article about securing SSH more.
-
OpenVPN is available from an app in the marketplace. The SSH server is installed and enabled by default. Each app has its own documentation (the sloping book icon on the top right of each webconfig screen) and we also have a Knowledge Base.
-
Personally, before putting the machine into production I would close both Webconfig and SSH and only allow external access by OpenVPN (or perhaps a second SSH daemon only allowing SSH key access).
If you have a single VLAN like this, just change it to a HotLAN. If you have multiple HotLANs the firewall is buggy but it can be got round.