Best tool to use to secure a server?
I am now at my first "real" job administrating a network. (Just for a month, part of my education actually.)
I shall put up a server for FTP & LDAP running RedHat 7.2.
This server is placed inside the school-net, Internet access is controlled via the county's fw, proxy and whatever. (=Not my problem.)
I shall secure this server against hosts on the same network, 3 subnets (students, teachers, admin.) OS mainly Windows (95, ME, 2000), some Macs and a few RH. There are several ways to do this - close ports manually, use iptables, use RH's firewalling, use some of the fw-admin programs installed.
I believe the best is to use one tool only, or somebody might get very confused later on.
I know how to use them, but which do you think is the best? (This is probably like asking which is best - emacs or vi - but let's hear your opinion!)
mychl
05-08-2002, 01:30 PM
I would close ports manually by disabling any services you don't want/need. Then I would make an iptables firewall. You'll have to leave port 21 and whatever LDAP is open, but you could filter them by IP address. Say you want only the students using the FTP, then filter out the subnets for teachers and admins.
RH uses ipchains by default, but if you rename the /etc/init.d/ipchains script to something else, then it will try to use iptables... so basically, all 3 of what you suggested should be applied.
That's just my opinion though
I'm afraid I wasn't very precise .. Sorry :o
Question is: I'll only be here four weeks, the administrators here are not used to Linux and have told me to make a good configuration that's easy for them to check/reconfigure.
They are by no means illiterate, after all they administer a rather complex network. I believe they won't have a problem administering any Linux configuration - but they are just not used to it. And they prefer graphical tools.
So they tell me: make it safe & easy. And I want them to be very happy with Linux + my work.
On the other hand, it's not difficult to set up:
No anonymous or guest access, only real accounts.
3 subnets allowed, 2 (teacher + admin) are considered good guys only. An account each with normal access restrictions is all that's required.
Then there is subnet 10.0.61.0/23. The students.
They are not bad people - but they are teenagers.. And there are 1200 of them.
But it's still just this subnet that makes us need a firewall on this server.
Since it's not very complex, maybe the easiest to use even for these Windows-contaminated admins still is iptables?
And another question: if I during installation choose "high security" then exactly what is done? I haven't been able to find the security configuration files?
Is this a good way to start, or is it better to use low/no security and configure everything myself, not to mix things up?
So basically the question is: what's best to use - not for me, but to keep Windows-admins happy?
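The per-subnet filtering suggested in the reply above, applied to the three-subnet policy described in this post, as an added example that is not from any poster in the thread. It generates one iptables-restore file from a short allow-list so the whole policy can be read in one place; the teacher and admin subnets are constructed placeholders, restricting LDAP (TCP 389) to those two is an assumption, and `valid_cidr` and `gen_rules` are hypothetical names.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset from a short allow-list.
STUDENTS="10.0.61.0/23"   # from the thread; the /23 mask covers 10.0.60.0-10.0.61.255
TEACHERS="192.0.2.0/25"   # constructed placeholder
ADMINS="192.0.2.128/25"   # constructed placeholder

# One line per service: "<tcp-port> <source> [<source> ...]"
# Assumption: FTP for all three subnets, LDAP for teachers and admins only.
POLICY="21 $STUDENTS $TEACHERS $ADMINS
389 $TEACHERS $ADMINS"

# Shape check only (dotted quad plus /0-32), so a typo cannot become a broad rule.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the ruleset for the policy text in $1; fail on a malformed source.
gen_rules() {
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" \
        ":OUTPUT ACCEPT [0:0]" "-A INPUT -i lo -j ACCEPT"
    # RELATED admits FTP data connections when the FTP conntrack helper is loaded.
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while read -r port sources; do
        [ -n "$port" ] || continue
        for src in $sources; do
            valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
            printf '%s\n' \
                "-A INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT"
        done
    done <<EOF
$1
EOF
    # Log whatever falls through to the DROP policy so refusals can be audited.
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: "' "COMMIT"
}

gen_rules "$POLICY"
```

Review the output before loading it with `iptables-restore`; because INPUT defaults to DROP, add a line for any remote-administration port the server needs first.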
AK_Dude
05-18-2002, 11:17 PM
This won't help you configure it, but is a useful tool to verify the security you have configured:
http://www.nessus.org
Nessus will verify that you have closed all unnecessary ports, that you don't have unneeded/unused user profiles, etc. The Nessus server can run on Linux (I think Windows, too, but I installed mine on my Linux PC) and there is a GUI client that runs on Windows (there may be a Linux client, too; I haven't checked). Best of all it's free. It's very easy to install, configure and use (hey, I'm a newbie, and I got it to work on my home network! :) )
[ 18 May 2002: Message edited by: AK_Dude ]