IT security is not a simple area. You need more than knowing how to configure a firewall rule. Indeed, in my opinion, you must have in-depth knowledge of the network stack (TCP/IP and ISO/OSI), details of the protocols involved (IP headers, HTTP headers, LDAP authentication, just to mention some), configuration details of the operating system and the software involved (knowing the MariaDB options if you are doing database security), and any other theoretical concept relevant to your environment. And this is only the technical part.
If you want to go further, you should understand security concepts such as risk, vulnerability, exposure, control and others.
At this point, you can have a clear view of what is best to do in your strategy. With all this said, I will talk about a classic error made when deciding how to implement security controls.
First, I must say that for me a proxy is not considered a firewall. Some authors state that a proxy can be considered a layer 7 firewall. In this article, a firewall could be a Netscreen device, a Checkpoint or IPTables on Linux. A proxy is something like Squid or, even better, mod_security for Apache. The big difference is the layer where they operate. Firewalls work on layers 2, 3 and 4; the finest control you get is at the level of the port. Some firewalls, like IPTables, try to work around this with the string module, where you can set criteria based on the payload, but again, they don't understand the protocol: it is just a dumb machine blindly matching bytes. Proxies, on the other hand, operate on layer 7; they fully understand the protocol. Squid is an excellent example. Squid understands the HTTP protocol, and you can create rules based on HTTP elements such as the authenticated user, the path of the files, the POST payload, cookies and many other things.
As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need is SSH protection against brute-force attacks. Some security experts recommend moving SSH off port 22/tcp, but in my opinion that is not a good idea. You are just filling one hole by digging another. Anyone can run a port scan with Nmap and find the new port.
Because of this, I will give a recipe here. Note that I have tested it without using the firewalld daemon.
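As an added example (not part of the original post and not fail2ban's own code), the following script reproduces the decision the fail2ban sshd jail makes: it counts "Failed password" lines per source address in /var/log/secure and flags a ban once `maxretry` failures fall within a sliding window of `findtime` seconds. The log lines are constructed, the addresses come from documentation ranges, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Failed password" line as written to /var/log/secure.
# Successful logins and other sshd messages are deliberately not matched.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def ban_decisions(lines, maxretry=5, findtime=600, year=2024):
    """Return [(ip, iso_timestamp)] for each ban a fail2ban-style sliding
    window would trigger: maxretry failures from one IP within findtime
    seconds. The year is assumed because syslog lines do not carry one."""
    window = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = set()
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failed SSH login: ignore
        ip = m.group("ip")
        if ip in banned:
            continue                # already banned: fail2ban stops counting
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = window[ip]
        q.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
            bans.append((ip, ts.isoformat()))
    return bans

# Constructed sample: one noisy host, one host with a single failure,
# and an unrelated successful key login that must not be counted.
SAMPLE_LOG = """\
Jan 12 10:15:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:03 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 10:15:04 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Jan 12 10:15:06 bastion sshd[2233]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:15:09 bastion sshd[2235]: Failed password for root from 198.51.100.7 port 40102 ssh2
Jan 12 10:15:11 bastion sshd[2237]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 12 10:15:14 bastion sshd[2239]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 10:15:20 bastion sshd[2241]: Failed password for root from 203.0.113.5 port 51239 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in ban_decisions(SAMPLE_LOG):
        print(f"ban {ip} at {when}")
```

With the defaults the noisy host is banned at its fifth failure; shrinking `findtime` to a few seconds shows how the window expires and no ban is issued.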
For quite some time, I have been visiting Packt to get a new eBook each day. The books cover IT topics in the cookbook style. You can download them in PDF, ePub or Mobi format. I always download the ePub format and upload it to Google Books.