Re: [gentoo-user] Is this firewall safe?

[Eric Martin <freak4uxxx@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3143 bytes --]

Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services
> reachable from outside) using iptables. Since I am new to the topic,
> could you please verify if the output of 'iptables -L -v' is
> considered to be a safe firewall? Thanks!
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  lo     any     anywhere
> anywhere
>     0     0 ACCEPT     all  --  eth0   any     anywhere
> anywhere            state RELATED,ESTABLISHED
>     0     0 REJECT     tcp  --  eth0   any     anywhere
> anywhere            reject-with tcp-reset
>     0     0 REJECT     udp  --  eth0   any     anywhere
> anywhere            reject-with icmp-port-unreachable
>     0     0 DROP       udp  --  eth0   any     anywhere
> anywhere            udp spt:bootps
>     0     0 LOG        all  --  eth0   any     anywhere
> anywhere            LOG level warning prefix `INPUT   '
>     1    79 ACCEPT     all  --  wlan0  any     anywhere
> anywhere            state RELATED,ESTABLISHED
>     0     0 REJECT     tcp  --  wlan0  any     anywhere
> anywhere            reject-with tcp-reset
>     0     0 REJECT     udp  --  wlan0  any     anywhere
> anywhere            reject-with icmp-port-unreachable
>     0     0 DROP       udp  --  wlan0  any     anywhere
> anywhere            udp spt:bootps
>     0     0 LOG        all  --  wlan0  any     anywhere
> anywhere            LOG level warning prefix `INPUT   '
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `FORWARD '
>     0     0 LOG        all  --  any    any     anywhere
> anywhere            LOG level warning prefix `FORWARD '
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  any    lo      anywhere
> anywhere
>     0     0 LOG        all  --  any    eth0    anywhere
> anywhere            LOG level warning prefix `OUTPUT  '
>     1    52 LOG        all  --  any    wlan0   anywhere
> anywhere            LOG level warning prefix `OUTPUT  '
>
>   
It all depends on what you're trying to do.  My internet facing boxes
have a default OUTPUT policy of DROP and I only allow certain traffic
off of the box (helps protect me from unauthorized services).  Also,
you're dropping bootps (same ports as dhcp) on udp so I don't think you
can get a dhcp address like that.  If you're running any services you
won't be able to talk to them (ssh).  Turn off forwarding in the kernel
config (via /etc/sysctl.conf) as well.

It also took me a few runs to figure out the firewall config (due to the
rules and formatting).  The last two output rules can be combined into
one.  Have 1 log line at the bottom of your tables and that will take
care of that.  Clean and short configs will help immensely when things
don't work.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 899 bytes --]