From: Chris Frederick <cdf123@cdf123.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Is this firewall safe?
Date: Fri, 24 Apr 2009 12:00:07 -0500 [thread overview]
Message-ID: <49F1F017.10302@cdf123.net> (raw)
In-Reply-To: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com>
Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services
> reachable from outside) using iptables. Since I am new to the topic,
> could you please verify if the output of 'iptables -L -v' is
> considered to be a safe firewall? Thanks!
>
Hi Marco,
Your firewall looks good, but I would change a few things.
First off, change your FORWARD chain to DROP. Unless you are doing
routing on your laptop, there's no reason to have it.
I would also get rid of the REJECT targets. It's better to DROP
instead. If someone is scanning the network, and you start sending icmp
rejections back, they will know you are there and may try other
techniques to break through your defenses, but if you DROP and send
nothing back, it will be much harder for them to see you at all.
I would also re-write your INPUT chain to be a bit less verbose.
Something like this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- lo any anywhere anywhere
ACCEPT all -- any any anywhere anywhere state
RELATED,ESTABLISHED
LOG all -- any any anywhere anywhere LOG level warning
prefix `INPUT '
Everything else looks good from a security standpoint. From a
performance standpoint, you might want to add a line to the beginning of
your output chain like this:
Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
target prot opt in out source destination
ACCEPT all -- any lo anywhere anywhere
ACCEPT all -- any any anywhere anywhere state
RELATED,ESTABLISHED
LOG all -- any any anywhere anywhere LOG level warning
prefix `OUTPUT '
This will log only NEW packets. Otherwise you could end up with a lot
of log output.
After you run this for a while, go back and look through your logs and
see if you have enough data there to change your OUTPUT chain to DROP,
and only allow packets through to ports you actually use. That's only
if you're really paranoid though.
Hope that helps.
Chris
next prev parent reply other threads:[~2009-04-24 17:01 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-24 15:28 [gentoo-user] Is this firewall safe? Marco
2009-04-24 16:59 ` Eric Martin
2009-04-24 17:53 ` Marco
2009-04-27 19:35 ` Eric Martin
2009-04-24 17:00 ` Chris Frederick [this message]
2009-04-24 17:05 ` Hazen Valliant-Saunders
2009-04-24 18:20 ` Marco
2009-04-24 17:23 ` Daniel Troeder
2009-04-24 18:40 ` Marco
2009-04-24 19:38 ` Daniel Troeder
2009-04-24 21:28 ` Chris Frederick
2009-04-27 18:56 ` Daniel Troeder
2009-04-27 20:03 ` Alan McKinnon
2009-04-24 18:18 ` Marco
2009-04-24 18:26 ` Marco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49F1F017.10302@cdf123.net \
--to=cdf123@cdf123.net \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox