From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LxOm2-0001WC-2s for garchives@archives.gentoo.org; Fri, 24 Apr 2009 17:01:14 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 98FBDE0521; Fri, 24 Apr 2009 17:00:08 +0000 (UTC) Received: from smtp.rtvision.com (smtp.rtvision.com [76.164.12.15]) by pigeon.gentoo.org (Postfix) with ESMTP id 7708DE0521 for ; Fri, 24 Apr 2009 17:00:08 +0000 (UTC) Received: from rtchris.rtdev.net (rtchris.rtdev.net [192.168.1.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.rtvision.com (Postfix) with ESMTPSA id EF3EC577FF for ; Fri, 24 Apr 2009 12:00:07 -0500 (CDT) Message-ID: <49F1F017.10302@cdf123.net> Date: Fri, 24 Apr 2009 12:00:07 -0500 From: Chris Frederick User-Agent: Thunderbird 2.0.0.17 (X11/20081117) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Is this firewall safe? References: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com> In-Reply-To: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Archives-Salt: 94190984-797b-43fa-adcf-8431f11ea1f7 X-Archives-Hash: 24e91721096058d7e7ac12ff93ba12c2 Marco wrote: > Hi all, > > I set up my first firewall on my notebook (not running any services > reachable from outside) using iptables. Since I am new to the topic, > could you please verify if the output of 'iptables -L -v' is > considered to be a safe firewall? Thanks! > Hi Marco, Your firewall looks good, but I would change a few things. First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it. I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all. I would also re-write your INPUT chain to be a bit less verbose. Something like this: Chain INPUT (policy DROP 0 packets, 0 bytes) target prot opt in out source destination ACCEPT all -- lo any anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `INPUT ' Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this: Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) target prot opt in out source destination ACCEPT all -- any lo anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `OUTPUT ' This will log only NEW packets. Otherwise you could end up with a lot of log output. After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though. Hope that helps. Chris