From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Date: Sun, 13 Oct 2013 18:02:32 -0400
Message-ID: <525B1878.2010908@orlitzky.com>
In-Reply-To: <slrnl5lvc2.cda.vaeth@lounge.imp.fu-berlin.de>

On 10/13/2013 04:07 PM, Martin Vaeth wrote:
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
> 
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.

Sure, but do the rules change? Is there a better ruleset that
accomplishes the same thing with fewer (or universal) rules? How many
rules do you have at the location requiring the most rules?

Most laptops should be OK with the following:

  # Default policies: drop unsolicited inbound and all forwarding,
  # allow anything outbound.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # Loopback is always trusted; replies to our own connections are
  # accepted via conntrack, and packets conntrack cannot classify are dropped.
  iptables -A INPUT -p ALL -i lo -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
    --ctstate INVALID -j DROP

  # The ICMP types needed for a working host: echo-reply (0),
  # destination-unreachable (3), source-quench (4), echo-request (8),
  # time-exceeded (11), parameter-problem (12).
  ALLOWED_ICMP="0 3 4 8 11 12"
  for icmp_type in $ALLOWED_ICMP; do
    iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
  done

And creative setups should only require a few more rules. This all takes
under (1/10) of a second on my laptop.


> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...

Port knocking is cute, but imparts no extra security. A better, secure
way to achieve the same goal is with OpenVPN. And that doesn't require
you to play games with your firewall.

If you use your laptop at hotels, universities, and conferences, you'll
have a much happier time connecting to OpenVPN on tcp/443 (which nobody
can block) than you will trying to connect directly.


>> Race conditions don't really seem that serious to me.
> 
> Maybe, but I am not sure:
> There might be situations where it might be possible to keep
> a port open even when the rule is rewritten later on; then
> you need an open system only once...
> So, I could imagine that with some clever hacks an attacker
> might keep ports open and then do another attack later on.
> I am not an experienced hacker to know such attacks, but I
> know that races can be very subtle and provide attack vectors
> nobody has ever thought of.

In this case, the absolute worst that could happen is that an attacker
gains access to every open port on your system. While this is bad, it's
not a clever new vulnerability: it's all of the old ones that were
already there.

If there are insecure daemons listening on public addresses, you should
fix them instead of worrying about race conditions on the firewall.
Otherwise, every machine on your LAN becomes an attack vector, and
that's a much greater risk especially if your coworkers/friends use
Windows. And if we're still talking about laptops, the "LAN" is usually
"anybody nearby."
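The ruleset above, expressed as a generator for iptables-restore input rather than a sequence of iptables calls. This is an added example for the thread's subject and is not code from the post or from Gentoo; the function names and the "apply"/"check" arguments are this example's own choices. The point it shows: iptables-restore reads the whole table and commits it in one step, so there is no moment during a rewrite at which the table holds a partial ruleset, which is the window the quoted reply was worried about.

```shell
#!/bin/sh
# Added example (not from the post): build the laptop ruleset as an
# iptables-restore file.  The rules are the same ones listed above;
# "-p ALL" is omitted because it is the default in restore format.
ALLOWED_ICMP="0 3 4 8 11 12"   # same list as in the post

gen_rules() {
    printf '%s\n' '*filter'
    # Chain policies with zeroed packet/byte counters.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, conntrack bookkeeping, then the allowed ICMP types.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for icmp_type in $ALLOWED_ICMP; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT"
    done
    # COMMIT is where iptables-restore swaps the whole table in at once.
    printf '%s\n' 'COMMIT'
}

# Number of -A INPUT rules the generator emits (3 fixed + one per ICMP type).
count_input_rules() {
    gen_rules | grep -c '^-A INPUT'
}

# Nothing touches the running firewall unless explicitly asked.
# "check" uses iptables-restore's own --test mode to validate the syntax
# without loading it; "apply" loads the table atomically.
case "${1:-}" in
    check) gen_rules | iptables-restore --test ;;
    apply) gen_rules | iptables-restore ;;
esac
```

Run it as `sh rules.sh check` first to let iptables-restore parse the file without changing anything, then `sh rules.sh apply` (as root) to load it. Because the generator is plain shell, the ICMP list or any site-specific additions can still be computed by a script, while the loading step keeps the all-or-nothing semantics of iptables-restore.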


