From: Michael Orlitzky
Date: Sun, 13 Oct 2013 18:02:32 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Message-ID: <525B1878.2010908@orlitzky.com>
References: <524DD388.9020507@fastmail.co.uk> <524F39F6.4040409@orlitzky.com> <525AAADE.7040700@orlitzky.com> <525ACC38.8060008@orlitzky.com>

On 10/13/2013 04:07 PM, Martin Vaeth wrote:
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.

Sure, but do the rules change? Is there a better ruleset that
accomplishes the same thing with fewer (or universal) rules? How many
rules do you have at the location requiring the most rules?

Most laptops should be OK with the following:

# Default policies: drop unsolicited inbound and forwarded traffic,
# allow everything outbound.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback traffic.
iptables -A INPUT -p ALL -i lo -j ACCEPT

# Replies to connections this host initiated.
iptables -A INPUT -p ALL -m conntrack \
  --ctstate ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot associate with any connection.
iptables -A INPUT -p ALL -m conntrack \
  --ctstate INVALID -j DROP

# ICMP types to accept: echo-reply (0), destination-unreachable (3),
# source-quench (4), echo-request (8), time-exceeded (11),
# parameter-problem (12).
ALLOWED_ICMP="0 3 4 8 11 12"
for icmp_type in $ALLOWED_ICMP; do
  iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
done

And creative setups should only require a few more rules. This all takes
under (1/10) of a second on my laptop.

> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...

Port knocking is cute, but imparts no extra security. A better, secure
way to achieve the same goal is with OpenVPN. And that doesn't require
you to play games with your firewall. If you use your laptop at hotels,
universities, and conferences, you'll have a much happier time
connecting to OpenVPN on tcp/443 (which nobody can block) than you will
trying to connect directly.

>> Race conditions don't really seem that serious to me.
>
> Maybe, but I am not sure:
> There might be situations where it might be possible to keep
> a port open even when the rule is rewritten later on; then
> you need an open system only once...
> So, I could imagine that with some clever hacks an attacker
> might keep ports open and then do another attack later on.
> I am not an experienced hacker to know such attacks, but I
> know that races can be very subtle and provide attack vectors
> nobody has ever thought of.

In this case, the absolute worst that could happen is that an attacker
gains access to every open port on your system. While this is bad, it's
not a clever new vulnerability: it's all of the old ones that were
already there. If there are insecure daemons listening on public
addresses, you should fix them instead of worrying about race conditions
on the firewall. Otherwise, every machine on your LAN becomes an attack
vector, and that's a much greater risk especially if your
coworkers/friends use Windows. And if we're still talking about laptops,
the "LAN" is usually "anybody nearby."
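The laptop ruleset from the message above, rewritten in iptables-restore format as an added example (not code from the thread): iptables-restore replaces the whole filter table in one commit, so the script does not pass through a half-applied state while rules are being inserted one by one. The function names and the `--test` dry run are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the ruleset from the
# message above in iptables-restore format and loads it in one commit.

# ICMP types the ruleset accepts (same list as the message): echo-reply,
# destination-unreachable, source-quench, echo-request, time-exceeded,
# parameter-problem.
ALLOWED_ICMP="0 3 4 8 11 12"

# Print the filter table for iptables-restore. Nothing is applied here.
# The -p ALL from the iptables commands is the default and is omitted.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for icmp_type in $ALLOWED_ICMP; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of -A rule lines in the generated table, so a caller can
# sanity-check the output before loading it (9 for the list above).
count_rules() {
    gen_ruleset | grep -c '^-A '
}

# Load the table atomically. With -t (--test) iptables-restore only
# parses and builds the ruleset without committing it; drop the -t to
# load for real. Needs root, so refuse quietly otherwise.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: not root, not loading rules" >&2
        return 1
    fi
    gen_ruleset | iptables-restore -t
}
```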