Re: [gentoo-user] Is this firewall safe?

[Marco <listworks@gmail.com>]

On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@gmail.com> wrote:
> Marco wrote:
>> Hi all,
>>
>> I set up my first firewall on my notebook (not running any services
>> reachable from outside) using iptables. Since I am new to the topic,
>> could you please verify if the output of 'iptables -L -v' is
>> considered to be a safe firewall? Thanks!
>>
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 ACCEPT     all  --  lo     any     anywhere
>> anywhere
>>     0     0 ACCEPT     all  --  eth0   any     anywhere
>> anywhere            state RELATED,ESTABLISHED
>>     0     0 REJECT     tcp  --  eth0   any     anywhere
>> anywhere            reject-with tcp-reset
>>     0     0 REJECT     udp  --  eth0   any     anywhere
>> anywhere            reject-with icmp-port-unreachable
>>     0     0 DROP       udp  --  eth0   any     anywhere
>> anywhere            udp spt:bootps
>>     0     0 LOG        all  --  eth0   any     anywhere
>> anywhere            LOG level warning prefix `INPUT   '
>>     1    79 ACCEPT     all  --  wlan0  any     anywhere
>> anywhere            state RELATED,ESTABLISHED
>>     0     0 REJECT     tcp  --  wlan0  any     anywhere
>> anywhere            reject-with tcp-reset
>>     0     0 REJECT     udp  --  wlan0  any     anywhere
>> anywhere            reject-with icmp-port-unreachable
>>     0     0 DROP       udp  --  wlan0  any     anywhere
>> anywhere            udp spt:bootps
>>     0     0 LOG        all  --  wlan0  any     anywhere
>> anywhere            LOG level warning prefix `INPUT   '
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 LOG        all  --  any    any     anywhere
>> anywhere            LOG level warning prefix `FORWARD '
>>     0     0 LOG        all  --  any    any     anywhere
>> anywhere            LOG level warning prefix `FORWARD '
>>
>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>>  pkts bytes target     prot opt in     out     source
>> destination
>>     0     0 ACCEPT     all  --  any    lo      anywhere
>> anywhere
>>     0     0 LOG        all  --  any    eth0    anywhere
>> anywhere            LOG level warning prefix `OUTPUT  '
>>     1    52 LOG        all  --  any    wlan0   anywhere
>> anywhere            LOG level warning prefix `OUTPUT  '
>>
>>
> It all depends on what you're trying to do.  My internet facing boxes
> have a default OUTPUT policy of DROP and I only allow certain traffic
> off of the box (helps protect me from unauthorized services).  Also,
> you're dropping bootps (same ports as dhcp) on udp so I don't think you
> can get a dhcp address like that.  If you're running any services you
> won't be able to talk to them (ssh).  Turn off forwarding in the kernel
> config (via /etc/sysctl.conf) as well.

I am dropping bootps to not have my log file flooding due to the DHCP
server in my wireless router (as suggested in
www.novell.com/coolsolutions/feature/18139.html). As it seems I still
get a dynamic ip from it.

So far, I am not running any services that have to be exposed to the outside.

> It also took me a few runs to figure out the firewall config (due to the
> rules and formatting).  The last two output rules can be combined into
> one.  Have 1 log line at the bottom of your tables and that will take
> care of that.  Clean and short configs will help immensely when things
> don't work.

Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks...

Talking about the 1 log line at the bottom you mean I should configure
it to not specify an interface (eth0, wlan0)?

Thanks!