From mboxrd@z Thu Jan 1 00:00:00 1970
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
In-Reply-To: <49F1EFF8.7060801@gmail.com>
References: <93d30e950904240828t6e20bd22v2946d302c2cc5843@mail.gmail.com> <49F1EFF8.7060801@gmail.com>
Date: Fri, 24 Apr 2009 17:53:13 +0000
Message-ID: <93d30e950904241053x55b9f169x887296edc4a74830@mail.gmail.com>
Subject: Re: [gentoo-user] Is this firewall safe?
From: Marco
To: gentoo-user@lists.gentoo.org

On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin wrote:
> Marco wrote:
>> Hi all,
>>
>> I set up my first firewall on my notebook (not running any services
>> reachable from outside) using iptables. Since I am new to the topic,
>> could you please verify if the output of 'iptables -L -v' is
>> considered to be a safe firewall? Thanks!
>>
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
>>     0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere            reject-with tcp-reset
>>     0     0 REJECT     udp  --  eth0   any     anywhere             anywhere            reject-with icmp-port-unreachable
>>     0     0 DROP       udp  --  eth0   any     anywhere             anywhere            udp spt:bootps
>>     0     0 LOG        all  --  eth0   any     anywhere             anywhere            LOG level warning prefix `INPUT   '
>>     1    79 ACCEPT     all  --  wlan0  any     anywhere             anywhere            state RELATED,ESTABLISHED
>>     0     0 REJECT     tcp  --  wlan0  any     anywhere             anywhere            reject-with tcp-reset
>>     0     0 REJECT     udp  --  wlan0  any     anywhere             anywhere            reject-with icmp-port-unreachable
>>     0     0 DROP       udp  --  wlan0  any     anywhere             anywhere            udp spt:bootps
>>     0     0 LOG        all  --  wlan0  any     anywhere             anywhere            LOG level warning prefix `INPUT   '
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `FORWARD '
>>     0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning prefix `FORWARD '
>>
>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
>>     0     0 LOG        all  --  any    eth0    anywhere             anywhere            LOG level warning prefix `OUTPUT  '
>>     1    52 LOG        all  --  any    wlan0   anywhere             anywhere            LOG level warning prefix `OUTPUT  '
>>
>>
> It all depends on what you're trying to do. My internet facing boxes
> have a default OUTPUT policy of DROP and I only allow certain traffic
> off of the box (helps protect me from unauthorized services). Also,
> you're dropping bootps (same ports as dhcp) on udp so I don't think you
> can get a dhcp address like that. If you're running any services you
> won't be able to talk to them (ssh). Turn off forwarding in the kernel
> config (via /etc/sysctl.conf) as well.
I am dropping bootps to not have my log file flooding due to the DHCP
server in my wireless router (as suggested in
www.novell.com/coolsolutions/feature/18139.html). As it seems, I still
get a dynamic IP from it. So far, I am not running any services that
have to be exposed to the outside.

> It also took me a few runs to figure out the firewall config (due to the
> rules and formatting). The last two output rules can be combined into
> one. Have 1 log line at the bottom of your tables and that will take
> care of that. Clean and short configs will help immensely when things
> don't work.

Sorry for the bad format. Gmail decided to insert some sub-ideal
page breaks...

Talking about the 1 log line at the bottom, you mean I should configure it
to not specify an interface (eth0, wlan0)?

Thanks!
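The advice in this thread applied to the ruleset quoted above, as an added example that is not code from either poster: one interface-independent LOG line at the bottom of each chain (a rule with no -i or -o matches both eth0 and wlan0), no per-interface duplicates, DHCP replies accepted ahead of the log line instead of dropped, and forwarding switched off. The echo-based dry run, the 5/min rate limit and the OUTPUT port list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run by default: every rule is
# echoed. Set IPT=iptables (and SYSCTL=sysctl) as root to apply it for real.
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

firewall_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # nothing is routed through a notebook
    $IPT -P OUTPUT DROP      # Eric's suggestion: only chosen traffic leaves the box

    # Loopback and replies to our own connections; one rule covers both
    # eth0 and wlan0 because no -i is given
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DHCP answers from the router (bootps -> bootpc): accept rather than drop,
    # and keep the rule above the LOG line so they never reach the log
    $IPT -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The single log line at the bottom, interface-independent and rate-limited
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT "
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable

    # OUTPUT: assumed client-only notebook; the port list is an assumption
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT                  # DNS
    $IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT       # DHCP client
    $IPT -A OUTPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT "
    $IPT -A OUTPUT -j REJECT

    # Also turn forwarding off in the kernel, as Eric suggests
    $SYSCTL -w net.ipv4.ip_forward=0
}

firewall_rules
```

Running it without IPT set prints the rules for review; with `iptables -L -v` afterwards the counters on the single INPUT LOG rule show what would otherwise have been rejected silently.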