From: Marco @ 2009-04-24 15:28 UTC
To: gentoo-user
Subject: [gentoo-user] Is this firewall safe?

Hi all,

I set up my first firewall on my notebook (not running any services
reachable from outside) using iptables. Since I am new to the topic,
could you please verify if the output of 'iptables -L -v' is
considered to be a safe firewall? Thanks!

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source    destination
    0     0 ACCEPT  all  --  lo     any    anywhere  anywhere
    0     0 ACCEPT  all  --  eth0   any    anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  eth0   any    anywhere  anywhere  reject-with tcp-reset
    0     0 REJECT  udp  --  eth0   any    anywhere  anywhere  reject-with icmp-port-unreachable
    0     0 DROP    udp  --  eth0   any    anywhere  anywhere  udp spt:bootps
    0     0 LOG     all  --  eth0   any    anywhere  anywhere  LOG level warning prefix `INPUT '
    1    79 ACCEPT  all  --  wlan0  any    anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  wlan0  any    anywhere  anywhere  reject-with tcp-reset
    0     0 REJECT  udp  --  wlan0  any    anywhere  anywhere  reject-with icmp-port-unreachable
    0     0 DROP    udp  --  wlan0  any    anywhere  anywhere  udp spt:bootps
    0     0 LOG     all  --  wlan0  any    anywhere  anywhere  LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source    destination
    0     0 LOG     all  --  any    any    anywhere  anywhere  LOG level warning prefix `FORWARD '
    0     0 LOG     all  --  any    any    anywhere  anywhere  LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
 pkts bytes target  prot opt in     out    source    destination
    0     0 ACCEPT  all  --  any    lo     anywhere  anywhere
    0     0 LOG     all  --  any    eth0   anywhere  anywhere  LOG level warning prefix `OUTPUT '
    1    52 LOG     all  --  any    wlan0  anywhere  anywhere  LOG level warning prefix `OUTPUT '
From: Eric Martin @ 2009-04-24 16:59 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services
> reachable from outside) using iptables. Since I am new to the topic,
> could you please verify if the output of 'iptables -L -v' is
> considered to be a safe firewall? Thanks!
>
> [...]

It all depends on what you're trying to do. My internet facing boxes
have a default OUTPUT policy of DROP and I only allow certain traffic
off of the box (helps protect me from unauthorized services). Also,
you're dropping bootps (same ports as dhcp) on udp so I don't think you
can get a dhcp address like that. If you're running any services you
won't be able to talk to them (ssh). Turn off forwarding in the kernel
config (via /etc/sysctl.conf) as well.

It also took me a few runs to figure out the firewall config (due to the
rules and formatting). The last two output rules can be combined into
one. Have 1 log line at the bottom of your tables and that will take
care of that. Clean and short configs will help immensely when things
don't work.
From: Marco @ 2009-04-24 17:53 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@gmail.com> wrote:
> Marco wrote:
>> Hi all,
>>
>> I set up my first firewall on my notebook (not running any services
>> reachable from outside) using iptables. Since I am new to the topic,
>> could you please verify if the output of 'iptables -L -v' is
>> considered to be a safe firewall? Thanks!
>>
>> [...]
>
> It all depends on what you're trying to do. My internet facing boxes
> have a default OUTPUT policy of DROP and I only allow certain traffic
> off of the box (helps protect me from unauthorized services). Also,
> you're dropping bootps (same ports as dhcp) on udp so I don't think you
> can get a dhcp address like that. If you're running any services you
> won't be able to talk to them (ssh). Turn off forwarding in the kernel
> config (via /etc/sysctl.conf) as well.

I am dropping bootps to not have my log file flooding due to the DHCP
server in my wireless router (as suggested in
www.novell.com/coolsolutions/feature/18139.html). As it seems I still
get a dynamic ip from it.

So far, I am not running any services that have to be exposed to the
outside.

> It also took me a few runs to figure out the firewall config (due to the
> rules and formatting). The last two output rules can be combined into
> one. Have 1 log line at the bottom of your tables and that will take
> care of that. Clean and short configs will help immensely when things
> don't work.

Sorry for the bad format. gmail decided to insert some sub-ideal pagebreaks...

Talking about the 1 log line at the bottom you mean I should configure
it to not specify an interface (eth0, wlan0)?

Thanks!
From: Eric Martin @ 2009-04-27 19:35 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Marco wrote:
> On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@gmail.com> wrote:
>> Marco wrote:
>>> Hi all,
>>>
>>> I set up my first firewall on my notebook (not running any services
>>> reachable from outside) using iptables. Since I am new to the topic,
>>> could you please verify if the output of 'iptables -L -v' is
>>> considered to be a safe firewall? Thanks!
>>>
>>> [...]
> <snip>
> Sorry for the bad format. gmail decided to insert some sub-ideal pagebreaks...
>
> Talking about the 1 log line at the bottom you mean I should configure
> it to not specify an interface (eth0, wlan0)?
>
> Thanks!

Yeah, not specifying an interface for the log rule to apply to will make
it catch all interfaces (including lo but all traffic has already been
approved ahead of time so it won't catch).
From: Chris Frederick @ 2009-04-24 17:00 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services
> reachable from outside) using iptables. Since I am new to the topic,
> could you please verify if the output of 'iptables -L -v' is
> considered to be a safe firewall? Thanks!
>

Hi Marco,

Your firewall looks good, but I would change a few things.

First off, change your FORWARD chain to DROP. Unless you are doing
routing on your laptop, there's no reason to have it.

I would also get rid of the REJECT targets. It's better to DROP
instead. If someone is scanning the network, and you start sending icmp
rejections back, they will know you are there and may try other
techniques to break through your defenses, but if you DROP and send
nothing back, it will be much harder for them to see you at all.

I would also re-write your INPUT chain to be a bit less verbose.
Something like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
target  prot opt in   out  source    destination
ACCEPT  all  --  lo   any  anywhere  anywhere
ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
LOG     all  --  any  any  anywhere  anywhere  LOG level warning prefix `INPUT '

Everything else looks good from a security standpoint. From a
performance standpoint, you might want to add a line to the beginning of
your output chain like this:

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
target  prot opt in   out  source    destination
ACCEPT  all  --  any  lo   anywhere  anywhere
ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
LOG     all  --  any  any  anywhere  anywhere  LOG level warning prefix `OUTPUT '

This will log only NEW packets. Otherwise you could end up with a lot
of log output.

After you run this for a while, go back and look through your logs and
see if you have enough data there to change your OUTPUT chain to DROP,
and only allow packets through to ports you actually use. That's only
if you're really paranoid though.

Hope that helps.

Chris
From: Hazen Valliant-Saunders @ 2009-04-24 17:05 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Just a thought:

http://www.fwbuilder.org/

I like how it looks "a lot" like checkpoint's policy manager.

HTH,
Hazen.

On Fri, Apr 24, 2009 at 1:00 PM, Chris Frederick <cdf123@cdf123.net> wrote:
> [...]

--
Hazen Valliant-Saunders
IT/IS Consultant
(613) 355-5977
From: Marco @ 2009-04-24 18:20 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, Apr 24, 2009 at 5:05 PM, Hazen Valliant-Saunders <hazenvs@gmail.com> wrote:
> Just a thought:
>
> http://www.fwbuilder.org/

I've seen fwbuilder already. I thought since I only need a simple
firewall, I probably make the thing worse if I don't really know how to
use the tool. And learning iptables is a good thing I guess. In case I'd
have to set up some servers, I would of course reconsider fwbuilder.

--
Regards,
Marco
From: Daniel Troeder @ 2009-04-24 17:23 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.

While all that is correct, I would also consider it "bad network
behavior" (no offense intended). It feels like "security through
obscurity". It may hamper the well-working of a TCP/IP network, as that
relies heavily on ICMP. Probably it will never be a problem for you, but
it could be a problem for a network administrator.

Also: if you wish to scan (nmap) yourself to check your system
(configuration), you'll wish for REJECT instead of DROP :)

On a (not so) different topic:
If you're going to make your firewall more complex (more services, or
other stuff), I'd suggest to use a widely used firewall script. That is
more secure than writing your own firewall configuration, because in the
long run it will be better maintainable (and they often also do "smart
stuff(TM)" ;)

My recommendation is "net-firewall/shorewall". It has a well balanced
abstraction/granularity-ratio, and the produced iptable-rules are still
readable :)

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
From: Marco @ 2009-04-24 18:40 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <daniel@admin-box.com> wrote:
> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
[...]
> While all that is correct, I would also consider it "bad network
> behavior" (no offense intended).

So you consider my 'reject-with' settings to be good practice?

> It feels like "security through obscurity". It may hamper the
> well-working of a TCP/IP network, as that relies heavily on ICMP.

I was not really sure how to configure ICMP (ping) correctly. Any
input appreciated!

> Probably it will never be a problem for you, but it could be a problem
> for a network administrator.
>
> Also: if you wish to scan (nmap) yourself to check your system
> (configuration), you'll wish for REJECT instead of DROP :)

You mean as the default policy?

> On a (not so) different topic:
> If you're going to make your firewall more complex (more services, or
> other stuff), I'd suggest to use a widely used firewall script. That is
> more secure than writing your own firewall configuration, because in the
> long run it will be better maintainable (and they often also do "smart
> stuff(TM)" ;)
>
> My recommendation is "net-firewall/shorewall". It has a well balanced
> abstraction/granularity-ratio, and the produced iptable-rules are still
> readable :)

This is considered to be my learning example. Later I will definitely
consider using shorewall (learning one thing at a time).

Thanks!

--
Regards,
Marco
From: Daniel Troeder @ 2009-04-24 19:38 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, 2009-04-24 at 18:40 +0000, Marco wrote:
> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <daniel@admin-box.com> wrote:
> > On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> [...]
> > While all that is correct, I would also consider it "bad network
> > behavior" (no offense intended).
>
> So you consider my 'reject-with' settings to be good practice?

Yes :)

> > It feels like "security through obscurity". It may hamper the
> > well-working of a TCP/IP network, as that relies heavily on ICMP.
>
> I was not really sure how to configure ICMP (ping) correctly. Any
> input appreciated!

That is really difficult, because ICMP is a family of lots of protocols,
from which ping is just one. Others are important too, like telling
routers/hosts about network congestion, and so on... I don't feel
competent enough to give directions. I do always allow ping, as this is
needed in a server environment to check for uptime, but your case may be
different.

> > Also: if you wish to scan (nmap) yourself to check your system
> > (configuration), you'll wish for REJECT instead of DROP :)
>
> You mean as the default policy?

Yes, and also everywhere you use DROP. It's just that you'll have to
wait less for timeouts when connecting to a closed port.

If you decide to go with DROP, then you could make it globally
switchable in your script, to change between testing and production
environment/situation.

Bye,
Daniel
From: Chris Frederick @ 2009-04-24 21:28 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Daniel Troeder wrote:
> On Fri, 2009-04-24 at 18:40 +0000, Marco wrote:
>> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder <daniel@admin-box.com> wrote:
>>> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
>> [...]
>>> While all that is correct, I would also consider it "bad network
>>> behavior" (no offense intended).
>> So you consider my 'reject-with' settings to be good practice?
> Yes :)

I'll have to agree and disagree with Daniel on this point. I agree that
it is "bad network behavior", but the people we are trying to keep out
don't stick to using "good network behavior", so why should we? There's
a number of dirty tricks people use to circumvent firewalls/networks,
and I strongly believe that it is better to hide your presence as best
as you can on a network.

Now I'm also keeping in mind that you are on a laptop with no remote
services. If you start allowing services, then that will change things.
If clients are going to be connecting to you for certain services, you
should be more accommodating to them and play nice with the network
where possible.

This is more of a personal preference thing.

>>> It feels like "security through obscurity".

I agree that it is "security through obscurity", but that's not a bad
thing. Relying on "security through obscurity" for protection is a bad
thing, but adding a layer of obscurity over a defense in depth strategy
is not.

>>> It may hamper the well-working of a TCP/IP network, as that relies
>>> heavily on ICMP.

On a server level, yes. But this is a client with no active/accessible
services. A server shouldn't rely on ICMP from a client, but the ICMP
packets from the server will be picked up by the RELATED flag on the
second rule, allowing the client to see the ICMP error from the server.

>> I was not really sure how to configure ICMP (ping) correctly. Any
>> input appreciated!
> That is really difficult, because ICMP is a family of lots of protocols,
> from which ping is just one. Others are important too, like telling
> routers/hosts about network congestion, and so on... I don't feel
> competent enough to give directions. I do always allow ping, as this is
> needed in a server environment to check for uptime, but your case may be
> different.

I agree with Daniel again. Unless you know what you are doing, blocking
ICMP is just going to cause problems. And I would argue that iptables is
not the tool to use, even if you know what you are doing. If you really
want to filter your ICMP packets, look to /proc/sys/net/ipv4/. The
kernel will give you some nice options that are a lot safer than an
iptables rule.

>>> Also: if you wish to scan (nmap) yourself to check your system
>>> (configuration), you'll wish for REJECT instead of DROP :)
>> You mean as the default policy?
> Yes, and also everywhere you use DROP. It's just that you'll have to
> wait less for timeouts when connecting to a closed port.

<segway>
I would recommend running nmap in crontab if you want to scan your
network (look up ndiff on nmap's website).
</segway>

> If you decide to go with DROP, then you could make it globally
> switchable in your script, to change between testing and production
> environment/situation.

This is great advice. You may not benefit much from it now with this
small script, but as it grows, you really want to keep this in mind. If
you modularize your tables, you can turn them on and off with a single
insert/delete rather than trying to insert/delete large blocks from the
rules, or worse, reloading the whole rule set.

Chris

P.S. Daniel, no offense taken. I enjoy these debates, it helps us think
differently and learn new tricks. If we are not challenged once in a
while we get complacent, and that's typically when we start making
mistakes.
From: Daniel Troeder @ 2009-04-27 18:56 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, 2009-04-24 at 16:28 -0500, Chris Frederick wrote:
> Now I'm also keeping in mind that you are on a laptop with no remote
> services. If you start allowing services, then that will change things.
> If clients are going to be connecting to you for certain services, you
> should be more accommodating to them and play nice with the network
> where possible.

I think you're right. I often tend to think in my "server/network admin
ways". For a notebook - possibly connecting to unknown, public networks,
it may be a good idea to stay "hidden".

> <segway>
> I would recommend running nmap in crontab if you want to scan your
> network (look up ndiff on nmap's website).
> </segway>

Oh cool - I didn't know about "ndiff". Fetching nmap from SVN now... :)

What does "segway" mean? I just found a "personal transporter" thingy
online...

> P.S. Daniel, no offense taken. I enjoy these debates, it helps us
> think differently and learn new tricks. If we are not challenged once
> in a while we get complacent, and that's typically when we start making
> mistakes.

nice :)

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
From: Alan McKinnon @ 2009-04-27 20:03 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Monday 27 April 2009 20:56:07 Daniel Troeder wrote:
> > <segway>
> > I would recommend running nmap in crontab if you want to scan your
> > network (look up ndiff on nmap's website).
> > </segway>
>
> Oh cool - I didn't know about "ndiff". Fetching nmap from SVN now... :)
>
> What does "segway" mean? I just found a "personal transporter" thingy
> online...

It's a typo, should have been "segue" which according to Wikipedia[1]
means "A segue is a smooth transition from one topic or section to the
next."

[1] http://en.wikipedia.org/wiki/Segue

--
alan dot mckinnon at gmail dot com
From: Marco @ 2009-04-24 18:18 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick <cdf123@cdf123.net> wrote:
> Marco wrote:
[...]
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP. Unless you are doing
> routing on your laptop, there's no reason to have it.

My thought here was to be able to perform some network maintenance task
using wireshark. I have forwarding disabled normally and I could just
'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is there
anything unsafe about this setup?

> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.

I was following
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
in section 'Handling rejection' of the article. I guess this is kind of
a philosophical question here...

> I would also re-write your INPUT chain to be a bit less verbose.
> Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target  prot opt in   out  source    destination
> ACCEPT  all  --  lo   any  anywhere  anywhere
> ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
> LOG     all  --  any  any  anywhere  anywhere  LOG level warning prefix `INPUT '

So basically not distinguishing between the external interfaces (eth0,
wlan0)?

> Everything else looks good from a security standpoint. From a
> performance standpoint, you might want to add a line to the beginning of
> your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target  prot opt in   out  source    destination
> ACCEPT  all  --  any  lo   anywhere  anywhere
> ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
> LOG     all  --  any  any  anywhere  anywhere  LOG level warning prefix `OUTPUT '
>
> This will log only NEW packets. Otherwise you could end up with a lot
> of log output.

That makes sense!

> After you run this for a while, go back and look through your logs and
> see if you have enough data there to change your OUTPUT chain to DROP,
> and only allow packets through to ports you actually use. That's only
> if you're really paranoid though.

Kind of paranoid, yes ;-)

[...]

Thanks for the tips!

--
Regards,
Marco
From: Marco @ 2009-04-24 18:26 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Is this firewall safe?

Hello again,

I took your considerations into account and changed my settings. Could
you please have a look again at the output of 'iptables -L -v' (in the
attachment for better formatting)? Thanks a lot!

--
Best regards,
Marco

Attachment: iptables-L-v.txt

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  lo   any  anywhere  anywhere
   30 18812 ACCEPT  all  --  !lo  any  anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  !lo  any  anywhere  anywhere  reject-with tcp-reset
    0     0 REJECT  udp  --  !lo  any  anywhere  anywhere  reject-with icmp-port-unreachable
    0     0 LOG     all  --  !lo  any  anywhere  anywhere  LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 LOG     all  --  any  any  anywhere  anywhere  LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 33 packets, 6039 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  any  lo   anywhere  anywhere
   33  6039 LOG     all  --  any  !lo  anywhere  anywhere  LOG level warning prefix `OUTPUT '
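An added example, not part of the thread: a small Python linter that parses `iptables -L -v` output and reports the points the replies above raise (FORWARD policy, duplicate rules, rules repeated per interface, a LOG rule that no RELATED,ESTABLISHED ACCEPT precedes so it logs every packet rather than only NEW ones, REJECT versus DROP, and the bootps drop). The sample inputs are Marco's original and revised listings from this thread; the check names, messages and the "! lo" merge heuristic are my own.

```python
"""Added example: lint `iptables -L -v` output for the points raised in this thread."""
import re
from collections import namedtuple

# Constructed sample input, copied from the ruleset Marco posted first (header line kept once).
ORIGINAL = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset
    0     0 REJECT udp -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
    0     0 DROP   udp -- eth0 any anywhere anywhere udp spt:bootps
    0     0 LOG    all -- eth0 any anywhere anywhere LOG level warning prefix `INPUT '
    1    79 ACCEPT all -- wlan0 any anywhere anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp -- wlan0 any anywhere anywhere reject-with tcp-reset
    0     0 REJECT udp -- wlan0 any anywhere anywhere reject-with icmp-port-unreachable
    0     0 DROP   udp -- wlan0 any anywhere anywhere udp spt:bootps
    0     0 LOG    all -- wlan0 any anywhere anywhere LOG level warning prefix `INPUT '
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 LOG    all -- any any anywhere anywhere LOG level warning prefix `FORWARD '
    0     0 LOG    all -- any any anywhere anywhere LOG level warning prefix `FORWARD '
Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
    0     0 ACCEPT all -- any lo anywhere anywhere
    0     0 LOG    all -- any eth0 anywhere anywhere LOG level warning prefix `OUTPUT '
    1    52 LOG    all -- any wlan0 anywhere anywhere LOG level warning prefix `OUTPUT '
"""
# Marco's revised ruleset from the end of the thread (column headers omitted).
REVISED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT all -- lo any anywhere anywhere
   30 18812 ACCEPT all -- !lo any anywhere anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp -- !lo any anywhere anywhere reject-with tcp-reset
    0     0 REJECT udp -- !lo any anywhere anywhere reject-with icmp-port-unreachable
    0     0 LOG    all -- !lo any anywhere anywhere LOG level warning prefix `INPUT '
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 LOG    all -- any any anywhere anywhere LOG level warning prefix `FORWARD '
Chain OUTPUT (policy ACCEPT 33 packets, 6039 bytes)
    0     0 ACCEPT all -- any lo anywhere anywhere
   33  6039 LOG    all -- any !lo anywhere anywhere LOG level warning prefix `OUTPUT '
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
Rule = namedtuple("Rule", "target proto in_if out_if extra")  # extra = match text after dst
Chain = namedtuple("Chain", "name policy rules")

def parse_iptables_lv(text):
    """Parse an `iptables -L -v` listing into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), m.group(2), [])
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        current.rules.append(Rule(f[2], f[3], f[5], f[6], f[9] if len(f) > 9 else ""))
    return chains

def lint(text):
    """Return the findings the replies in this thread would raise, one string each."""
    out = []
    for c in parse_iptables_lv(text).values():
        if c.name == "FORWARD" and c.policy != "DROP":
            out.append("FORWARD: policy %s; use DROP unless this host routes" % c.policy)
        keys = [(r.target, r.proto, r.in_if, r.out_if, r.extra) for r in c.rules]
        for k in sorted(set(k for k in keys if keys.count(k) > 1)):
            out.append("%s: duplicate %s rule" % (c.name, k[0]))
        # Chris's point: an early RELATED,ESTABLISHED ACCEPT leaves only NEW packets for LOG.
        first_log = next((i for i, r in enumerate(c.rules) if r.target == "LOG"), None)
        first_est = next((i for i, r in enumerate(c.rules)
                          if r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra), None)
        if c.name != "FORWARD" and first_log is not None and (
                first_est is None or first_est > first_log):
            out.append("%s: LOG not preceded by a RELATED,ESTABLISHED ACCEPT; it logs "
                       "every packet, not just NEW ones" % c.name)
        n = sum(r.target == "REJECT" for r in c.rules)
        if n:  # DROP vs REJECT is a judgement call in the thread, so this is informational
            out.append("%s: %d REJECT rule(s); DROP hides the host, REJECT is friendlier "
                       "to the network and to your own nmap checks" % (c.name, n))
        if any(r.target == "DROP" and "spt:bootps" in r.extra for r in c.rules):
            out.append("%s: DROP udp spt:bootps keeps DHCP server chatter out of the log; "
                       "confirm leases still renew" % c.name)
        # Eric's point: rules that differ only by interface collapse into one '! lo' rule.
        by_iface = {}
        for r in c.rules:
            if "lo" not in (r.in_if, r.out_if):
                by_iface.setdefault((r.target, r.proto, r.extra), set()).add((r.in_if, r.out_if))
        dup = sorted({k[0] for k, v in by_iface.items() if len(v) > 1})
        if dup:
            out.append("%s: %s repeated per interface; one rule on '! lo' covers them all"
                       % (c.name, ",".join(dup)))
    return out

if __name__ == "__main__":
    print("\n".join(lint(ORIGINAL) + ["-- revised --"] + lint(REVISED)))
```

Run against the revised listing it still reports the ACCEPT FORWARD policy and an OUTPUT chain that logs every outgoing packet, which is exactly what Chris's extra RELATED,ESTABLISHED rule in OUTPUT would fix.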