From: Marco <listworks@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Is this firewall safe?
Date: Fri, 24 Apr 2009 18:18:23 +0000 [thread overview]
Message-ID: <93d30e950904241118y2af141b2ndba34f9716e3820e@mail.gmail.com> (raw)
In-Reply-To: <49F1F017.10302@cdf123.net>
On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick <cdf123@cdf123.net> wrote:
> Marco wrote:
[...]
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP. Unless you are doing
> routing on your laptop, there's no reason to have it.
My thought here was to be able to perform some network maintanance
task using wireshark. I ave forwarding disabled normally and I could
just 'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is
there anything unsafe about this setup?
> I would also get rid of the REJECT targets. It's better to DROP
> instead. If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.
I was following
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
in section 'Handling rejection' of the article. I guess this is kind
of a philosophical question here...
> I would also re-write your INPUT chain to be a bit less verbose.
> Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target prot opt in out source destination
> ACCEPT all -- lo any anywhere anywhere
> ACCEPT all -- any any anywhere anywhere state
> RELATED,ESTABLISHED
> LOG all -- any any anywhere anywhere LOG level warning
> prefix `INPUT '
So basically not distinguishing between the external interfaces (eth0, wlan0)?
> Everything else looks good from a security standpoint. From a
> performance standpoint, you might want to add a line to the beginning of
> your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target prot opt in out source destination
> ACCEPT all -- any lo anywhere anywhere
> ACCEPT all -- any any anywhere anywhere state
> RELATED,ESTABLISHED
> LOG all -- any any anywhere anywhere LOG level warning
> prefix `OUTPUT '
>
> This will log only NEW packets. Otherwise you could end up with a lot
> of log output.
That makes sense!
> After you run this for a while, go back and look through your logs and
> see if you have enough data there to change your OUTPUT chain to DROP,
> and only allow packets through to ports you actually use. That's only
> if you're really paranoid though.
Kind of paranoid, yes ;-)
[...]
Thanks for the tips!
--
Regards,
Marco
next prev parent reply other threads:[~2009-04-24 18:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-24 15:28 [gentoo-user] Is this firewall safe? Marco
2009-04-24 16:59 ` Eric Martin
2009-04-24 17:53 ` Marco
2009-04-27 19:35 ` Eric Martin
2009-04-24 17:00 ` Chris Frederick
2009-04-24 17:05 ` Hazen Valliant-Saunders
2009-04-24 18:20 ` Marco
2009-04-24 17:23 ` Daniel Troeder
2009-04-24 18:40 ` Marco
2009-04-24 19:38 ` Daniel Troeder
2009-04-24 21:28 ` Chris Frederick
2009-04-27 18:56 ` Daniel Troeder
2009-04-27 20:03 ` Alan McKinnon
2009-04-24 18:18 ` Marco [this message]
2009-04-24 18:26 ` Marco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=93d30e950904241118y2af141b2ndba34f9716e3820e@mail.gmail.com \
--to=listworks@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox