From: Marco
To: gentoo-user@lists.gentoo.org
Date: Fri, 24 Apr 2009 18:18:23 +0000
Subject: Re: [gentoo-user] Is this firewall safe?
In-Reply-To: <49F1F017.10302@cdf123.net>
Message-ID: <93d30e950904241118y2af141b2ndba34f9716e3820e@mail.gmail.com>

On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick wrote:
> Marco wrote:
[...]
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP.  Unless you are doing
> routing on your laptop, there's no reason to have it.

My thought here was to be able to perform some network maintenance tasks
using wireshark. I have forwarding disabled normally and I could just
'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is there
anything unsafe about this setup?

> I would also get rid of the REJECT targets.  It's better to DROP
> instead.  If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.

I was following
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
in section 'Handling rejection' of the article. I guess this is kind of a
philosophical question here...

> I would also re-write your INPUT chain to be a bit less verbose.
> Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target     prot opt in     out     source    destination
> ACCEPT     all  --  lo     any     anywhere  anywhere
> ACCEPT     all  --  any    any     anywhere  anywhere   state RELATED,ESTABLISHED
> LOG        all  --  any    any     anywhere  anywhere   LOG level warning prefix `INPUT   '

So basically not distinguishing between the external interfaces (eth0, wlan0)?

> Everything else looks good from a security standpoint.  From a
> performance standpoint, you might want to add a line to the beginning of
> your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target     prot opt in     out     source    destination
> ACCEPT     all  --  any    lo      anywhere  anywhere
> ACCEPT     all  --  any    any     anywhere  anywhere   state RELATED,ESTABLISHED
> LOG        all  --  any    any     anywhere  anywhere   LOG level warning prefix `OUTPUT  '
>
> This will log only NEW packets.  Otherwise you could end up with a lot
> of log output.

That makes sense!

> After you run this for a while, go back and look through your logs and
> see if you have enough data there to change your OUTPUT chain to DROP,
> and only allow packets through to ports you actually use.  That's only
> if you're really paranoid though.

Kind of paranoid, yes ;-)

[...]

Thanks for the tips!

-- 
Regards,
Marco
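The ruleset the reply sketches (FORWARD policy DROP, INPUT accepting loopback and RELATED,ESTABLISHED before a LOG rule so only NEW flows are logged, the same shape on OUTPUT) written out as an iptables-restore file, plus a check of the ip_forward sysctl Marco mentions. This is an added example, not code from the thread or from the Gentoo article; the log prefixes, the rate limit on the LOG rules, the ICMP reject type and the option to pick DROP or REJECT as the final INPUT disposition are assumptions of the example. The generator only prints the ruleset, so it can be reviewed (or diffed against `iptables-save`) before anything is loaded; `fw_apply` needs root.

```shell
#!/bin/sh
# Added example: assemble the stateful ruleset discussed above in
# iptables-restore format. Interface-agnostic on purpose (eth0 and wlan0
# get the same treatment), as the reply suggests.

# gen_rules [drop|reject]
# Print the ruleset to stdout. The argument selects the final INPUT
# disposition: "drop" (silent, the reply's recommendation) or "reject"
# (the Gentoo article's "Handling rejection" approach). Default: drop.
gen_rules() {
    disp=${1:-drop}
    case "$disp" in
        drop)   final="-A INPUT -j DROP" ;;
        reject) final="-A INPUT -j REJECT --reject-with icmp-port-unreachable" ;;
        *)      echo "gen_rules: unknown disposition '$disp'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always trusted.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, on any interface.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Whatever reaches this point is NEW or INVALID: log it (rate-limited,
# an assumption of this example, so a scan cannot flood syslog), then
# apply the chosen final disposition.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT " --log-level warning
$final
# OUTPUT: accept loopback and already-tracked traffic first, so the LOG
# rule sees only NEW outbound flows (the "performance" point above).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT " --log-level warning
COMMIT
EOF
}

# ip_forward_enabled [path]
# True (exit 0) when IPv4 forwarding is switched on. The optional path
# argument exists so the check can be exercised against a file other
# than the real sysctl.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# fw_apply [drop|reject]
# Load the generated ruleset atomically with iptables-restore (root only).
fw_apply() {
    gen_rules "$@" | iptables-restore
}
```

Usage: `gen_rules > /tmp/fw.rules` to inspect, `fw_apply` (or `fw_apply reject`) to load. Note that the FORWARD policy is DROP regardless of the sysctl: flipping `ip_forward` to 1 for a capture session does not by itself let packets through this ruleset, so `ip_forward_enabled` is useful as a reminder to turn the sysctl back off afterwards.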