Re: Linux server as it own firewall

From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 09/15/01


Date: Fri, 14 Sep 2001 18:57:41 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: <focus-linux@securityfocus.com>
Subject: Re: Linux server as it own firewall
Message-ID: <Pine.LNX.4.33L2.0109141844460.1194-100000@feztron.ath.cx>

On Fri, 14 Sep 2001, Luciano Miguel Ferreira Rocha (dis)graced my inbox...:

> The firewall needn't protect against bad traffice, the kernel already
> does that.Also, your firewall rules may protect you from a FIN/NUL/XMAS
> portscan, but does not protect you against the more normal SYN and
> connect(2) scans.

The kernel does that? I wasn't aware that the kernel did anything with the
packets (aside from assembling fragments) without iptables rules in place.

> I'm still to find a daemon that doesn't have an option to bind(2) only to
> localhost/127.0.0.1 or that I couldn't change the source in order to make
> it bind to a specific address.
>
> However, I do agree that it's easier to use a firewall to controll the open
> ports, but then you also have a problem in some protocols that related
> connections are hard to keep track of.

True, some services have nonstatic ports, but I don't use them so I don't
have to worry about stuff like that.

> Yes, that is very usefull, but you're forgetting the trojan as in most cases
> ilimited access to the machine, so it may be able to disable the firewall or
> to disguise as a normal apllication connecting to a web server, for example.

True, a trojan could take out the firewall, but how many trojans are that
smart? Most, if not all trojans that I have seen simply open a port to
allow access to an attacker. The trojan might take out the firewall, but
the trojan also might not, and that means the firewall is still useful.

> But the world isn't a perfect one, that's why we have the need for firewalls,
> hids, nids, etc. The point is to have adicional redundant security, either
> to protect our server or to protect others servers in the case it becames
> compromised

Yes, exactly. Firewalls are not the be-all, end-all security measure. They
are simply an added layer of security, a tool of redundancy to slow down
and deter hackers.

-- 
Rob 'Feztaa' Park
fezziker@home.com
ICQ#: 49781692
:wq!