Re: Clever firewall rules

From: Hal Flynn (flynn@securityfocus.com)
Date: 09/17/01


Date: Sun, 16 Sep 2001 19:36:10 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <Pine.GSO.4.30.0109161925000.27441-100000@mail>


> Indeed he did, and in fact that is where I gleaned a lot of
> my rules from. I think the problem with Hal's efforts were
> that he posted a huge list of everybody's rules, not many
> people read through it all. I did, though, and I took all the
> rules that I liked.

It was indeed a large list. I've considered putting them up in the Linux
Focus Area for everybody to browse and download. Anybody have any
thoughts on that? If you'd like to see it, let me know directly (versus
posting to the list).

I'd like to apologize for not asking about this sooner. I'd planned on
doing it when I got home last week. However, since the WTC incident, I've
been a tad stranded outside of the country. My 2nd flight attempt home
this afternoon was cancelled. While this isn't an excuse, I'm sure you
can gather where my priorities have been. Please bear with me.

> I think it would be better if we compiled a list of good rules,
> not a compilation of everybody's rulesets :)

I wanted to make a comment on this. I don't know who made the quote...it
came up last week though. "There are no silver bullets." A good ruleset
is a ruleset that's designed to fit your site's security and business
needs, while not restricting usability to the point of being detrimental
to progress.

Sure, there are a few standard things you can do with a firewall ruleset
that are common across all machines/firewalls/platforms. However, the
truth of the matter is it's impossible to generalize on a firewall
ruleset, as the resources and requirements of each organization have a
variance factor similar to that of people and personalities.

So, if you guys are interested in seeing these rulesets in the focus area,
let me know directly. I'll break off each one into its own separate
file, as well as put a compilation of them up.

Hal Flynn
Sun/Linux Focus Area Manager
SecurityFocus

"Work makes life sweet."
