Re: Clever Firewall Rules, Second Edition
From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 09/18/01
- Previous message: Seth Arnold: "Re: Fw: Re[2]: FW: Linux server as it own firewall"
- In reply to: Pedro Miller Rabinovitch: "Re: Clever Firewall Rules, Second Edition"
- Next in thread: Jose Nazario: "Re: Clever Firewall Rules, Second Edition"
- Reply: Jose Nazario: "Re: Clever Firewall Rules, Second Edition"
Date: Mon, 17 Sep 2001 21:30:21 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: Bugtraq - Focus Linux <focus-linux@securityfocus.com>
Subject: Re: Clever Firewall Rules, Second Edition
Message-ID: <Pine.LNX.4.33L2.0109172115120.2845-100000@feztron.ath.cx>
On Mon, 17 Sep 2001, Pedro Miller Rabinovitch (dis)graced my inbox with this:
> Don't mean to be picky, Rob, but... You're (of course) still
> vulnerable to slow scanning (such as in large, widespread, interleaved
> random scans)... Also, I'd think most attackers are out for certain
> ports. But you *are* correct, it *does* reduce your opening for
> scanning a lot. (It's just me -- whenever anyone states something with
> "invulnerable to ANY" or "never fails" I feel itchy. ;) )
Yes, of course, slow scanning can still get me - but honestly, unless the
attacker was dedicated to attacking me specifically, who has the time or
the patience for slow scans like that? Besides, my host is only online
about 6 hours per day, I think I'm safe :)
> >twice. Anybody scanning me would be led to believe that I have ports that
> >randomly flicker between being closed and filtered, which makes no sense,
> >and I find that funny :)
>
> This should be interesting to watch. Mind if I scan you later, show
> it to my kids? ;)) (j/k)
Lol, sure. If I finish answering my email today, I'm going to try to
implement a few rules that I've been thinking about - they'd allow the SYN
limiting to take effect, but they'd also filter the closed ports.
> >Another note about these rules: They open me up to a kind of DoS attack.
>
> YES. Quite. Which is the main reason I'd recommend *against* the rules...
I should specify - it's nothing that will harm my system. The problem is,
somebody that is SYN scanning me will hog all the SYN packets that get
accepted, so that other people trying to connect to me won't get through,
which is why I used REJECT for this rule instead of DROP. Since my server
is really low traffic, I'm not terribly worried about that.
In my mind, for my server, obscuring myself from SYN scans is more
important than letting everybody on earth connect to my website every time
they want to.
> That could be done with portsentry-like tools or even a simple
> script, BUT... As always, every time one raises that issue, I have to
> say -- "watch out for spoofs!". If anyone spoofs a host you need to
> have contact with (think root DNS servers, clients, suppliers),
> you'll ban them.
That is true, but I don't think anybody falls into that category for me,
though.
> >Some simple rules. The first two limit the amount of incoming pings I can
> >receive. That way, I can still be pinged for diagnostic reasons, but I am
> >protected from ping floods. The third simply accepts all other ICMP types,
>
> This is good stuff.
Thanks.
> >* iptables -A INPUT -i eth0 -j DROP
> >
> >I just threw in this rule because it looked like the INPUT table was
> >actually just rejecting unmatched packets, instead of actually dropping
> >them.
>
> The other reason for this rule would be to explicitly log rejects, if
> not configured otherwise.
Yeah, but then anybody who wanted to flood my logs with pointless crap
could FIN scan me over and over and over - and you said you were against
DoS attacks! :)
--
Rob 'Feztaa' Park
fezziker@home.com
ICQ#: 49781692
:wq!
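To make the trade-off discussed in this thread concrete, here is an added simulation (not code from the thread or from anyone's ruleset) that models an iptables `-m limit` SYN-accept rule as a token bucket (`--limit` average refill rate, `--limit-burst` bucket size) with an excess rule of either REJECT or DROP. The ports, the listening set and the interleaved scanner/client traffic are constructed, and the 100 packets/s scanner rate and 1/s limit are assumptions chosen to show the starvation effect.

```python
"""Token-bucket model of an iptables '-m limit' SYN rule plus an excess
target.  Shows (a) a SYN scanner exhausting the bucket so a legitimate
client's SYN to a listening port gets the excess treatment, and (b) how
the scanner's view differs under REJECT (fast 'closed') and DROP
('filtered').  All traffic below is constructed for the illustration."""

LISTENING = {22, 80}  # constructed: ports that actually have a service


class LimitMatch:
    """Token bucket with the semantics of iptables' limit match."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def match(self, now):
        # refill since the last packet, capped at --limit-burst
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def firewall(syns, rate_per_sec, burst, excess):
    """syns: (time, src, dport) tuples sorted by time.  excess is the
    target for SYNs that exhaust the limit: 'REJECT' or 'DROP'.
    Returns (src, dport, what_the_sender_observes)."""
    bucket = LimitMatch(rate_per_sec, burst)
    out = []
    for t, src, dport in syns:
        if bucket.match(t):                      # ACCEPT: the TCP stack answers
            seen = "open" if dport in LISTENING else "closed"
        elif excess == "REJECT":                 # RST / ICMP unreachable: fast fail
            seen = "closed"
        else:                                    # DROP: silence, looks filtered
            seen = "filtered"
        out.append((src, dport, seen))
    return out


def views(excess, rate_per_sec=1.0, burst=5):
    """Scanner sends one SYN every 10 ms to ports 1..40 (constructed);
    a real client sends a single SYN to port 80 at t = 0.25 s.
    Returns (what the client sees, {port: what the scanner sees})."""
    scan = [(i * 0.01, "scanner", i + 1) for i in range(40)]
    rows = firewall(sorted(scan + [(0.25, "client", 80)]), rate_per_sec, burst, excess)
    client = [s for src, _, s in rows if src == "client"][0]
    scanner = {p: s for src, p, s in rows if src == "scanner"}
    return client, scanner
```

With a 5-token burst the scanner's first five SYNs are accepted and every later one, including the legitimate client's SYN to the listening port 80, falls through to the excess rule; REJECT at least makes that failure immediate rather than a timeout.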