Re: Clever Firewall Rules, Second Edition

From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 09/18/01


Date: Mon, 17 Sep 2001 21:59:57 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: Focus-Linux <focus-linux@securityfocus.com>
Subject: Re: Clever Firewall Rules, Second Edition
Message-ID: <Pine.LNX.4.33L2.0109172154340.3230-100000@feztron.ath.cx>

On Mon, 17 Sep 2001, T.J. Eckleberg (dis)graced my inbox with this:

> Every rule after this that ends with "-j DROP" is pointless. The whole
> idea of a default deny firewall is to set the policy to DROP, and then
> only have rules for datagrams that you want to do something different to
> (i.e. allow, send icmp_unreachable, etc). This allows the fewest number of
> rules, thus less complexity and easier troubleshooting.

Not necessarily. A lot of the "accept" rules will accept bad packets that
need to be dropped beforehand. If anything is true, it is only the DROP
rules which do not occur before any ACCEPT rules that I can lose.

But don't fret, I'm still refining my firewall.

> I highly recommend the Oreilly book Building Internet Firewalls. Great
> conceptual and practical info, plus the newest edition was published
> within the last year so it's pretty current.

I'll look into it. Right now I'm in the middle of Hacking Linux Exposed,
which is a good security book so far. It focuses more on application-layer
hardening though, I haven't seen much mention of firewalls so far.

-- 
Rob 'Feztaa' Park
fezziker@home.com
ICQ#: 49781692
:wq!
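The disagreement above is really about first-match semantics: with a chain policy of DROP, a DROP rule placed after the last ACCEPT can never change a verdict, but a DROP rule placed before an ACCEPT (anti-spoofing, conntrack INVALID) pre-empts it and is not redundant. The following model, added here as an illustration and not part of the original thread or anybody's real ruleset, walks constructed packets through two orderings of the same iptables-style rules and reports which DROP rules are dead. The interface name, the 192.168.0.0/16 anti-spoof range and the packets are assumptions made up for the example; the iptables command strings are only labels, nothing here touches a real netfilter table.

```python
"""
Model of netfilter first-match evaluation on the INPUT chain.

Added example, not code from the original post. It shows why a DROP rule that
sits before an ACCEPT still matters under a default DROP policy, while a DROP
rule that sits after the last ACCEPT is dead weight. Interface names, the
anti-spoof range and the sample packets are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    text: str                        # iptables-style label, for reporting only
    match: Callable[[Packet], bool]  # the match criteria
    target: str                      # "ACCEPT" or "DROP"


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; if nothing matches the chain policy applies."""
    for rule in rules:
        if rule.match(pkt):
            return rule.target
    return policy


def dead_rules(rules: List[Rule], policy: str = "DROP") -> List[str]:
    """Rules whose target equals the chain policy and that come after the last
    rule with a different target. Any packet reaching them would hit the policy
    anyway, so they can be deleted without changing a single verdict."""
    last_other = max((i for i, r in enumerate(rules) if r.target != policy), default=-1)
    return [r.text for i, r in enumerate(rules) if i > last_other and r.target == policy]


PRIVATE = ip_network("192.168.0.0/16")   # assumed range that must never arrive on eth0


def build_ruleset(antispoof_first: bool = True) -> List[Rule]:
    """Same rules, two orderings: anti-spoof DROP before or after the ACCEPTs."""
    antispoof = Rule("-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP",
                     lambda p: p.iface == "eth0" and ip_address(p.src) in PRIVATE, "DROP")
    rules = [
        Rule("-A INPUT -m state --state INVALID -j DROP",
             lambda p: p.state == "INVALID", "DROP"),
        Rule("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        Rule("-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT",
             lambda p: p.proto == "tcp" and p.dport == 22 and p.state == "NEW", "ACCEPT"),
        Rule("-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT",
             lambda p: p.proto == "tcp" and p.dport == 80 and p.state == "NEW", "ACCEPT"),
        Rule("-A INPUT -j DROP", lambda p: True, "DROP"),   # redundant under policy DROP
    ]
    if antispoof_first:
        rules.insert(0, antispoof)
    else:
        rules.insert(len(rules) - 1, antispoof)   # after the ACCEPTs: too late to help
    return rules


# Constructed sample traffic (documentation/private addresses, not captured data).
SPOOFED = Packet("eth0", "192.168.1.5", "tcp", 22, "NEW")     # private source on the outside
LEGIT_SSH = Packet("eth0", "203.0.113.7", "tcp", 22, "NEW")
TELNET = Packet("eth0", "203.0.113.7", "tcp", 23, "NEW")      # nothing accepts it: policy DROP


if __name__ == "__main__":
    for label, order in (("anti-spoof first", True), ("anti-spoof last", False)):
        rules = build_ruleset(order)
        print(f"[{label}] spoofed ssh -> {evaluate(rules, SPOOFED)}, "
              f"legit ssh -> {evaluate(rules, LEGIT_SSH)}, telnet -> {evaluate(rules, TELNET)}")
        print("  dead rules:", dead_rules(rules))
```

With the anti-spoof rule first the spoofed packet is dropped and only the trailing "-A INPUT -j DROP" is reported dead; with it placed after the ACCEPTs the spoofed packet is accepted by the port 22 rule and the anti-spoof rule itself joins the dead list. That is the distinction being drawn above: the DROP rules worth keeping are exactly the ones that sit before some ACCEPT.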