Re: iptables & tcp wrappers

From: TJ Easter (tjeaster_at_gmail.com)
Date: 10/11/04

  • Next message: Ben Nelson: "Idle session logout"
    Date: Mon, 11 Oct 2004 14:15:28 -0400
    To: focus-linux@securityfocus.com, bugtraq@planetcobalt.net
    
    

    On Mon, 4 Oct 2004 00:06:35 +0200, Ansgar -59cobalt- Wiechers
    <bugtraq@planetcobalt.net> wrote:
    > On 2004-09-28 TJ Easter wrote:
    > > I've found it quite helpful to create a shell script to load the
    > > firewall rules. The first line of the script blows away all rules
    > > (iptables -F), then it proceeds to load the rules below that.
    >
    > The first line(s) should define the default policy (most likely DROP),
    > before flushing the chains. Otherwise the box may be open until the
    > rules are defined.
    >
    >
    >
    > Regards
    > Ansgar Wiechers
    > --
    > "Those who would give up liberty for a little temporary safety
    > deserve neither liberty nor safety, and will lose both."
    > --Benjamin Franklin
    >

    Ansgar,
        The reason I chose to load allow rules, followed by an explicit
    deny all as opposed to a deny policy is as for simplicity. When you
    issue "iptables -F" on the command line, you get the expected "allow
    all" behavior instead of having to flush *and* reset the policy.

    Unless you have a pretty hefty ruleset, the window of opportunity
    would be very small. I have since closed this window while still
    keeping the expected "allow all" behavior when flushing the rules.
    The first rule is to set the policy to DROP, load all rules, then
    after the explicit "deny all" rule, set the policy back to ACCEPT.

    Again, the script is available at http://tje.ssllink.net/firewall.tar.gz .

    Let me know if you find any issue with this behavior.

    Regards,
    TJ Easter

    -- 
    "Television is not an education."
    http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E
    

  • Next message: Ben Nelson: "Idle session logout"

    Relevant Pages

    • Re: LSM conversion to static interface
      ... effective only after loading policy, ... as well first load a security module without making the system insecure. ... to have multiple "root" users with unique UIDs. ... Policy is dead simple since it is based on UIDs. ...
      (Linux-Kernel)
    • Re: Memory: By Slot
      ... > Clients will load new file at their next computer policy download & ... > (Actually they don't load the file, ... > into a wmi policy for them). ... > At the hardware inventory after they received the policy the inventory ...
      (microsoft.public.sms.inventory)
    • Re: Memory: By Slot
      ... Clients will load new file at their next computer policy download & ... At the hardware inventory after they received the policy the inventory ...
      (microsoft.public.sms.inventory)
    • Re: script to modify ntuser.bat of restricted user
      ... Not possible with login script, ... have the rights to modify the policy keys that intend to control it. ... > I need it to load the ntuser.dat to HKU for the user logging int hen ...
      (microsoft.public.windowsxp.security_admin)
    • Re: How to run shell script in 32 bit mode on 64 bit architecture
      ... So when i will start any shell script, ... shell script new process will be created and that process wil run in ... 64 bit and it wil also try to load libabc.so file,but libabc.so file ... This is not working on Red hat Operating system. ...
      (comp.unix.shell)