Re: Building a sound firewall...
From: DD (dd2@nospam.eircom.net) Date: 11/04/02
- Next message: lee: "update to using linux for security at work??"
- Previous message: dwij: "md5 and crypt relations???"
- In reply to: David Means: "Re: Building a sound firewall..."
- Next in thread: Fredderic: "Re: Building a sound firewall..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "DD" <dd2@nospam.eircom.net> Date: Mon, 4 Nov 2002 12:08:56 -0000
iptables is very powerful and in most cases a lot of the facilities are not
needed (especially output filtering).
Depending on how specific you want your firewall rules to be you may or may
not need many features.
A suggested way of looking at your firewall configuration is as follows:
1. set default for INPUT, FORWARD, OUTPUT to DROP
2. now decide what external services (e.g. DNS, SMTP, HTTP, HTTPS, TCP, SSH,
ping (and other ICMP)) you will need to access and add rules to allow their
replies through to you (you will need to use the state matching feature to
only allow replies to your connections)
3. decide if you want to filter outgoing packets or let everything out. I
filter outgoing packets to match my input rules so that if my box is hacked
and some malware is trying to send out packets I'll detect and stop it. If
you do OUTPUT filtering remember that the state of your connections is NEW
(while in the input rules the state should not be).
4. determine if you need forwarding (i.e. your box is acting as a router)
and add rules to the FORWARD chain (which may involve masquerading or NAT
rules)
5. at the end of each chain of rules (INPUT, OUTPUT, FORWARD) add a rule to
log packets so that you have a record of the packets that your firewall has
rejected.
This is a very crude explanation and undoubtedly I've left out important
details. The iptables how-to is a great source of information. See
www.linuxdoc.org
Hope this helps,
Dermot.
"David Means" <dmeans@the-means.net> wrote in message
news:pan.2002.11.01.21.14.25.951331.1758@the-means.net...
> On Wed, 30 Oct 2002 20:38:33 -0500, Warren E Bullock III wrote:
>
> > I have just started working with ipchains and eventually plan to migrate
> > to iptables. The problem that I am having is this: How does one know
> > what to filter out? Is there a resource that provides theories and
> > methods to model against? One method that I am thinking about following
> > is one where I deny all packets coming from the eth0 interface and only
> > allow the lo interface. As services come up that I need to use then I
> > will accept packets for them. Any suggestions? Also is it advisable to
> > just use the ipchains-save command to append new rules or can I just
> > edit the ipchains file directly?
> >
> > -Warren Bullock III
> > wbullock@twcny.rr.com
>
> Why worry about what to filter out, when all you need to do is worry
> about what filters in?
>
> Configure your firewall's default action to deny. Then add rules to
> allow the services you're interested in. The O'Reilly book, "Linux
> Firewalls" has much of the needed information for such a configuration.
>
> David
>
>
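Dermot's five steps written out as an iptables rule set, as an added example that is not from the post or the thread. It assumes a single host (no forwarding) whose only external interface is eth0, takes the service list from step 2, and only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: Dermot's five steps as an iptables rule set for a single
# host (no forwarding). Assumptions not in the post: eth0 is the external
# interface; the service list is the one given in step 2.
# By default the rules are only printed; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"

build_rules() {
    # 1. flush, then default every built-in chain to DROP
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # loopback stays open (Warren's "only allow lo" starting point)
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 2. inbound: only replies to connections this box opened, via state
    #    matching; NEW is deliberately absent here
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. outbound: mirror of the inbound rules; here the state IS NEW, since
    #    this box starts the connection. Anything else a compromised process
    #    tries to send falls through to the log rule and the DROP policy.
    for port in 53 25 80 443 22; do       # DNS SMTP HTTP HTTPS SSH
        $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --dport 53 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p icmp --icmp-type echo-request \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # 4. not a router: FORWARD is left at its DROP policy with no rules

    # 5. last rule in each chain logs what is about to hit the DROP policy;
    #    the limit match keeps a flood from filling the log
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min \
            -j LOG --log-prefix "fw-$chain-drop: "
    done
}

build_rules
```

Run it once as is to review the generated rules, then `IPT=iptables sh` the script as root; the logged lines show up in the kernel log with the fw-CHAIN-drop prefix.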