Re: iptables udp and output
From: /dev/rob0 (rob0_at_gmx.co.uk)
Date: 01/14/04
- Next message: Tim Haynes: "Re: Please help,,,execute chmod -R o-r / by mistake as a root user."
- Previous message: filgworth: "Re: Please help,,,execute chmod -R o-r / by mistake as a root user."
- In reply to: charly: "Re: iptables udp and output"
- Next in thread: Noi: "Re: iptables udp and output"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 14 Jan 2004 13:05:52 -0800
In article <400578c5$0$29076$636a55ce@news.free.fr>, charly wrote:
>>>INTERNET_SERVICES="25,110,119"
>>
>> SMTP, POP3 and NNTP ... open to the outside?
> Hu, not really : I think I've messed up there :) the goal is to be
> able to reach them in the output chain
If your machine is running no servers at all, providing NO services to
the outside world, you should not have ANY of these open ports. There is
a short and simple example which does just that in the Packet-Filtering-
HOWTO at www.netfilter.org. Start with that example, and build on as
needed.
>> Most people probably do not need to do filtering on OUTPUT. Why not
>> ACCEPT?
> I prefer to control what is allowed to get out, just in case I got trojanned
Fine in theory, but you're not likely to gain any real security from
this, and you WILL lose a lot of functionality. You cannot send any mail
using your MTA, for one thing. The one account you're allowing out is
the one most likely to be compromised, of course. And IMO that's not a
reasonable fear on GNU/Linux anyway.
>> Your variable names are misleading ... there is no distinction between
>> $INTERNET_SERVICES and $LOCAL_SERVICES. So you're also opening FTP and
>> SSH to the world.
> ftp and ssh are supposed to be open on my machine
Open to whom? If you want to "ftp localhost" (for whatever odd reason)
the "-i lo -j ACCEPT" rule covers that (assuming of course that you are
running an FTP daemon.)
You had both your $INTERNET_SERVICES and $LOCAL_SERVICES open to the
world. To me the variable names imply that the former set should be open
to the world and that the latter should be restricted to local machines.
Then you mentioned in reply that you're doing this for a standalone box,
with a single network connection.
>> You're running a DNS server for your domain? Are you sure you want this
> yes, But i specified the dns ip in my new version :)
Sorry, but the explanation is even less clear than before. :) Are you
talking about your ISP's nameserver IP? If so you'll be getting your
DNS query replies in under your RELATED,ESTABLISHED rule. The rule you
posted lets anyone in the world connect to a DNS server on your machine,
if in fact you are running one, which is what I was asking.
>> really need output filtering?
> I added it for root as well
Depending on your MTA (and if you use it?) you would still not be able
to send mail. I had assumed you're running an MTA because you did open
SMTP in the script you posted. I use postfix, and that's the name of the
user who would try to make connections to foreign SMTP servers.
Letting root out ... I still don't see any security benefit, and you're
still going to have usability issues. IIRC I read that some packet types
can't be traced to a process owner, and those are dropped.
Again I suggest giving up the output filtering. I only use it at
customer sites where the bosses are trying to prevent unmotivated
employees from having Internet access. :) You WANT to have Internet
access, yourself!
-- /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net or put "not-spam" or "/dev/rob0" in Subject header to reply
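An added example (not from /dev/rob0, charly, or the netfilter HOWTO) of the ruleset shape the reply argues for: a standalone box with one interface, INPUT policy DROP, loopback and ESTABLISHED,RELATED accepted first so DNS replies and other return traffic need no inbound port rules, OUTPUT left at ACCEPT, and a real distinction between services open to the world and services restricted to the local network. The interface name eth0, the LAN range 192.168.1.0/24 and the default service lists are assumed values; IPT defaults to a dry run that prints the commands instead of applying them, so the script can be read and checked before anyone runs it as root with IPT=iptables.

```shell
#!/bin/sh
# Minimal stateful ruleset for a standalone, single-interface machine.
# Example code, not from the original thread. IPT defaults to a dry run
# that prints the commands; set IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Constructed example values (assumptions): the interface, the local
# network, and which TCP services are public vs. LAN-only.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
INTERNET_SERVICES="${INTERNET_SERVICES:-}"   # nothing public by default
LOCAL_SERVICES="${LOCAL_SERVICES:-22}"       # SSH, reachable from the LAN only

base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT      # no output filtering, as the reply suggests
    $IPT -F INPUT
    # Loopback traffic, which also covers "ssh localhost" and friends.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened, including the DNS answers
    # from whatever resolver it queried, come in here: no inbound port 53
    # rule is needed unless you actually run a nameserver for others.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Open each TCP port in the comma-separated list $2 to the source $1.
# An empty $1 means "anyone on the Internet"; otherwise $1 is a CIDR range.
open_tcp_ports() {
    src="$1"
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | tr ',' '\n' | while read -r p; do
        if [ -n "$src" ]; then
            $IPT -A INPUT -i "$WAN_IF" -s "$src" -p tcp --dport "$p" \
                -m state --state NEW -j ACCEPT
        else
            $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$p" \
                -m state --state NEW -j ACCEPT
        fi
    done
}

build_rules() {
    base_rules
    open_tcp_ports ""         "$INTERNET_SERVICES"   # world-reachable
    open_tcp_ports "$LAN_NET" "$LOCAL_SERVICES"      # LAN-only
}

# Sanity check for the dry run: how many INPUT ACCEPT rules for TCP port $1
# carry no "-s" source restriction, i.e. are open to the whole Internet.
# Anything listed only in LOCAL_SERVICES must report 0 here.
count_world_open() {
    build_rules | grep -- "--dport $1 " | grep -v -- '-s ' | wc -l | tr -d ' '
}

build_rules
```

Run it once with the default dry run and read the printed rules; `count_world_open 22` should report 0 as long as SSH stays in LOCAL_SERVICES, and moving a port into INTERNET_SERVICES is the only way to make it reachable from outside the LAN.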