Re: is this a secure iptables?
- From: Jens Thiele <karme@xxxxxxxxxx>
- Date: Fri, 22 Feb 2008 00:13:21 +0100
elh.maayan@xxxxxxxxx writes:
On Feb 20, 7:14 pm, goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
correction: if you enable NBT over tcp/ip you can close down
port 445 as well ...
thanks, other than that, it looks ok?
I did not really look at your rules. But if you use connection tracking
you might wish to drop invalid packets first (see man
iptables). Additionally if you don't use ipv6, disable it. If you use it
or don't want to disable it you might wish to use ip6tables.
The safest bet is to have only processes listening you really need
(maybe bind to specific address/localhost - check with netstat and also
use the access restrictions provided by those processes).
Read some more documentation (especially about connection tracking) and
maybe take a look at what the others do, e.g. there are some helpers out
there to create your rules. (maybe shorewall)
Last but not least you can use tools like nmap to test your rules.
After a quick look at your rules:
- I don't really understand what's the intent of your "okay" chain.
- to detect problems it is often useful to log the packets you drop
(maybe rate limited)
- don't accept packets with local addresses from external interfaces
(or generally don't accept packets with source addresses you don't
expect on that interface)
Hope that helps
PS: don't overestimate the effect of firewall rules for overall security.
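An added example, not part of the thread: a small POSIX shell script that emits an iptables-restore ruleset applying the points above (drop INVALID packets first, rate-limited logging of drops, no loopback or private source addresses from the external interface, only the services really needed). The external interface eth0, the LAN 192.168.1.0/24 and SSH as the single exposed service are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that applies the advice in the reply:
# drop INVALID first, log drops rate-limited, refuse spoofed sources on the
# external interface, accept only the services really needed.
# Assumed (not from the thread): external interface eth0, LAN 192.168.1.0/24,
# SSH as the only exposed service.  Load with: sh fw.sh | iptables-restore
gen_rules() {
    wan="$1"      # external interface
    lan_net="$2"  # internal network allowed to reach sshd
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Connection tracking: packets belonging to no known connection (bad TCP
# flags, out-of-window, ...) are dropped before any ACCEPT rule is reached.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback and private (RFC 1918) source addresses never
# legitimately arrive on the external interface.
-A INPUT -i $wan -s 127.0.0.0/8 -j LOGDROP
-A INPUT -i $wan -s 10.0.0.0/8 -j LOGDROP
-A INPUT -i $wan -s 172.16.0.0/12 -j LOGDROP
-A INPUT -i $wan -s 192.168.0.0/16 -j LOGDROP
# Only what is really needed: new SSH connections from the LAN.
-A INPUT -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is logged (rate limited so a flood of junk cannot fill
# the log) and dropped.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

gen_rules "${1:-eth0}" "${2:-192.168.1.0/24}"
```

Check the result with `iptables -L -v -n` after loading and, as the reply suggests, scan the host with nmap from the outside to confirm only port 22 from the LAN answers.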