Mailing List Archive


RE: Firewall setting




This firewall looks kind of insecure to me.  Why would you set the default
policies on all three chains to ACCEPT?!  That seems like bad practice,
then specifically denying things... eek.

Usually a firewall will deny all/all by default, and then you tell it
specifically what you want to ALLOW.  Although with ipchains being more of a
packet filter than a firewall, maybe some concessions need to be made.

HOWEVER - all of you doing Linux-as-a-firewall should really go over to the
2.4 kernel and use iptables.  That gives you a real "stateful" firewall, and
iptables even has an almost-identical-to-ipchains commandline syntax.  Plus
iptables can do neat stuff like static NAT, which ipchains cannot do, to my
knowledge.

> -----Original Message-----
> From:	Jonathan Q [SMTP:jq@example.com]
> Sent:	Monday, April 30, 2001 1:24 PM
> To:	tlug@example.com
> Subject:	Re: Firewall setting
> 
> P.S.  This is my /etc/sysconfig/ipchains:
> 
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> #       firewall; such entries will *not* be listed here.
> :input ACCEPT
> :forward ACCEPT
> :output ACCEPT
> -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
> -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
> -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
> -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
> -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
> 
> The first rule allows tcp port 25 (smtp)
> The second allows tcp port 22 (ssh)
> The third probably allows everything on loopback (just a guess,
> I haven't read the docs myself).
> 4 rejects everything <1023 tcp
> 5 rejects 2049 tcp
> 6 rejects everything <1023 udp
> 7 rejects 2049 udp
> 8 rejects 6000-6009 tcp (X uses these ports)
> 9 rejects 7100 tcp (don't know what that is offhand).
> 
> This is the medium security firewalling in Red
> Hat 7.1, plus my customizations to allow 25 and 22.
> 
> These rules operate on a first-match-exits principle,
> so if an ssh connection comes in, all rules after 
> the second one will not be processed.  If an http
> connection comes in, it will get as far as rule 4, 
> which will match it as a reject (80 tcp).  
> 
> Ordering is important; if the rules allowing 22 and 25
> were positioned after rule 4, 22 and 25 would still
> be filtered because the rejection of 0-1023 tcp would
> come first, 22 and 25 would match, and rule processing
> would exit.
> 
> So if you write your own, the quick and dirty is to put
> your accepts first.  If you anticipate most of your
> traffic to be port 80 tcp (http), put that one ahead of
> port 22.  You should be able to just copy the rule
> allowing 22 or 25 in the ruleset above and change the 
> port to 80 if you want to allow http connections to your
> box.  But do read the docs anyway, and don't believe anything
> I've said here until you've verified it :-)
> 
> Jonathan
> 
> -----------------------------------------------------------------------
> Next Technical Meeting:  Sat, May 12 13:30- 
> Next Nomikai Meeting:    Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
> -----------------------------------------------------------------------
> more info: http://www.tlug.gr.jp           Sponsor: Global Online Japan
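The first-match ordering and default-policy behaviour discussed in both messages above, as an added example that is not part of either post: a small Python evaluator for the lokkit ruleset Jonathan pasted. It understands only the options that ruleset uses (-A, -s and -d with an optional port or port range, -p, -i, -y and -j) and a single chain policy line per chain; the packets, the address 192.0.2.10 and the source 203.0.113.7 are constructed for the example. It runs the same four packets against the rules as posted, against the rules with the two ACCEPTs moved after the 0:1023 REJECT as Jonathan describes, and against the unchanged rules with the input policy flipped to DENY as the reply suggests.

```python
"""Added example, not from the original thread: first-match evaluation of
ipchains-style rules, with the posted lokkit ruleset embedded as sample input."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# The ruleset from the quoted message (Red Hat 7.1 lokkit "medium" plus 22/25).
LOKKIT_RULES = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""

@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int] = None
    src: str = "203.0.113.7"          # constructed documentation address
    sport: Optional[int] = None
    syn: bool = False                 # True only for a TCP SYN, which is what -y matches
    iface: str = "eth0"

@dataclass
class Rule:
    chain: str = "input"
    target: str = "ACCEPT"
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sports: Optional[Tuple[int, int]] = None
    dports: Optional[Tuple[int, int]] = None
    syn_only: bool = False
    iface: Optional[str] = None

def _net(text: str) -> ipaddress.IPv4Network:
    return ANY if text in ("0/0", "0.0.0.0/0") else ipaddress.ip_network(text, strict=False)

def _ports(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition(":")   # "25" or "0:1023"
    return int(lo), int(hi or lo)

def parse(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse ':chain POLICY' and '-A chain ...' lines (lokkit / ipchains-save layout)."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()
            policies[chain] = policy
            continue
        tok, i, r = line.split(), 0, Rule()
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                r.chain = tok[i + 1]; i += 2
            elif t in ("-s", "-d"):
                net, ports = _net(tok[i + 1]), None; i += 2
                if i < len(tok) and not tok[i].startswith("-"):   # optional port / range
                    ports = _ports(tok[i]); i += 1
                if t == "-s":
                    r.src, r.sports = net, ports
                else:
                    r.dst, r.dports = net, ports
            elif t == "-p":
                r.proto = tok[i + 1]; i += 2
            elif t == "-i":
                r.iface = tok[i + 1]; i += 2
            elif t == "-j":
                r.target = tok[i + 1]; i += 2
            elif t == "-y":
                r.syn_only = True; i += 1
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
        rules.append(r)
    return policies, rules

def _in_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto is None or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and _in_range(p.sport, r.sports) and _in_range(p.dport, r.dports)
            and (r.iface is None or r.iface == p.iface)
            and (not r.syn_only or p.syn))

def evaluate(policies, rules, p: Packet, chain: str = "input") -> Tuple[str, Optional[int]]:
    """First matching rule wins: (target, 1-based rule number), else (chain policy, None)."""
    for n, r in enumerate((r for r in rules if r.chain == chain), start=1):
        if matches(r, p):
            return r.target, n
    return policies[chain], None

def demo() -> Dict[str, Dict[str, Tuple[str, Optional[int]]]]:
    pol, rules = parse(LOKKIT_RULES)
    pkts = {                                   # constructed packets to 192.0.2.10
        "ssh_syn":  Packet("tcp", "192.0.2.10", 22, syn=True),
        "ssh_ack":  Packet("tcp", "192.0.2.10", 22),           # later packet of that session
        "http_syn": Packet("tcp", "192.0.2.10", 80, syn=True),
        "tcp_8080": Packet("tcp", "192.0.2.10", 8080, syn=True),  # no rule mentions it
    }
    reordered = rules[2:4] + rules[:2] + rules[4:]   # ACCEPTs moved after the 0:1023 REJECT
    deny = dict(pol, input="DENY")                   # same rules, default-deny input chain
    return {
        "as_posted": {k: evaluate(pol, rules, p) for k, p in pkts.items()},
        "reordered": {k: evaluate(pol, reordered, p) for k, p in pkts.items()},
        "default_deny": {k: evaluate(deny, rules, p) for k, p in pkts.items()},
    }

if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The as_posted run reproduces Jonathan's reading (SSH stops at rule 2, HTTP is rejected at rule 4) and also shows the reply's complaint: a SYN to tcp/8080 matches nothing and is accepted by the chain policy. The reordered run shows SSH rejected at the 0:1023 rule, as he predicts. The default_deny run shows the concession a stateless filter forces: the SSH SYN is still accepted, but every later packet of that same session matches no rule (all of them are -y) and is dropped by the DENY policy, which is why lokkit left the policy at ACCEPT and why a stateful iptables rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT` is the way to get default-deny without breaking return traffic.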

