[tlug] iptables - Tools for easy configuration

[Amy & Don Johnson <amydonj@example.com>]

Message: 1
Date: Mon, 02 Jul 2007 21:27:30 +0900
From: "Stephen J. Turnbull" <stephen@example.com>
Subject: [tlug] iptables - Tools for easy configuration
To: Tokyo Linux Users Group <tlug@example.com>
Message-ID: <87abufyor1.fsf@example.com>
Content-Type: text/plain; charset=us-ascii

Amy & Don Johnson writes:
>  > If someone is willing to do a talk about iptables, I would like to hear 
>  > specifics about setting up *outbound* chains in the filter table. There 
>  > is a lot on the web about setting up inbound rules, but I haven't found 
>  > anything good about setting up outbound rules.
>
> Why would you want to do that?  Keep your kids off IRC and pr0n sites?
> (Honest question; such rule sets will be really application-specific.)
>
> As to why you won't find much on this ....  Thing is, in general you
> trust the people *inside* the firewall.  To the extent that you don't
> trust them you're generally more interested in content filters, eg
> spam filters in case one of the PCs on your net gets zombified.
> Because of course you do want people to be able to send legit mail!
>
> Of course, you can limit your kids' PCs to the Disney site and their
> schools' home pages, but that will get tedious rapidly.  And in
> general it's much harder to set up plausible rules for inside going
> out than the other way around.  12 and 13 year olds can learn to set
> up tunnels and proxies for their friends; you'll need to think about
> much more complex rule sets to prevent that.

Here's why it might be wise to constrict outbound traffic as well as 
inbound:

1. marginal returns on time spent might be good - for a little effort 
adding outbound rules you might get better overall security. For 
example, I spent a lot of time getting my inbound rules to work. Right 
now, every packet leaves our computers/network with no restrictions and 
I have spent no effort on considering what should be allowed to leave. 
2. I think "trust no one" is a better policy for people inside the 
firewall than "trust everyone."
3. I remember reading a article a few months ago in Linux Journal who 
said having no outbound restrictions was bad policy. It would take me a 
little time to find the article if you wanted to know who wrote it. 
Anyway, my point is that there is at least one other person in the world 
who thinks time spent on creating outbound rules is not wasted.
4. My last (lame) argument is that everyone criticized Microsoft's first 
attempt at a firewall with service pack 2 on Windows XP because it only 
included outbound restrictions. So if we can criticize the evil empire 
for this "deficiency" maybe it really is a deficiency!

The applications we are currently using include nfs, samba, voip, ssh, 
mail, irc, vmware to run windows, ip printing, and of course, regular 
and ssl web browsing. I would like all of these applications to work 
after I added outbound restrictions. We are already using a spam filter, 
but no content filter on web access. Also, you are right about the 
zombified PCs, if this should happen to one of our machines, I think it 
would be good to make it more difficult for the malware to phone home.

Unfortunately, I can't make the tech meeting on the 14th because I have 
to help someone move, but if someone does give a talk about iptables and 
it includes info about outbound rules, I would like to get a copy of the 
notes, scripts, whatever. どうも

--Don