epike on Fri, 27 Dec 2002 11:10:35 -0500
hi

> I see three problems...
>
> 1.. The state checks for TCP should probably come after the rest of your
> rules (if at all.) Having them at the beginning is a BIG security hole. (I
> know this from first hand experience.)

you mean from this (ordering of my custom fw script):

./jondz_fw_simple.sh (JondZ 12/2002): Starting custom firewall...
./jondz_fw_simple.sh: initializing chains...
./jondz_fw_simple.sh: applying default policies...
./jondz_fw_simple.sh: Accepting lo connections...
./jondz_fw_simple.sh: Allowing TCP Services...
./jondz_fw_simple.sh: Allowing UDP Services...
./jondz_fw_simple.sh: allowing some ICMP Connections...

to this:

./jondz_fw_simple.sh (JondZ 12/2002): Starting custom firewall...
./jondz_fw_simple.sh: initializing chains...
./jondz_fw_simple.sh: applying default policies...
./jondz_fw_simple.sh: Accepting lo connections...
./jondz_fw_simple.sh: Allowing UDP Services...
./jondz_fw_simple.sh: allowing some ICMP Connections...
./jondz_fw_simple.sh: Allowing TCP Services...

?

> 2.. UDP is stateless. Checking for state is a waste of time. Especially
> for established or related packets. (It may even error when iptables tries
> to insert the rule.) The question of allowing UDP at all is open to
> debate. Some will argue that you shouldn't allow it all. Some will say
> it allows some services to run faster. That's something you need to
> decide.

I admit this has confused me -- some firewall scripts I've seen just say something like:

iptables -A INPUT .... -p udp --dport 53
iptables -A INPUT .... -p udp --sport 53

(assuming they want to let in port 53 udp). It's confused me since I don't see a reason why the script writer would assume that the source port of an incoming udp connection would be 53 also. I vaguely recall having problems before I put -m state, but I will try dropping the -m state clause again and see what happens (DNS and SAMBA are the ones I use it for).

> 3.. ICMP type 5 should only be allowed from your default gateway. There is
> no need to limit its usage. In fact, it might cause some problems if you
> do. ICMP type 5 is route discovery. Its primary use is for a router to
> tell your server that another router on the network is the destination for
> the packet it just received. It saves you having to define static routes
> for the other network segments on every server.

Ok. thanks!

epike/jondz

PS I will post back my revised script again later

_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
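The reordered sequence epike asks about (lo, UDP, ICMP, then TCP with the state check after the per-port rules, and ICMP type 5 accepted only from the default gateway), as an added dry-run rendering that is not part of the post or of jondz_fw_simple.sh. The interface name, gateway and resolver addresses, and the TCP service port list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not epike's jondz_fw_simple.sh: emits the INPUT rules in the
# reordered sequence from the reply (lo, UDP, ICMP, then TCP). IPT defaults
# to a dry run that only prints the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"                    # assumed interface name
GATEWAY="${GATEWAY:-192.168.1.1}"           # constructed default gateway address
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"     # constructed resolver address
TCP_SERVICES="${TCP_SERVICES:-22 139 445}"  # assumed service ports

emit_rules() {
    # initializing chains and default policies
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # accepting lo connections
    $IPT -A INPUT -i lo -j ACCEPT
    # UDP services: DNS replies. Pinning the source address matters, because a
    # bare "--sport 53" rule admits any datagram whose source port happens to be 53.
    $IPT -A INPUT -i "$LAN_IF" -p udp -s "$DNS_SERVER" --sport 53 -j ACCEPT
    # ICMP: redirects (type 5) only from the default gateway; echo-request from anywhere
    $IPT -A INPUT -i "$LAN_IF" -p icmp --icmp-type 5 -s "$GATEWAY" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p icmp --icmp-type 8 -j ACCEPT
    # TCP services last: explicit per-port SYN rules, then the state check after them
    for port in $TCP_SERVICES; do
        $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$port" --syn -j ACCEPT
    done
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything left is logged and then hits the DROP policy
    $IPT -A INPUT -j LOG --log-prefix "fw-drop: "
}

# Dry-run helper: 1-based position of the first emitted rule matching a pattern,
# so the ordering can be checked without touching a live firewall.
rule_position() {
    emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

emit_rules
```

Run it as-is to print the rule list and confirm the order; only the dry-run mode is meant for the ordering check, since rule_position re-emits the rules each call.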