epike on Fri, 27 Dec 2002 11:10:35 -0500



Re: [PLUG] myfirst fw rules(rev.2)


hi

> I see three problems...
> 
> 1.. The state checks for TCP should probably come after the rest of your 
> rules (if at all.) Having them at the beginning is a BIG security hole. (I 
> know this from first hand experience.)

you mean from this (ordering of my custom fw script):

       ./jondz_fw_simple.sh (JondZ 12/2002): Starting custom firewall...
       ./jondz_fw_simple.sh: initializing chains...
       ./jondz_fw_simple.sh: applying default policies...
       ./jondz_fw_simple.sh: Accepting lo connections...
       ./jondz_fw_simple.sh: Allowing TCP Services...
       ./jondz_fw_simple.sh: Allowing UDP Services...
       ./jondz_fw_simple.sh: allowing some ICMP Connections...

to this:

       ./jondz_fw_simple.sh (JondZ 12/2002): Starting custom firewall...
       ./jondz_fw_simple.sh: initializing chains...
       ./jondz_fw_simple.sh: applying default policies...
       ./jondz_fw_simple.sh: Accepting lo connections...
       ./jondz_fw_simple.sh: Allowing UDP Services...
       ./jondz_fw_simple.sh: allowing some ICMP Connections...
       ./jondz_fw_simple.sh: Allowing TCP Services...

?

> 
> 2.. UDP is stateless. Checking for state is a waste of time. Especially 
> for established or related packets. (It may even error when iptables tries 
> to insert the rule.) The question of allowing UDP at all is open to 
> debate. Some will argue that you shouldn't allow it all. Some will say 
> it allows some services to run faster. That's something you need to 
> decide.

I admit this has confused me -- some firewall scripts I've seen
just say something like:

     iptables -A INPUT .... -p udp --dport 53
     iptables -A INPUT .... -p udp --sport 53

(assuming they want to let in port 53 udp).

It's confused me since I don't see a reason why the script writer
would assume that the source port of an incoming udp connection
would be 53 also.

I vaguely recall having problems before I put -m state, but I will 
try dropping the -m state clause again and see what happens
(DNS and SAMBA are the ones I use it for).

> 
> 3.. ICMP type 5 should only be allowed from your default gateway. There is
> no need to limit its usage. In fact, it might cause some problems if you
> do. ICMP type 5 is route discovery. Its primary use is for a router to
> tell your server that another router on the network is the destination for
> the packet it just received. It saves you having to define static routes 
> for the other network segments on every server.

Ok.

thanks!

epike/jondz


PS I will post back my revised script again later
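The two UDP rule forms discussed above, side by side in one generated ruleset, as an added example that is not the poster's script or anything from this thread. The reason a script writer matches `--sport 53` is that a DNS server answers from port 53 back to whatever ephemeral port the client queried from, so the source port is the only predictable one on the reply; the stateful form instead lets conntrack recognise the reply to a query it saw go out. The addresses in `DNS_SERVER` and `GATEWAY` are constructed placeholders, the host is assumed to offer only ssh on tcp/22, and the `port`/`state` selector and the `rule_order_ok` check are my own additions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single-homed host,
# showing the port-based and the conntrack-based way of admitting DNS replies
# and the ordering that puts explicit service rules before the TCP state rule.
# Constructed placeholder addresses (TEST-NET-1), not real hosts:
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
GATEWAY="${GATEWAY:-192.0.2.1}"

# udp_dns_rule MODE  -> one INPUT rule for DNS replies.
#   port : match the server's source port 53 (replies to our ephemeral port).
#   state: let conntrack match the reply to the query it recorded on the way out.
udp_dns_rule() {
    case "$1" in
        port)  echo "-A INPUT -p udp -s $DNS_SERVER --sport 53 -j ACCEPT" ;;
        state) echo "-A INPUT -p udp -s $DNS_SERVER -m state --state ESTABLISHED -j ACCEPT" ;;
        *)     echo "udp_dns_rule: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# gen_rules [MODE]  -> complete ruleset in iptables-restore format (default: state).
gen_rules() {
    mode="${1:-state}"
    dns_rule=$(udp_dns_rule "$mode") || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first
-A INPUT -i lo -j ACCEPT
# DNS replies from our resolver only (pin the address: anyone can set sport 53)
$dns_rule
# ICMP redirect (type 5) accepted only from the default gateway
-A INPUT -p icmp --icmp-type 5 -s $GATEWAY -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# explicit TCP services, then the state rule that admits their replies
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# rule_order_ok [MODE] -> exit 0 when the TCP state rule is listed after
# the explicit tcp/22 service rule, i.e. the ordering suggested above.
rule_order_ok() {
    gen_rules "${1:-state}" | awk '
        /--dport 22/ && !svc { svc = NR }
        /-p tcp -m state/    { st = NR }
        END { exit !(svc && st && st > svc) }'
}

# Usage: ./fw_gen.sh print [port|state]   (pipe the output into iptables-restore)
#        ./fw_gen.sh check [port|state]
case "${1:-}" in
    print) gen_rules "${2:-state}" ;;
    check) rule_order_ok "${2:-state}" && echo "order ok" ;;
esac
```

Feed the output to `iptables-restore` (or `iptables-restore --test` first) rather than running the rules one `iptables -A` at a time, so the whole table is swapped in atomically and a typo in one rule does not leave a half-built chain behind an open default policy.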
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug