
Re: iptables rules : two in one



Pascal Hambourg wrote:
> Franck Joncourt wrote:
>> Andrey Kozlov wrote:
>>
>>> with use connection tracking you can define common rules for ongoing
>>> traffic on top of you rule set:
>>>
>>> iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> and then add specific rules for any required services, e.g.:
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>>       -d pop.mail.yahoo.co.uk --dport 110 -m state --state NEW -j ACCEPT
>>>
>>> iptables -A OUTPUT -o eth0 -p tcp --sport $UNPRIVPORTS \
>>>       -d pop.1and1.fr --dport 110 -m state --state NEW -j ACCEPT
>>>
>>
>> So it means, I accept both 'established' and 'related' connections
>> from/to any ports.
> 
> Not only any ports but also any protocol, including DNS replies, ICMP
> replies and error notifications... without the need to explicitly allow
> each of them. That's why most stateful filtering setups use this kind
> of rule. I use a slightly modified version of these rules myself (there
> are some RELATED ICMP types I don't want to accept).
> 
>> Then, I allow 'new' connections to port 110 (for
>> pop.1and1.fr and pop.mail.yahoo.co.uk).
> 
> Yes. So instead of setting up rules for original and return traffic, you
> just need to set up one rule for the original traffic.
> 
>> In the end, 'established' or 'related' connections from/to port 4895,
>> for instance, will be accepted, as well.
> 
> Only after they have been first accepted as NEW.
> 
>> Unless I am wrong, it is not really interesting in the case I have got a
>> mistake in my firewall, and accept 'new' connections from/to port 4895.
>> I allow more than I should without any reason.
> 
> Why would you have a mistake in your firewall and accept explicitly
> traffic that you don't actually want to accept?
> 
> 

You are right, there is no reason to have a mistake in my firewall; I
just pointed out that in this case you only rely on one rule to block
outgoing traffic.
In my config file, I do not trust anything. Therefore, I drop everything
and explicitly allow what I need one by one. So, it makes it a bit messy :(!

I try to understand the rules I use, in order to get something strong;
I did not see why I should have allowed rules I did not want. But,
according to you, it seems to be enough. In theory, I agree with you.

As I do not want to use stuff like shorewall, firestarter, ... I will
take your remarks into account, have a better look at my firewall, and clean
it out.

I thank you again.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF  9A3C C490 534E 75C0 89FE
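The ruleset the thread converges on (default DROP, one ESTABLISHED,RELATED rule per direction, and one NEW rule per permitted original flow), written out as an added example in iptables-restore(8) format. This is not either poster's configuration: the interface name, the value of $UNPRIVPORTS, the outbound DNS rule and the choice of which RELATED ICMP types to accept (Pascal's "slightly modified version") are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not the poster's firewall. Emits a minimal stateful filter in
# iptables-restore(8) format built around the two rules discussed in the thread.

IFACE="eth0"                                        # assumed egress interface
UNPRIVPORTS="1024:65535"                            # assumed value of $UNPRIVPORTS
POP3_SERVERS="pop.mail.yahoo.co.uk pop.1and1.fr"    # hosts named in the thread

# ICMP error types that conntrack marks RELATED to a tracked flow and that we
# still want to receive. Any other RELATED ICMP type falls through to the DROP
# policy (assumed set, standing in for Pascal's unstated exclusions).
RELATED_ICMP_ALLOWED="destination-unreachable time-exceeded"

gen_ruleset() {
    printf '%s\n' '*filter'
    # Default-deny on every chain: only what is explicitly accepted passes.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback is trusted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Packets conntrack cannot associate with any flow are dropped early.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Return traffic of already accepted flows: any protocol, any port.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED -j ACCEPT'
    # RELATED is split out so ICMP is accepted type by type.
    for t in $RELATED_ICMP_ALLOWED; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $t -m state --state RELATED -j ACCEPT"
    done
    # Non-ICMP RELATED flows (e.g. a data channel opened by a conntrack helper).
    printf '%s\n' '-A INPUT ! -p icmp -m state --state RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Outbound DNS (assumed) so the hostnames below can be resolved; the
    # replies come back through the INPUT ESTABLISHED rule above.
    printf '%s\n' "-A OUTPUT -o $IFACE -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # One NEW rule per permitted original flow. Its replies ride on the
    # ESTABLISHED rule, so no return-path rule is needed; conversely, a port
    # never opened here (port 4895 in the thread) never becomes ESTABLISHED.
    # Note: iptables-restore resolves these hostnames once, at load time.
    for h in $POP3_SERVERS; do
        printf '%s\n' "-A OUTPUT -o $IFACE -p tcp --sport $UNPRIVPORTS -d $h --dport 110 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# The NEW rules are the complete list of flows this host may originate, which
# is the single place a mistake of the kind discussed in the thread could live.
count_new_rules() {
    gen_ruleset | grep -c -- '--state NEW'
}

gen_ruleset
```

Review `count_new_rules` against the services you actually meant to allow, then validate the generated file with `iptables-restore --test` before loading it with `iptables-restore`.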
