[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages and signatures

Hi *, 

On Fri, Feb 02, 2001 at 12:01:49PM +0100, Michael Neuffer wrote:
> How well are they firewalled, did they check for security breaches
> before compiling and uploading the packages ?

Nice question. And, of course, not every developer is a security expert.
For example I am using a server running Debian to connect to the 
Internet by dialup IP. It's not that easy to break into that system
given that it has a dynamically assigned IP but anyway: What should I
setup as a firewall for my local net?

I think we should add a sane ipchains config to the developers 
reference so that developer machines are save from network attacks. Here
is what I have but I am not entirely sure it is safe:

#! /bin/sh
# Firewall Setup for crypton


case "$1" in
	echo -n "Configuring firewall: localnet"
	echo -n ", localnet"
	ipchains -F input
	# Make sure loopback packets are only received via iface lo
	ipchains -A input -s -i lo -j ACCEPT
	ipchains -A input -s crypton -i lo -j ACCEPT
	ipchains -A input -s -j DENY

	# Allow anything to the local net given it comes from the right
	# interface
	ipchains -A input -s -i eth0 -j ACCEPT
	ipchains -A input -s -j DENY

	echo -n ", internet"
	# Allow some ports from the hostile internet
	for port in ssh saft auth; do
		ipchains -A input -p tcp -d 0/0 $port -j ACCEPT
	# Block some high ports from outside access
	for port in 3128 2049 fax hylafax; do
		ipchains -A input -p tcp -d 0/0 $port -j REJECT
	# Accept the other high ports (for ftp etc.)
	ipchains -A input -p tcp -d 0/0 1024:65535 -j ACCEPT

	# Block UDP on privileged ports and allow on all others
	ipchains -A input -p udp -d 0/0 0:1023 -j REJECT
	ipchains -A input -p udp -d 0/0 1024:65535 -j ACCEPT

	# Allow icmp (XXX: Is there anything but DoS attacks via icmp?)
	ipchains -A input -p icmp -j ACCEPT

	# Reject anything else
	ipchains -P input REJECT
	echo .
	echo -n "Shutting down firewall: policy"
	ipchains -P input ACCEPT
	echo -n ", rules"
	ipchains -F input
	echo .

	#	If the "reload" option is implemented, move the "force-reload"
	#	option to the "reload" entry above. If not, "force-reload" is
	#	just the same as "restart".
	$0 stop
	$0 start
	echo "Usage: $0 {start|stop|restart|force-reload}" >&2
	exit 1

exit 0

For example I have no idea how to configure the forwarding chain so that
masquerading still works but nothing is ever forwarded from outside into
my local network.



Attachment: pgpwk8zMuJYBF.pgp
Description: PGP signature

Reply to: