Hi *,

On Fri, Feb 02, 2001 at 12:01:49PM +0100, Michael Neuffer wrote:
> How well are they firewalled, did they check for security breaches
> before compiling and uploading the packages ?

Nice question. And, of course, not every developer is a security expert.

For example I am using a server running Debian to connect to the Internet by
dialup IP. It's not that easy to break into that system given that it has a
dynamically assigned IP but anyway: What should I set up as a firewall for my
local net?

I think we should add a sane ipchains config to the developers reference so
that developer machines are safe from network attacks.

Here is what I have but I am not entirely sure it is safe:

#! /bin/sh
#
# Firewall Setup for crypton
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

case "$1" in
  start)
    echo -n "Configuring firewall: localnet"
    # Start from an empty input chain
    ipchains -F input

    # Make sure loopback packets are only received via iface lo
    ipchains -A input -s 127.0.0.0/8 -i lo -j ACCEPT
    ipchains -A input -s crypton -i lo -j ACCEPT
    ipchains -A input -s 127.0.0.0/8 -j DENY

    # Allow anything to the local net given it comes from the right
    # interface
    ipchains -A input -s 192.168.2.0/24 -i eth0 -j ACCEPT
    ipchains -A input -s 192.168.2.0/24 -j DENY

    echo -n ", internet"
    # Allow some ports from the hostile internet
    for port in ssh saft auth; do
      ipchains -A input -p tcp -d 0/0 $port -j ACCEPT
    done

    # Block some high ports from outside access
    for port in 3128 2049 fax hylafax; do
      ipchains -A input -p tcp -d 0/0 $port -j REJECT
    done

    # Accept the other high ports (for ftp etc.)
    ipchains -A input -p tcp -d 0/0 1024:65535 -j ACCEPT

    # Block UDP on privileged ports and allow on all others
    ipchains -A input -p udp -d 0/0 0:1023 -j REJECT
    ipchains -A input -p udp -d 0/0 1024:65535 -j ACCEPT

    # Allow icmp (XXX: Is there anything but DoS attacks via icmp?)
    ipchains -A input -p icmp -j ACCEPT

    # Reject anything else (default policy, applied after the rules above)
    ipchains -P input REJECT
    echo .
    ;;
  stop)
    echo -n "Shutting down firewall: policy"
    ipchains -P input ACCEPT
    echo -n ", rules"
    ipchains -F input
    echo .
    ;;
  restart|force-reload)
    #
    # If the "reload" option is implemented, move the "force-reload"
    # option to the "reload" entry above. If not, "force-reload" is
    # just the same as "restart".
    #
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

For example I have no idea how to configure the forwarding chain so that
masquerading still works but nothing is ever forwarded from outside into my
local network.

Thanks
Torsten
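One way to set up the forward chain the post asks about, as an added example that is not the poster's script: the LAN is masqueraded on its way out, and the forward chain's default policy denies everything else, so nothing arriving on the dialup link can be forwarded into the LAN. It reuses the post's 192.168.2.0/24 LAN on eth0 and assumes (not stated in the post) that the dialup interface is ppp0; `IPCHAINS=echo` prints the rules instead of loading them, which lets the script be reviewed without root.

```shell
#!/bin/sh
# Forward-chain setup for an ipchains dialup gateway: masquerade the LAN,
# forward nothing from the outside in.  Added example, not the original
# poster's script.  Assumptions (not from the post): the dialup interface
# is ppp0; the LAN is 192.168.2.0/24 behind eth0, as in the post's script.
LAN=192.168.2.0/24
LAN_IF=eth0
EXT_IF=ppp0
# Set IPCHAINS=echo to print the rules instead of loading them into the kernel.
IPCHAINS="${IPCHAINS:-ipchains}"

forward_rules() {
    # Flush the chain and deny by default: a packet is forwarded only if a
    # rule below explicitly accepts it, so unsolicited traffic from ppp0
    # towards 192.168.2.x never reaches the LAN.
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    # In the forward chain -i names the interface the packet is about to
    # leave on.  Only packets with a LAN source that leave via the dialup
    # interface are masqueraded; a packet arriving on ppp0 with a forged
    # 192.168.2.x source would have to leave via eth0 and does not match.
    # Replies to masqueraded connections are demasqueraded on input and
    # skip the forward chain, so this single rule is enough for outbound
    # connections from the LAN.
    $IPCHAINS -A forward -s "$LAN" -i "$EXT_IF" -j MASQ
}

enable_forwarding() {
    # Routing stays off until the forward chain is in place.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) forward_rules; enable_forwarding ;;
    show)  IPCHAINS=echo; forward_rules ;;
esac
```

Run it as `sh gateway-forward.sh show` to review the rules and `sh gateway-forward.sh apply` (as root) to load them; the input chain from the post remains responsible for what the gateway itself accepts, and the post's `-s 192.168.2.0/24` deny for packets not arriving on eth0 already covers spoofed LAN addresses on the dialup side.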