Hi *,
On Fri, Feb 02, 2001 at 12:01:49PM +0100, Michael Neuffer wrote:
> How well are they firewalled, did they check for security breaches
> before compiling and uploading the packages ?
Nice question. And, of course, not every developer is a security expert.
For example I am using a server running Debian to connect to the
Internet by dialup IP. It's not that easy to break into that system
given that it has a dynamically assigned IP but anyway: What should I
set up as a firewall for my local net?
I think we should add a sane ipchains config to the developers
reference so that developer machines are safe from network attacks. Here
is what I have but I am not entirely sure it is safe:
#! /bin/sh
#
# Firewall Setup for crypton
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
case "$1" in
  start)
    echo -n "Configuring firewall: loopback"
    ipchains -F input
    # Make sure loopback packets are only received via iface lo
    ipchains -A input -s 127.0.0.0/8 -i lo -j ACCEPT
    ipchains -A input -s crypton -i lo -j ACCEPT
    ipchains -A input -s 127.0.0.0/8 -j DENY
    echo -n ", localnet"
    # Allow anything to the local net given it comes from the right
    # interface; the same source address on any other interface is spoofed
    ipchains -A input -s 192.168.2.0/24 -i eth0 -j ACCEPT
    ipchains -A input -s 192.168.2.0/24 -j DENY
    echo -n ", internet"
    # Allow some ports from the hostile internet
    for port in ssh saft auth; do
      ipchains -A input -p tcp -d 0/0 $port -j ACCEPT
    done
    # Block some high ports from outside access
    for port in 3128 2049 fax hylafax; do
      ipchains -A input -p tcp -d 0/0 $port -j REJECT
    done
    # Accept the other high ports (for ftp etc.)
    ipchains -A input -p tcp -d 0/0 1024:65535 -j ACCEPT
    # Block UDP on privileged ports and allow on all others
    ipchains -A input -p udp -d 0/0 0:1023 -j REJECT
    ipchains -A input -p udp -d 0/0 1024:65535 -j ACCEPT
    # Allow icmp (XXX: Is there anything but DoS attacks via icmp?)
    ipchains -A input -p icmp -j ACCEPT
    # Reject anything else (chain policy, applies after the rules above)
    ipchains -P input REJECT
    echo .
    ;;
  stop)
    echo -n "Shutting down firewall: policy"
    ipchains -P input ACCEPT
    echo -n ", rules"
    ipchains -F input
    echo .
    ;;
  restart|force-reload)
    #
    # If the "reload" option is implemented, move the "force-reload"
    # option to the "reload" entry above. If not, "force-reload" is
    # just the same as "restart".
    #
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac
exit 0
For example I have no idea how to configure the forwarding chain so that
masquerading still works but nothing is ever forwarded from outside into
my local network.
Thanks
Torsten
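The forward-chain question above, worked through as an added example; this is not Torsten's script and not from the original mail. It assumes the local net is 192.168.2.0/24 (as in the script above), that the dialup link is ppp0 (an assumption; substitute the real interface), and it introduces an IPCHAINS variable so the rules can be printed with "show" instead of applied.

```shell
#!/bin/sh
# Added example (not from the original mail): forward chain for an ipchains
# masquerading gateway that never forwards anything from outside into the
# local net. Assumptions: local net 192.168.2.0/24 (from the mail), dialup
# interface ppp0 (assumed), and IPCHAINS settable to "echo" for a dry run.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
IPCHAINS=${IPCHAINS:-ipchains}
LOCALNET=192.168.2.0/24
EXTIF=ppp0

forward_rules() {
    # Flush and deny by default: a packet that matches no rule is dropped,
    # so a forgotten rule fails closed instead of open.
    $IPCHAINS -F forward
    $IPCHAINS -P forward DENY
    # In ipchains the forward chain's -i is the interface the packet will
    # LEAVE on (on the input chain it is the arrival interface). This rule
    # therefore masquerades only local-net traffic headed out the dialup link.
    $IPCHAINS -A forward -s $LOCALNET -i $EXTIF -j MASQ
    # Replies to masqueraded connections are de-masqueraded on the input path
    # and skip the forward chain, so nothing inbound needs accepting here.
    # Anything from outside addressed to the local net is logged (-l) and
    # denied; the policy would drop it anyway, the log line is the point.
    $IPCHAINS -A forward ! -s $LOCALNET -d $LOCALNET -l -j DENY
}

forward_teardown() {
    $IPCHAINS -P forward ACCEPT
    $IPCHAINS -F forward
}

case "${1:-}" in
    start)
        # Masquerading does nothing unless the kernel forwards IP at all.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        forward_rules ;;
    stop)
        forward_teardown ;;
    show)
        # Dry run: print the commands that "start" would execute.
        IPCHAINS=echo; forward_rules ;;
    *)
        # No argument: only define the functions, so the file can be sourced.
        : ;;
esac
```

Run it as "sh forward.sh show" to see the rules before applying them. On the input chain, the script's "ipchains -A input -p tcp -d 0/0 1024:65535 -j ACCEPT" also admits new connections to any high port from outside; adding "! -y" to that rule accepts only non-SYN packets, i.e. replies to connections the host itself opened, at the cost of active-mode FTP data connections (passive mode still works).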