[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: home firewall philosophy govering outgoing traffic

At 07:03 AM 6/15/2001 -0500, Bryan Walton wrote:
I am setting up a firewall for home use.  Behind the firewall will only sit
one (maybe two) computers.  My firewall box is running a 2.2.19 kernel with
ipchains.  I have been setting up my ipchains ruleset using Robert Ziegler's
Linux Firewalls book as a guide.  I have two questions:

1) What are people's thoughts on this book?  Are there any mistakes that
people have found?  Any suggestions in the sample rulesets that people might
disagree with?

Dunno, haven't read it...

2) More to the point, Ziegler suggests setting the input, output, and
forward default policies to DENY and then decide what to allow through.  It
has dawned on me that I can make my rules MUCH simpler by setting the output
chain's default policy to ACCEPT and remove all of the output rules from
the script since philosophically I don't have any interest or
desire to limit what my family members do on the net.  As long as I
filter out incoming traffic that I deem dangerous, is there anything to fear
from having the output default policy set to ACCEPT?  Or am I missing
something obvious?

Although a couple of folks have previously advised that a default ACCEPT policy on the output chain is "better", I tend to disagree. Of course, it's hard to argue against having a default DENY policy on the input/forward chains, but the reason for having that on the output is to increase your awareness of anything suspicious going on. For instance, I had a user-administered system sitting outside our firewall come up with an IRC robot due to a DNS-based crack. Of course, port 53 was allowed into the system so it could make DNS queries. However, if I'd suddenly seen port 6667 traffic trying to leave the system (the usual IRC port) I'd have known something funny was going on. Only after the box was turned into skript-kiddie scanner and I received a few polite notifications did I realize there was a problem and take steps to rectify.

Yes, having a default DENY on the output chain is a bit more work, but it also allows you to do a daily audit of possible problems. It all depends on your determined security stance.

Eric N. Valor
Lutris Technologies

- This Space Intentionally Left Blank -

Reply to: