
Re: home firewall philosophy governing outgoing traffic



At 07:03 AM 6/15/2001 -0500, Bryan Walton wrote:
I am setting up a firewall for home use.  Behind the firewall will only sit
one (maybe two) computers.  My firewall box is running a 2.2.19 kernel with
ipchains.  I have been setting up my ipchains ruleset using Robert Ziegler's
Linux Firewalls book as a guide.  I have two questions:

1) What are people's thoughts on this book?  Are there any mistakes that
people have found?  Any suggestions in the sample rulesets that people might
disagree with?

Dunno, haven't read it...

2) More to the point, Ziegler suggests setting the input, output, and
forward default policies to DENY and then decide what to allow through.  It
has dawned on me that I can make my rules MUCH simpler by setting the output
chain's default policy to ACCEPT and remove all of the output rules from
the script since philosophically I don't have any interest or
desire to limit what my family members do on the net.  As long as I
filter out incoming traffic that I deem dangerous, is there anything to fear
from having the output default policy set to ACCEPT?  Or am I missing
something obvious?

Although a couple of folks have previously advised that a default ACCEPT policy on the output chain is "better", I tend to disagree. Of course, it's hard to argue against having a default DENY policy on the input/forward chains, but the reason for having that on the output is to increase your awareness of anything suspicious going on. For instance, I had a user-administered system sitting outside our firewall come up with an IRC robot due to a DNS-based crack. Of course, port 53 was allowed into the system so it could make DNS queries. However, if I'd suddenly seen port 6667 traffic trying to leave the system (the usual IRC port) I'd have known something funny was going on. Only after the box was turned into a skript-kiddie scanner and I received a few polite notifications did I realize there was a problem and take steps to rectify.

Yes, having a default DENY on the output chain is a bit more work, but it also allows you to do a daily audit of possible problems. It all depends on your determined security stance.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
eric.valor@lutris.com

- This Space Intentionally Left Blank -
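
The daily audit of a default-DENY output chain described in the reply above, as an added example that is not part of the original message. It assumes the output chain ends in a DENY rule with logging enabled (ipchains `-l`) and that the kernel writes the "Packet log:" line layout documented in the IPCHAINS-HOWTO; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# ipchains packet-log layout (per the IPCHAINS-HOWTO):
# Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample syslog lines; hostnames, addresses and counters are made up.
SAMPLE_LOG = """\
Jun 15 03:12:01 fw kernel: Packet log: output DENY eth0 PROTO=6 198.51.100.20:1042 203.0.113.7:6667 L=60 S=0x00 I=4121 F=0x4000 T=64 -y
Jun 15 03:12:04 fw kernel: Packet log: output DENY eth0 PROTO=6 198.51.100.20:1043 203.0.113.7:6667 L=60 S=0x00 I=4122 F=0x4000 T=64 -y
Jun 15 04:40:17 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.99:3120 198.51.100.20:23 L=44 S=0x00 I=977 F=0x0000 T=52 -y
Jun 15 05:02:33 fw kernel: Packet log: output DENY eth0 PROTO=17 198.51.100.20:1027 203.0.113.50:31337 L=36 S=0x00 I=4130 F=0x0000 T=64
"""

def audit_outbound(log_text, chain="output"):
    """Count packets refused on `chain`, keyed by (IP protocol, destination port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ipchains packet-log line
        if m["chain"] != chain or m["action"] not in ("DENY", "REJECT"):
            continue  # other chains (e.g. inbound probes) are a separate audit
        hits[(int(m["proto"]), int(m["dport"]))] += 1
    return hits

def report(hits):
    """Format the counts, most frequent first, for a daily mail or cron job."""
    return [
        f"{count:4d} refused  proto={proto} dport={dport}"
        for (proto, dport), count in hits.most_common()
    ]

if __name__ == "__main__":
    print("\n".join(report(audit_outbound(SAMPLE_LOG))))
```

On a masquerading firewall the output chain sees the already-rewritten source address, so the summary is keyed on protocol and destination port rather than on the internal host.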


