
Re: home firewall philosophy governing outgoing traffic



On Friday 15 June 2001 17:56, Eric N. Valor wrote:
> At 07:03 AM 6/15/2001 -0500, Bryan Walton wrote:

> Although a couple of folks have previously advised that a default ACCEPT
> policy on the output chain is "better", I tend to disagree.  Of course,
> it's hard to argue against having a default DENY policy on the
> input/forward chains, but the reason for having that on the output is to
> increase your awareness of anything suspicious going on.  For instance, I
> had a user-administered system sitting outside our firewall come up with an
> IRC robot due to a DNS-based crack.  Of course, port 53 was allowed into
> the system so it could make DNS queries.

A reason to use forwarding and only permit UDP replies from those DNS server 
systems.  A home system is better off not querying root servers, etc., 
especially if it's on dial-up.

>  However, if I'd suddenly seen
> port 6667 traffic trying to leave the system (the usual IRC port) I'd have
> known something funny was going on.  Only after the box was turned into a
> skript-kiddie scanner and I received a few polite notifications did I
> realize there was a problem and take steps to rectify.
>
> Yes, having a default DENY on the output chain is a bit more work, but it
> also allows you to do a daily audit of possible problems.  It all depends
> on your determined security stance.

Hang on, unless I'm missing something here, what does this really buy you?

1) There's default deny on input and forward chain
2) You block incoming tcp connections, except services which you are 
permitting
3) You block udp packets except DNS, NTP that you need

Real world protocols, to do anything useful, need replies; you are going to 
have to alter input and/or forwarding rules anyway to allow answer packets 
back, for new services.  So your logs ought to show unusual activity on that 
side, responding to the outgoing packets.

Yes, a permissive output can allow UDP packets off to an info gathering server. 
But any attacker could just as easily use a commonly allowed protocol for 
the same purpose, e.g. 'domain' destination port 53 to look like a DNS query, 
which I would suggest offers much higher probability of success, so what 
extra security are you really gaining here?

For high security of internal machines, using a private network and only 
doing NAT or masquerading on a few protocols, is surely more effective, it 
prevents most direct connections, and enforces use of application level 
gateways.

So are my assumptions inaccurate?   If not, what real benefit does a policy of 
deny on the output chain have for a home system (not commercial firewall 
installation)?

Rob
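
The daily audit of a default-deny output chain discussed in this thread, as an added example that is not part of either poster's message: it summarises denied outbound attempts from kernel firewall logs. It assumes netfilter LOG-target line format and a hypothetical `OUT-DENY: ` log prefix; the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumption: the output chain logs with this prefix just before dropping.
LOG_PREFIX = "OUT-DENY: "
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
Jun 15 03:12:44 gw kernel: OUT-DENY: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4411 DF PROTO=TCP SPT=1045 DPT=6667 WINDOW=5840 SYN URGP=0
Jun 15 03:12:47 gw kernel: OUT-DENY: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4412 DF PROTO=TCP SPT=1045 DPT=6667 WINDOW=5840 SYN URGP=0
Jun 15 03:12:53 gw kernel: OUT-DENY: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4413 DF PROTO=TCP SPT=1045 DPT=6667 WINDOW=5840 SYN URGP=0
Jun 15 04:01:02 gw kernel: OUT-DENY: IN= OUT=ppp0 SRC=192.0.2.10 DST=203.0.113.20 LEN=48 TTL=64 ID=0 DF PROTO=UDP SPT=1051 DPT=4000 LEN=28
Jun 15 04:30:19 gw kernel: OUT-DENY: IN= OUT=ppp0 SRC=192.0.2.10 DST=203.0.113.9 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=771 SEQ=1
Jun 15 05:00:00 gw kernel: IN-DENY: IN=ppp0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=60 TTL=52 ID=9 PROTO=TCP SPT=4022 DPT=23 WINDOW=512 SYN URGP=0
"""


def parse_denied(lines):
    """Yield (proto, dst, dport) for each logged output-chain denial."""
    for line in lines:
        if LOG_PREFIX not in line:
            continue  # input/forward denials and unrelated kernel messages
        fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
        if "DST" not in fields or "PROTO" not in fields:
            continue  # truncated or malformed line
        # ICMP entries carry TYPE/CODE instead of a destination port.
        dport = int(fields["DPT"]) if "DPT" in fields else None
        yield fields["PROTO"], fields["DST"], dport


def daily_audit(text):
    """Count denied outbound attempts per (proto, dst, dport), busiest first."""
    return Counter(parse_denied(text.splitlines())).most_common()


if __name__ == "__main__":
    for (proto, dst, dport), hits in daily_audit(SAMPLE_LOG):
        print(f"{hits:4d}  {proto:<4} -> {dst}:{dport if dport is not None else '-'}")
    # Traffic sent to a permitted port such as 53 is accepted, never logged,
    # and so never appears in this report (the limitation Rob raises).
```
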


