
Re: your mail



On Thu, Jun 28, 2001 at 12:17:32PM +0200, Michael Wood wrote:

> Hi
> 
> On Thu, Jun 28, 2001 at 12:02:44PM +0200, Raffael Ferenc wrote:
> > On Thu, Jun 28, 2001 at 08:50:49AM +0200, Michael Wood wrote:
> > 
> [snip]
> > > e.g. Assuming you're using kernel 2.2.x here's a very simple and
> > > very open firewall configuration:
> > > 
> > > # define constants
> > > ABUSER=192.168.0.123/32
> > > MAILSERVER=10.0.0.1/32
> > > 
> > > # set the default policy
> > > ipchains -P input ACCEPT
> > > ipchains -P forward ACCEPT
> > > ipchains -P output ACCEPT
> > 
> > I suggest ACCEPT as the default policy may become extremely
> > dangerous if the firewall script doesn't run completely. I'd
> > say that default policy should be DENY or REJECT, and the
> [...]
> 
> Well, as I said, the guy has a router with NO firewalling at
> the moment, so this script was just "a very simple and very
> open" firewall script.  i.e. it's not really meant to do
> anything other than stop one person from using anything other
> than e-mail as long as they don't change their IP address or
> something.
> 
> Your point about leaving the firewall completely open if the
> script doesn't finish is a good one.  (It would be nonsense if
> the policy was DENY or REJECT, though :)
> 
> I would normally recommend that the policy be DENY or REJECT,
> but in this case it's much easier to leave it as ACCEPT and add
> a rule or two to block the abuser than try to find out exactly
> all the protocols that need to be allowed and allow them all
> individually or get him to install proxies for everything.
> 
> So, if the default policy is going to be ACCEPT, I suppose you
> should do this:
> 
> 	Set policy to DENY
> 	Clear old rules
> 	Delete old chains
> 	Set up rules you want
> 	Set policy to ACCEPT
> 
> If the policy is going to be DENY (or REJECT) just leave out the
> last bit (i.e. don't set policy to ACCEPT.)
> 
> This way, if the script doesn't finish, the default will be
> DENY.
> 
> [...]
> > following few lines should be placed before the default
> > policies.
> > 
> > > # clear old rules
> > > ipchains -F
> > > ipchains -X
> [snip]
> 
> No, unless your policy is ACCEPT.
> 
> If your policy is going to be DENY (but isn't yet) and you clear
> all the rules, you have a completely open firewall until you do
> set the policy, so there's a small window when you don't have a
> firewall (unless you never run the script with the interfaces
> already up.)
> 
> > Just another remark: there's a -l option in ipchains. It is a
> > good idea to log specific attempts (unprivport attacks). This
> > would look like this:
> > 
> > ipchains -A input -p tcp -s any/0 1024:65535 -d $YOURSERVER 1024:65535 -j DENY -l
> 
> True.  But if you want to monitor things like this you'll most
> likely want a much better firewall script than the one I
> suggested :)

That's correct :) But we have to tell the best ideas we have to help others build
a "good" firewall.
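The fail-closed ordering Michael describes (set DENY, clear rules, delete chains, add rules, only then set ACCEPT) written out as a 2.2.x ipchains script. This is an added example, not a script from either poster; ABUSER and MAILSERVER are the thread's placeholder addresses, the SMTP/POP3 rules are my own reading of "e-mail only", and the IPCHAINS/DRY_RUN knobs and the fw helper are assumptions for this example so the ordering can be inspected on a box without ipchains.

```shell
#!/bin/sh
# Added example (not from the thread): Michael Wood's fail-closed ordering
# for a script whose final default policy is ACCEPT.
ABUSER=192.168.0.123/32          # placeholder from the thread
MAILSERVER=10.0.0.1/32           # placeholder from the thread
IPCHAINS=${IPCHAINS:-ipchains}   # assumed knob: path to the ipchains binary

# fw: run one ipchains command, or just print it when DRY_RUN=1 (assumed
# knob). Any real failure aborts the script, so the policy stays DENY.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@" || exit 1
    fi
}

apply_firewall() {
    # 1. Fail closed first: if anything below aborts, nothing gets through.
    fw -P input DENY
    fw -P forward DENY
    fw -P output DENY
    # 2. Only now is it safe to flush old rules and delete user chains;
    #    doing this before step 1 would leave an open window.
    fw -F
    fw -X
    # 3. The rules we actually want: the abuser may reach the mail server
    #    on SMTP and POP3 (assumed reading of "e-mail only"); everything
    #    else from that address is denied and logged with -l.
    fw -A input -p tcp -s "$ABUSER" -d "$MAILSERVER" 25  -j ACCEPT
    fw -A input -p tcp -s "$ABUSER" -d "$MAILSERVER" 110 -j ACCEPT
    fw -A input -s "$ABUSER" -j DENY -l
    # 4. Open the default policy as the very last step.
    fw -P input ACCEPT
    fw -P forward ACCEPT
    fw -P output ACCEPT
}

# Dry run to review the order:  DRY_RUN=1 sh fw.sh && apply_firewall
# For a policy that stays DENY, simply drop step 4.
```

Run it as root on the router to apply, or with DRY_RUN=1 to see the eleven commands in the order they would execute.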
