
Re: your mail



Hi

On Thu, Jun 28, 2001 at 12:02:44PM +0200, Raffael Ferenc wrote:
> On Thu, Jun 28, 2001 at 08:50:49AM +0200, Michael Wood wrote:
> 
[snip]
> > e.g. Assuming you're using kernel 2.2.x here's a very simple and
> > very open firewall configuration:
> > 
> > # define constants
> > ABUSER=192.168.0.123/32
> > MAILSERVER=10.0.0.1/32
> > 
> > # set the default policy
> > ipchains -P input ACCEPT
> > ipchains -P forward ACCEPT
> > ipchains -P output ACCEPT
> 
> I suggest ACCEPT as the default policy may become extremely
> dangerous if the firewall script doesn't run completely. I'd
> say that default policy should be DENY or REJECT, and the
[...]

Well, as I said, the guy has a router with NO firewalling at
the moment, so this script was just "a very simple and very
open" firewall script.  i.e. it's not really meant to do
anything other than stop one person from using anything other
than e-mail as long as they don't change their IP address or
something.

Your point about leaving the firewall completely open if the
script doesn't finish is a good one.  (It would be nonsense if
the policy was DENY or REJECT, though :)

I would normally recommend that the policy be DENY or REJECT,
but in this case it's much easier to leave it as ACCEPT and add
a rule or two to block the abuser than try to find out exactly
all the protocols that need to be allowed and allow them all
individually or get him to install proxies for everything.

So, if the default policy is going to be ACCEPT, I suppose you
should do this:

	Set policy to DENY
	Clear old rules
	Delete old chains
	Set up rules you want
	Set policy to ACCEPT

If the policy is going to be DENY (or REJECT) just leave out the
last bit (i.e. don't set policy to ACCEPT.)

This way, if the script doesn't finish, the default will be
DENY.

[...]
> following few lines should be placed before the default
> policies.
> 
> > # clear old rules
> > ipchains -F
> > ipchains -X
[snip]

No, unless your policy is ACCEPT.

If your policy is going to be DENY (but isn't yet) and you clear
all the rules, you have a completely open firewall until you do
set the policy, so there's a small window when you don't have a
firewall (unless you never run the script with the interfaces
already up.)

> Just another remark: there's a -l option in ipchains. It is a
> good idea to log specific attempts (unprivport attacks). This
> would look like this:
> 
> ipchains -A input -p tcp -s any/0 1024:65535 -d $YOURSERVER 1024:65535 -j DENY -l

True.  But if you want to monitor things like this you'll most
likely want a much better firewall script than the one I
suggested :)

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
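
The fail-closed ordering described in the message above (set the policy to DENY, flush and delete the old rules, add the rules you want, and only then set the policy to ACCEPT), written out as a complete script. This is an added example, not a script from the original thread or from either poster. ABUSER and MAILSERVER are the constants from the quoted script; the two rules for the abuser, the fw_run/fw_apply helper names and the IPCHAINS override variable are assumptions made for the example. It targets ipchains on a 2.2 kernel, so on any other system it can only be run against a shim as in the usage note.

```shell
#!/bin/sh
# Added example (not the original poster's script): fail-closed ordering for an
# ipchains (kernel 2.2) script whose *final* default policy is ACCEPT.
# ABUSER/MAILSERVER come from the quoted script; the two rules and the
# IPCHAINS override are assumptions for illustration.

IPCHAINS="${IPCHAINS:-ipchains}"   # point at a shim to dry-run without a 2.2 kernel
ABUSER=192.168.0.123/32
MAILSERVER=10.0.0.1/32

# Run one ipchains command.  On failure, report it and return non-zero so the
# caller stops while the default policy is still DENY.
fw_run() {
    "$IPCHAINS" "$@" && return 0
    echo "fw: '$IPCHAINS $*' failed; default policy left at DENY" >&2
    return 1
}

fw_apply() {
    # 1. Close the firewall first, so an aborted run leaves it closed.
    fw_run -P input DENY   || return 1
    fw_run -P forward DENY || return 1
    fw_run -P output DENY  || return 1

    # 2. Clear old rules and delete user chains; DENY now covers the gap
    #    between flushing and re-adding rules.
    fw_run -F || return 1
    fw_run -X || return 1

    # 3. The rules actually wanted (assumed for the example: the abuser may
    #    only reach the mail server; everything else from that host is
    #    dropped and logged with -l).
    fw_run -A input -s "$ABUSER" -d "$MAILSERVER" -j ACCEPT || return 1
    fw_run -A input -s "$ABUSER" -j DENY -l                 || return 1

    # 4. Only now open the default policy.  For a firewall whose policy is
    #    meant to stay DENY or REJECT, leave this step out entirely.
    fw_run -P input ACCEPT   || return 1
    fw_run -P forward ACCEPT || return 1
    fw_run -P output ACCEPT  || return 1
}

# Usage: sh fw.sh apply
case "${1:-}" in
    apply) fw_apply ;;
esac
```

To check the ordering on a machine without ipchains, define a shell function that records its arguments (for example `fake() { echo "$*" >> /tmp/fw.log; }`), export `IPCHAINS=fake` and call `fw_apply`: the first line logged must be `-P input DENY` and the last `-P output ACCEPT`. If any rule fails, fw_apply returns non-zero before the ACCEPT lines are reached, which is the whole point of the ordering.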


