
Re: newbie firewall recommendation



What I did first was to drop all defaults installed:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then I edited to allow ports I want open:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

I followed the same guideline for OUTPUT, so my tables look something
like:
iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https

I guess the question now is: is this sufficient security? I'm only running 3
applications on the server: exim, squirrelmail and apache (basically a web
and mail server). nmapping my IP shows:

(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
143/tcp    open        imap2
220/tcp    open        imap3
515/tcp    open        printer
1024/tcp   open        kdm

Which of these should I worry about (if any)?


On Wed, 4 Jun 2003, Bernd Eckenfels wrote:

> On Tue, Jun 03, 2003 at 10:37:38PM -0700, Richard Cochinos wrote:
> > This is a very simple server - X hasn't been installed - so any GUI
> > interfaces wont help me. Ideally I want only to open 4 ports 22,25,80 and
> > 443.
>
> Well, you can use "netstat -lpetu" (as root) to see the open ports on the
> system. If ssh, smtp and web are the only open ports, there is actually no
> need for a firewall.
>
> If you want to be sure nobody can expose additional ports of the system,
> you can use a simple ipchains script with 4+1 accept rules and deny
> everything else. No need for a firewall builder package or anything else to
> protect a host which is no router.
>
> Greetings
> Bernd
> --
>   (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
>  ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
>   o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
> (O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>


 -richard
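An added example, not Richard's ruleset or anything from the list: the "4+1 accept rules and deny everything else" host firewall Bernd describes, written for iptables, together with a check of the nmap listing above against the allow list. Two things are missing from the rules in the post as they stand: nothing accepts loopback traffic, and nothing accepts replies to connections that were already accepted or initiated, so with an OUTPUT policy of DROP sshd's and apache's answers to clients, exim's outbound deliveries and DNS lookups would all be dropped. The script assumes the box is not a router (FORWARD stays closed), that the IMAP server squirrelmail uses is local, and that the box must be able to open outbound TCP connections and query DNS. `gen_rules` prints the iptables commands rather than running them, so the ruleset can be reviewed (and this file tested) without root; `APPLY=1` loads it. The nmap sample at the bottom is copied from the post for the check.

```shell
#!/bin/sh
# Added example (not Richard's script): host firewall for a box that should
# offer only ssh/smtp/http/https, plus a check of an nmap listing against
# that allow list. gen_rules prints the iptables commands so they can be
# reviewed without root; run as root with APPLY=1 to load them. "-m state"
# is still accepted by current iptables as an alias of "-m conntrack".

ALLOWED_TCP="22 25 80 443"

gen_rules() {
    # $1: space-separated TCP ports to accept from anywhere
    ports=$1
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback stays open: squirrelmail talks to the local IMAP server over it
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections already accepted or initiated; without these an
# OUTPUT DROP policy also drops sshd's and apache's answers to clients
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
EOF
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# outbound: the box may open new TCP connections (exim delivering mail, apt)
# and query DNS; anything else arriving is logged (rate limited) and dropped
iptables -A OUTPUT -p tcp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

unexpected_ports() {
    # $1: allow list; stdin: nmap output in the "port/tcp  state  service"
    # layout shown in the post. Prints open TCP ports not in the allow list.
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, f, "/")
            if (!(f[1] in ok)) print f[1], $3
        }'
}

# Constructed sample: the scan result quoted in the post.
SAMPLE_SCAN='(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
143/tcp    open        imap2
220/tcp    open        imap3
515/tcp    open        printer
1024/tcp   open        kdm'

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$ALLOWED_TCP" | sh        # as root
else
    gen_rules "$ALLOWED_TCP"
    echo "# open in the scan but not in the allow list:"
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWED_TCP"
fi
```

Two observations on the post itself follow from what is visible in it. The `iptables -L` listing still says `policy ACCEPT` for INPUT and OUTPUT, and the scan shows ports (9, 13, 37, 111, 113, 143, 220, 515, 1024) that the posted rules never accept, so whatever is loaded is not the intended ruleset; after loading, confirm with `iptables -L -n -v` and rescan from another host. Second, the filter is the "+1" safety net, not the fix: 9/13/37 are inetd's built-in discard/daytime/time services, 111 is portmap, 515 is lpd and 113 is identd, none of which a web and mail server needs, so turn them off and verify with `netstat -lpetu` as Bernd suggests; the IMAP server squirrelmail uses should listen on 127.0.0.1 only. The `kdm` next to 1024/tcp is just the name in nmap's services table for that port number, not an identification of what is listening there.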


