
Re: Default Policy = DROP. Help-me

On 2007-10-27 Pascal Hambourg wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-10-24 Yuri Rodrigues wrote:
>>> I usually browse the Internet, get ssh servers for my network and
>>> get my ssh server when I am in a remote location. But I cannot access
>>> ssh servers from my server firewall. Can somebody help me with that
>>> firewall?
> [...]
>> Ouch. *Never* flush the chains before setting the default policies.
>> Also *never* enable IP forwarding before setting the default
>> policies.
> I guess you mean "before setting default policies to DROP".
>> $iptables -t filter -P INPUT DROP
>> $iptables -t filter -P OUTPUT DROP
>> $iptables -t filter -P FORWARD DROP
>> $iptables -t nat -P PREROUTING ACCEPT
>> $iptables -t nat -P POSTROUTING ACCEPT
>> $iptables -t mangle -P PREROUTING ACCEPT
>> $iptables -t mangle -P POSTROUTING ACCEPT
> What about the other chains in the nat and mangle tables ?

I was being lazy here.

>> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Don't you forget to accept RELATED,ESTABLISHED traffic in OUTPUT and
> FORWARD and outgoing traffic on the loopback interface ?

Yes, as I already mentioned in a later reply.

>>> #### Protection against ping flood ####
>>> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>> echo "Protecao contra ping flood ......................... [ Ok ]"
>> A limit rule does not protect against ping floods. "ping flood" means
>> that the attacker is sending so many echo requests that they consume
>> your entire bandwidth. There's exactly nothing you can do on your
>> firewall to protect you from that.
> Except when you're on a link with asymmetric up/down bandwidth such as
> ADSL. If you're on a 128/512 kbit/s link, a 128 kbit/s flood ping is
> not enough to fill your downstream but enough to fill your upstream. By
> limiting the incoming echo request (and *not any* ICMP type) rate, you
> can limit the outgoing echo reply rate and avoid consuming all your
> upstream bandwidth.

A valid point, though probably somewhat theoretical. How often does a
situation where a flood doesn't consume the entire downstream bandwidth
really occur? Please note that I'm not objecting to rate-limiting
incoming ICMP packets (on the contrary). I'm merely saying that unlike
limiting incoming syn packets it won't protect from floods. At least in
most cases.

Ansgar Wiechers
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
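The bring-up order argued for in this thread (default policies set to DROP before the flush and before forwarding is enabled, RELATED,ESTABLISHED accepted in all three filter chains, loopback allowed, and a rate limit on echo requests only rather than on all of ICMP), as an added example script that is not from any poster in the thread. It defaults to a dry run that prints the commands instead of applying them; the 1/s limit, the burst of 5 and the iptables binary name are assumptions.

```shell
#!/bin/sh
# Dry run by default: prints the iptables commands. Run as root with
# IPTABLES=iptables to apply them for real (assumed binary name).
IPTABLES="${IPTABLES:-echo iptables}"

apply_firewall() {
    # 1. Default policies first, so a later flush never leaves the box open.
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -t filter -P "$chain" DROP
    done
    for chain in PREROUTING OUTPUT POSTROUTING; do
        $IPTABLES -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P "$chain" ACCEPT
    done

    # 2. Only now flush rules and delete user chains; the DROP policies hold.
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
    done

    # 3. Loopback in both directions, then stateful returns in INPUT,
    #    OUTPUT and FORWARD (not just INPUT, as the original script did).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    # 4. Rate-limit echo requests only (assumed 1/s, burst 5) so echo replies
    #    cannot fill a narrow upstream; other ICMP types are not matched here.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT

    # 5. Enable forwarding last, after policies and rules are in place.
    if [ "$IPTABLES" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

apply_firewall
```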
