
Re: Default Policy = DROP. Help-me



On 2007-10-25 Yuri Rodrigues wrote:
> $iptables -A FORWARD -i $internet -o $intranet -p tcp --dport 4899 -m 
> state --state NEW -j ACCEPT
> $iptables -A FORWARD -i $intranet -o $internet -p tcp --sport 4899 -m 
> state --state NEW -j ACCEPT

Ummm... why are you accepting NEW connections with source port 4899?

[...]
> $iptables -A INPUT -p tcp --dport 22 -i $intranet -m state --state NEW 
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $intranet -m state --state NEW  
> -j ACCEPT
> $iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
> $iptables -A FORWARD -p tcp --sport 22 -m state --state NEW -j ACCEPT
> ## FIREWALL 2 INTERNET
> $iptables -A INPUT -p tcp --sport 22 -i $internet -m state --state NEW 
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --dport 22 -o $internet -m state --state NEW 
> -j ACCEPT
> ## INTERNET 2 FIREWALL
> $iptables -A INPUT -p tcp --dport 22 -i $internet -m state --state NEW 
> -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $internet -m state --state NEW 
> -j ACCEPT
> ## FIREWALL 2 LAN
> $iptables -A OUTPUT -p tcp --dport 22 -o $intranet -m state --state NEW 
> -j ACCEPT
> $iptables -A INPUT -p tcp --sport 22 -i $intranet -m state --state NEW 
> -j ACCEPT

Same here for source port 22.

Also, if your firewall has only these two interfaces, you may as well
simplify these two rules:

  $iptables -A OUTPUT -p tcp --dport 22 -o $internet -m state --state NEW \
    -j ACCEPT
  $iptables -A OUTPUT -p tcp --dport 22 -o $intranet -m state --state NEW \
    -j ACCEPT

to a single rule:

  $iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

[...]
> $iptables -A FORWARD -i $intranet -p tcp --dport 80 -j ACCEPT
> $iptables -A FORWARD -i $internet -p tcp --sport 80 -j ACCEPT

What I said before applies to all ports, not just 22/tcp, y'know. You
don't need (nor do you want) a --sport rule.

[...]
> #### ICMP Limit ####
> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

Again, 1 packet per second is awfully low. With a setting that low, no
more than one host will be able to ping your server at any given time.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
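The fix the reply is pointing at, as an added example that is not part of the thread and not Yuri's or Ansgar's script: one ESTABLISHED,RELATED rule per chain takes care of every reply packet, so none of the `--sport` rules are needed, the two OUTPUT rules for 22/tcp collapse into one without `-o`, and the ICMP limit gets some headroom. The ruleset is emitted as text rather than applied, and a small lint function flags the pattern criticised above (an ACCEPT rule that matches on `--sport` without being the ESTABLISHED/RELATED rule). Interface names, the `$iptables` variable and the ICMP limit values are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset. Assumptions: the
# interface variables from the thread, and illustrative ICMP limit values.
iptables=${IPTABLES:-iptables}
internet=${INTERNET_IF:-eth0}   # assumed interface names
intranet=${INTRANET_IF:-eth1}

# Print a minimal stateful ruleset (pipe into sh as root to apply it).
stateful_ruleset() {
    cat <<EOF
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
$iptables -A INPUT  -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# Replies and related traffic (ICMP errors, FTP data channels) for every
# accepted connection, in every chain. This is the job the --sport rules
# were trying to do, and it needs no per-port rules at all.
$iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections match only on direction and destination port.
$iptables -A FORWARD -i $internet -o $intranet -p tcp --dport 4899 -m state --state NEW -j ACCEPT
$iptables -A INPUT -i $intranet -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A INPUT -i $internet -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $intranet -o $internet -p tcp --dport 80 -m state --state NEW -j ACCEPT
# ICMP with headroom (values are illustrative; default --limit-burst is 5).
$iptables -A INPUT -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
EOF
}

# Lint a ruleset read from stdin: print every ACCEPT rule that matches on
# --sport unless it is the ESTABLISHED/RELATED rule; return 1 if any found.
lint_sport_rules() {
    offenders=$(grep -E -e '--sport' \
        | grep -E -e '-j +ACCEPT' \
        | grep -Ev -e '--state +[A-Z,]*(ESTABLISHED|RELATED)' || true)
    if [ -n "$offenders" ]; then
        printf 'source-port ACCEPT rule (replace with ESTABLISHED,RELATED): %s\n' "$offenders"
        return 1
    fi
    return 0
}

# Stand-alone use: print the generated ruleset, then lint it.
stateful_ruleset
stateful_ruleset | lint_sport_rules && echo '# lint: no --sport ACCEPT rules'
```

On current kernels `-m conntrack --ctstate` replaces `-m state --state`; the logic is the same. Run the original script through `lint_sport_rules` to get the list of rules the reply is objecting to.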


