
Re: Port 80 Open



Ansgar, Paolo, and David,

	Thanks for the help.  I utilized your ideas and ran nmap and
	nothing comes up (I did this from the same host, though).  My
	logs dropped to nil activity after implementing a combo of the
	techniques you three mentioned (also, is it a bad thing if my
	logs aren't writing anything now, or is it that my ports can't
	be "seen"?).  Interestingly (to me), ports 0 and 1 come up as
	closed (from grc.com, I assume because of the set limits that
	make my firewall "adaptive").

> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> You can omit the last one if you're not forwarding packets.

	Only a small minority of people use the forward chain, right?  I
	read somewhere that not even ISPs use port forwarding
	(relaying?).

> Why are you ACCEPTing traffic based on the source address? For new
> outbound connections you should ACCEPT based on destination and state
> NEW, for everything else, you should use an ESTABLISHED,RELATED rule
> just like you do in the INPUT chain.

	Currently, I have OUTPUT accepting NEW,ESTABLISHED,RELATED.  If
	I'm thinking right about what you said Ansgar, the only thing I
	need to worry about in OUTPUT is NEW, so I'm about to change it
	and see what happens.
> 
> Repeating myself: "stealth" is braindead marketing babble invented by
> people who failed to understand TCP/IP for people who fail to understand
> TCP/IP. Your host doesn't magically become "invisible" just because it
> drops packets. TCP/IP doesn't work that way.

	Then why does the site http://www.grc.com keep referring to
	ports as being under stealth?  Are they defining "stealth" in a
	different way?  What does one have to gain by propagating this
	"marketing babble"?

> Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
> is a vital part of IP and required e.g. for troubleshooting connection
> problems. Rather do something like this:
> 
> iptables -N icmp_packets
> # Allow ping, but limit it to 10 requests per second:
> iptables -A icmp_packets -p icmp --icmp-type echo-request \
>   -m state --state NEW -m limit --limit 10/sec -j ACCEPT
> # Allow echo replies (pong) for accepted pings:
> iptables -A icmp_packets -p icmp --icmp-type echo-reply \
>   -m state --state ESTABLISHED -j ACCEPT
> # Allow troubleshooting messages for all established connections:
[...]
> iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
>   -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -j DROP
>
	Thanks for this (above).

> I'd also recommend to REJECT packets rather than simply DROP them, so I
> usually define a DENY chain and put it at the end of the INPUT, OUTPUT
> and FORWARD chains:
> 
> iptables -N DENY
> iptables -A DENY -p tcp -m limit --limit 10/sec -j REJECT \
>   --reject-with tcp-reset
> iptables -A DENY -p udp -m limit --limit 10/sec -j REJECT \
>   --reject-with icmp-port-unreachable
> iptables -A DENY -j DROP

	Thanks again.

-- 
Telly Williams
"Knowledge Is Power"
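
The stateful ruleset the thread converges on (OUTPUT accepting only NEW on top of ESTABLISHED,RELATED, the icmp_packets chain, and the rate-limited DENY chain at the end of INPUT, OUTPUT and FORWARD), assembled here as an added example in iptables-restore format; it is not from the original message or from Ansgar's post. It uses `-m conntrack --ctstate`, the current name of the `-m state --state` match quoted above, and adds one rate-limited LOG rule at the top of DENY so that rejected packets still reach the kernel log. Assumptions: the host offers a single service (SSH on tcp/22, a placeholder) and does not route, so FORWARD has nothing but DENY. The `lint_ruleset` helper is a static check, written for this example, that every chain a rule jumps to is either built in or declared with a `:name` line, which is the kind of typo iptables-restore would otherwise refuse at load time.

```shell
#!/bin/sh
# Added example: complete single-host ruleset for iptables-restore.
# Assumption: one service (tcp/22, placeholder) and no forwarding.
gen_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
:DENY - [0:0]
# INPUT: loopback, replies to our own traffic, ICMP, the one service, then DENY
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j icmp_packets
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DENY
# OUTPUT: only NEW needs a rule of its own; restrict it with -d/--dport if wanted
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j DENY
# FORWARD: this host does not route, so everything is rejected and logged
-A FORWARD -j DENY
# ICMP: ping with a rate limit, pong for our own pings, error messages for
# existing connections, everything else dropped
-A icmp_packets -p icmp -m icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 10/sec -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type destination-unreachable -m conntrack --ctstate RELATED -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type parameter-problem -m conntrack --ctstate RELATED -j ACCEPT
-A icmp_packets -j DROP
# DENY: log a sample, answer TCP with RST and UDP with port-unreachable
# (rate limited so a flood cannot turn the host into a reflector), drop the rest
-A DENY -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-deny: "
-A DENY -p tcp -m limit --limit 10/sec -j REJECT --reject-with tcp-reset
-A DENY -p udp -m limit --limit 10/sec -j REJECT --reject-with icmp-port-unreachable
-A DENY -j DROP
COMMIT
EOF
}

# Static consistency check on a ruleset read from stdin: every chain that a
# rule appends to or jumps to must be built in or declared, and the table
# must end with COMMIT. Exit status 0 means consistent.
lint_ruleset() {
    awk '
        BEGIN {
            n = split("ACCEPT DROP REJECT LOG RETURN", b, " ")
            for (k = 1; k <= n; k++) builtin[b[k]] = 1
            bad = 0; committed = 0
        }
        /^:/ { declared[substr($1, 2)] = 1 }
        /^-A/ {
            if (!($2 in declared)) { print "undeclared chain: " $2; bad = 1 }
            for (i = 1; i < NF; i++) if ($i == "-j") {
                t = $(i + 1)
                if (!(t in builtin) && !(t in declared)) {
                    print "unknown target: " t; bad = 1
                }
            }
        }
        $0 == "COMMIT" { committed = 1 }
        END { if (!committed) { print "missing COMMIT"; bad = 1 } exit bad }
    '
}

# Load the ruleset (root only). With DRY=1 iptables-restore only parses
# the input and does not commit it (its --test switch).
apply_ruleset() {
    gen_ruleset | lint_ruleset >/dev/null || return 1
    if [ "${DRY:-0}" = 1 ]; then
        gen_ruleset | iptables-restore --test
    else
        gen_ruleset | iptables-restore
    fi
}
```

Run `DRY=1 apply_ruleset` as root first, then `apply_ruleset`. Check the result from a second machine: an nmap run against the host's own address from the host itself is delivered over the loopback interface and exercises only the `-i lo` rule, so it says nothing about what the outside sees. The LOG rule in DENY is what keeps the log from going silent: with plain DROP rules, nothing records what was refused.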
