Re: secured server policies

To: debian-firewall@lists.debian.org
Subject: Re: secured server policies
From: Ansgar Wiechers <lists@planetcobalt.net>
Date: Mon, 3 Nov 2008 14:32:52 +0100
Message-id: <[🔎] 20081103133252.GA18928@mail.planetcobalt.net>
In-reply-to: <[🔎] 490B9532.2010306@yahoo.com.br>
References: <5bd2109b0810231733n642d07b6m66e8e4a23041f880@mail.gmail.com> <[🔎] 490B9532.2010306@yahoo.com.br>

On 2008-10-31 daniel wrote:
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

You need TCP for fully functional DNS as well.

You should also allow some ICMP types.

[...]
> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT

What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
Making rules too specific will adversely affect maintenance.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html

Reply to:

Follow-Ups:
- Re: secured server policies
  - From: daniel <daniel_ccna@yahoo.com.br>

References:
- Re: secured server policies
  - From: daniel <daniel_ccna@yahoo.com.br>

Prev by Date: Problems with Madwifi and Hostapd in Etch
Next by Date: Re: secured server policies
Previous by thread: Re: secured server policies
Next by thread: Re: secured server policies
Index(es):
- Date
- Thread