
Re: secured server policies



Ansgar Wiechers wrote:
> On 2008-10-31 daniel wrote:
>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> You need TCP for fully functional DNS as well.
Why do I need TCP for fully functional DNS?
TCP must be used for zone transfers.
See --> http://www.freesoft.org/CIE/Topics/77.htm

In the rule iptables -A INPUT -p udp --sport 53 -m state --state
ESTABLISHED,RELATED -j ACCEPT, the module state is not necessary,
because it uses UDP, although it works.

So, the correct form is:
iptables -A INPUT -p udp -j ACCEPT
> 
> You should also allow some ICMP types.
I think so. What ICMP types would you set?
> 
> [...]
>> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
>> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
> Making rules too specific will adversely affect maintenance.

I agree with you. But I think if a process on that host (e.g. a trojan
horse on port 12345) tries to connect to an external host, it will
not work.
Is that correct?
> 
> Regards
> Ansgar Wiechers
I'm not an expert. :)

I'm sorry, my English is not good...

Regards
Daniel.
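Added example (not part of the thread, and not Daniel's or Ansgar's rules): a dry-run generator for the policy the thread is circling around. It allows DNS out over both UDP and TCP, a few ICMP types in, and uses a single ESTABLISHED,RELATED rule per direction with no --sport/--dport. It relies on conntrack, which tracks UDP exchanges as well as TCP connections, so a reply from port 53 is accepted because it belongs to a query this host sent, not because of its source port. With a default DROP policy on OUTPUT, a local process that tries to open a fresh connection (the port-12345 case from the post) matches no NEW rule and is dropped. The ICMP types are my suggestion; IPT defaults to "echo iptables" so the script only prints the commands for review, and you would set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# IPT is an assumption of this script: it defaults to a dry run that prints
# the iptables commands instead of executing them.
IPT="${IPT:-echo iptables}"

ruleset() {
    # Default deny in every direction.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is unconditionally allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One generic stateful rule per direction. No --sport here: conntrack
    # only marks a packet ESTABLISHED/RELATED if it belongs to a flow that
    # was already accepted by a NEW rule below, so new outbound connections
    # from unexpected local processes still hit the DROP policy.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS: UDP for ordinary queries, TCP for truncated answers
    # and zone transfers. Replies come back via the ESTABLISHED rule.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Inbound ICMP types needed for basic troubleshooting and path-MTU
    # discovery (the set is this example's choice, not the thread's).
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Services this host offers: new inbound SSH and HTTP, as in the post.
    $IPT -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
}

# Count the rule lines a dry run would emit; handy for a quick sanity check.
rule_count() {
    ruleset | grep -c '^iptables'
}

ruleset
```

Run it as-is to review the generated commands; only when they look right, rerun with IPT=iptables to load them, and keep a console session open in case the OUTPUT policy cuts off your own SSH connection before the state rule is in place.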

