Re: secured server policies

To: debian-firewall@lists.debian.org
Subject: Re: secured server policies
From: daniel <daniel_ccna@yahoo.com.br>
Date: Sat, 08 Nov 2008 21:32:18 +0000
Message-id: <[🔎] 49160562.2050607@yahoo.com.br>
In-reply-to: <[🔎] 20081108223341.GA1927@mail.planetcobalt.net>
References: <5bd2109b0810231733n642d07b6m66e8e4a23041f880@mail.gmail.com> <[🔎] 490B9532.2010306@yahoo.com.br> <[🔎] 20081103133252.GA18928@mail.planetcobalt.net> <[🔎] 4915E268.7060007@yahoo.com.br> <[🔎] 20081108223341.GA1927@mail.planetcobalt.net>

Ansgar Wiechers wrote:
> On 2008-11-08 daniel wrote:
>> Ansgar Wiechers wrote:
>>> On 2008-10-31 daniel wrote:
>>>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>>>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> You need TCP for fully functional DNS as well.
>> Why do I need TCP for fully functional DNS?
>> TCP must be used for zone transfers.
> 
> TCP is also used when the response to a name lookup exceeds 512 bytes
> (the size of a UDP packet).
> 
>> In the rule iptables -A INPUT -p udp --sport 53 -m state --state
>> ESTABLISHED,RELATED -j ACCEPT, the module state is not necessary,
>> because it uses UDP, although it works.
>>
>> So, the correct form is:
>> iptables -A INPUT -p udp -j ACCEPT
> 
> Wrong. netfilter does keep track even of UDP connections, so a rule
> checking for state ESTABLISHED,RELATED will match only those packets
> that relate to some other connection. Which usually is what you want at
> that point.
Hummm, I thought that ESTABLISHED,RELATED worked with SYN, SYN/ACK, etc...
Please, do you know where do I learn more about that?

> 

[...]
>>>> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
>>>> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
>>> Making rules too specific will adversely affect maintenance.
>> I agree with you. But I think if a process on that host (i.e. trojan
>> horse on the door 12345) tries to connect to an external host, it will
>> not work.
>> Is it correct?
> 
> To a degree. First of all: when a trojan horse is running on your
> system, your security is already compromised and you should immediately
> take the box off the 'net, investigate how the incident happened, and
> then reinstall the system.
> 
> That said, yes, with those rules a process probably won't be able to
> connect outbound. However, that's not because of the ports specified
> there, but because the rule in the OUTPUT chain allows only packets of
> already established connections, and the rule in the INPUT chain allows
> only new inbound connections. Of course I'm assuming here that a) no
> other rules in either chain allows packets in or out, and b) the default
> policies for both chains are set to DROP.
> 
> If you're worried about response packets from connections to some
> program listening on port 12345 being allowed by an ESTABLISHED,RELATED
> rule: I'd suggest you rather ask yourself why the connection to port
> 12345 could be established in the first place.
Very good explanation.

Thanks.
> 
> Regards
> Ansgar Wiechers

Reply to:

Follow-Ups:
- Re: secured server policies
  - From: Ansgar Wiechers <lists@planetcobalt.net>

References:
- Re: secured server policies
  - From: daniel <daniel_ccna@yahoo.com.br>
- Re: secured server policies
  - From: Ansgar Wiechers <lists@planetcobalt.net>
- Re: secured server policies
  - From: daniel <daniel_ccna@yahoo.com.br>
- Re: secured server policies
  - From: Ansgar Wiechers <lists@planetcobalt.net>

Prev by Date: Re: secured server policies
Next by Date: Re: secured server policies
Previous by thread: Re: secured server policies
Next by thread: Re: secured server policies
Index(es):
- Date
- Thread