Re: firewall critique

To: debian-firewall@lists.debian.org
Subject: Re: firewall critique
From: Ansgar Wiechers <lists@planetcobalt.net>
Date: Thu, 7 May 2009 10:57:35 +0200
Message-id: <[🔎] 20090507085735.GA29336@mail.planetcobalt.net>
In-reply-to: <[🔎] ecfa260c0905061828q64113a18s527cd27f2ee9a5da@mail.gmail.com>
References: <[🔎] ecfa260c0905061828q64113a18s527cd27f2ee9a5da@mail.gmail.com>

On 2009-05-06 Zachary Uram wrote:
> Running Debian lenny. I run a web server and try to keep all other
> ports closed. Would like to get some feedback on my firewall. If you
> have any suggestions for rules to add or other changes please let me
> know. Also what are some other steps I can take next to further
> increase my security?
> 
> iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP ;
> iptables -A INPUT -p tcp -m conntrack --ctstate NEW -i eth0 --dport 80
> -j ACCEPT ;
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -j DROP ;
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

If the server is only a web server and you're only worried about inbound
connections, then I'd suggest to just keep the other ports closed (i.e.
don't have any services listening on them) and drop iptables altogether.
Using a packet filter to block inbound traffic is futile if your ports
are already closed. By not using a packet filter you also avoid the risk
of vulnerabilities in the packet filter's code being exploited.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html

Reply to:

References:
- firewall critique
  - From: Zachary Uram <netrek@gmail.com>

Prev by Date: Re: firewall critique
Next by Date: Re: firewall critique
Previous by thread: Re: firewall critique
Next by thread: Re: firewall critique
Index(es):
- Date
- Thread