
Re: IPtables bash script



On Mon, May 23, 2016 at 4:13 PM,  <deb023@respiranto.de> wrote:
> On 2016-05-23 19:54, Ralph Sanchez wrote:
>> Yes, this is a personal laptop. If you notice, I have default POLICY
>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>> accept HTTPS and HTTP, correct? I'm still learning how all this works,
>> but that's what it seemed to me and was explained in other guides and
>> tutorials I needed to do. And if I don't ACCEPT there, I don't get any
>> web pages whatsoever so.
> Whenever you perform an HTTP(S) request, the response should be treated
> as RELATED, hence allowing all RELATED inbound traffic should suffice.

So, would it be better to not base any outgoing connections on
stateful connections and simply just allow it via port, since either
way the port is going to allow both wanted traffic and possible
subversion, if malicious software passed the input? Or maybe put the
443 ACCEPT before the stateful filtering, and only allow established
state?


>> Thanks for the Advice on NEW, I haven't seen much said about it so
>> I'll take that advice and just enable RELATED as well, considering
>> that solves the biggest problem I had as far as still accessing the
>> web.
>>
>> And as far as blocking outbound, I just don't see any reason to allow
>> any more data in or out at any moment then is absolutely needed, and
>> it should help mitigate some malicious software calling home even if
>> it does get through into my system.
> It could still connect via 80,443. However, you are right, your setup
> will block those malicious pieces of software, that do not try to use
> those (and that do not gain root rights).

Yeah, I wasn't sure whether I should leave those options in or just go
off stateful... see previous statement. Also, if something gains root
rights in my system, then I've got more problems than a faulty
firewall.

>> Thanks for the reading, that's where I'm heading now : )
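The combination the thread is circling around (default DROP both ways, INPUT accepting only ESTABLISHED,RELATED so no inbound 80/443 rule is needed, OUTPUT accepting NEW connections only to chosen ports) as one iptables-restore ruleset. This is an added example, not the poster's script; the outbound port list (53 for DNS, 80, 443) and the `lo` interface are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful iptables ruleset for a
# personal laptop in iptables-restore format. Inbound accepts only replies to
# connections this host opened (ESTABLISHED,RELATED), so HTTP(S) responses get
# in without any INPUT ACCEPT on 80/443. Outbound accepts NEW connections only
# to the assumed ports below; anything else hits the OUTPUT DROP policy.
ALLOWED_OUT_TCP="80 443"   # assumption: the ports this laptop needs outbound

gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must work for local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot tie to any connection (e.g. stray ACKs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections this host initiated; covers HTTP(S) responses
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# later packets of connections the rules below already let through
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS (assumed) has to succeed before any web request can be made
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # only NEW outbound TCP connections to the listed ports are allowed
    for p in $ALLOWED_OUT_TCP; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# number of INPUT rules that open a port to unsolicited traffic; should be 0
count_inbound_port_accepts() {
    gen_rules | grep -c -- '-A INPUT .*--dport' || true
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore   # applies the whole set atomically (needs root)
else
    gen_rules                      # print the ruleset for review first
fi
```

Review the printed ruleset, then run with `--apply` as root; iptables-restore loads it atomically, so a typo leaves the old rules in place rather than a half-built table.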

