
Re: IPtables bash script



On 2016-05-23 22:32, Ralph Sanchez wrote:
> On Mon, May 23, 2016 at 4:13 PM,  <deb023@respiranto.de> wrote:
>> On 2016-05-23 19:54, Ralph Sanchez wrote:
>>> Yes, this is a personal laptop. If you notice, I have default POLICY
>>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>>> accept HTTPS and HTTP, correct? I'm still learning how all this works,
>>> but that's what it seemed to me and was explained in other guides and
>>> tutorials I needed to do. And if I don't ACCEPT there, I don't get any
>>> web pages whatsoever.
>> Whenever you perform an HTTP(S) request, the response should be treated
>> as RELATED, hence allowing all RELATED inbound traffic should suffice.
> 
> So, would it be better to not base any outgoing connections on
> stateful connections and simply just allow it via port, since either
> way the port is going to allow both wanted traffic and possible
> subversion, if malicious software passed the input? Or maybe put the
> 443 ACCEPT before the stateful filtering, and only allow established
> state?
As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in-
and outbound connections. I might have mixed up RELATED and ESTABLISHED
a little in the former emails, by the way. Apart from that, you may
block as much as you want. And I would suggest blocking any other INPUT
(except for icmp (possibly partly) and lo). But again, if you really
want to secure your box, take the time to thoroughly read a few manuals
and possibly even a few RFCs.
> 
> 
>>> Thanks for the Advice on NEW, I haven't seen much said about it so
>>> I'll take that advice and just enable RELATED as well, considering
>>> that solves the biggest problem I had as far as still accessing the
>>> web.
>>>
>>> And as far as blocking outbound, I just don't see any reason to allow
>>> any more data in or out at any moment than is absolutely needed, and
>>> it should help mitigate some malicious software calling home even if
>>> it does get through into my system.
>> It could still connect via 80,443. However, you are right, your setup
>> will block those malicious pieces of software that do not try to use
>> those (and that do not gain root rights).
> 
> Yeah, I wasn't sure whether I should leave those options in or just go
> off stateful...see previous statement.  Also, if something gains root
> rights in my system, then I've got more problems than a faulty
> firewall.
> 
>>> Thanks for the reading, that's where I'm heading now : )
> 
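As an added example (not the script posted in this thread, and not anyone's ruleset but this editor's), here is what the advice above looks like as a complete iptables ruleset: default DROP on every chain, RELATED,ESTABLISHED accepted in both directions so that HTTP(S) replies need no inbound port 80/443 rule, loopback and a rate-limited subset of ICMP accepted inbound, and only NEW outbound connections to an explicit port list. The port lists and the function names are assumptions for the example. The ruleset is generated as text in iptables-restore format so it can be inspected and checked before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal stateful ruleset for a
# personal laptop, emitted in iptables-restore format. Port lists are assumed.

# Outbound ports a user-space client may open NEW connections to (assumed lists).
ALLOW_OUT_TCP="${ALLOW_OUT_TCP:-53 80 443}"
ALLOW_OUT_UDP="${ALLOW_OUT_UDP:-53 123}"

# Print the ruleset; it is data, so it can be reviewed before being loaded.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is unconditionally allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot associate with any connection are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host opened arrive as ESTABLISHED (or RELATED,
# e.g. ICMP errors and FTP data channels), so no inbound 80/443 rule is needed.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# "icmp (possibly partly)": answer echo requests, rate-limited; nothing else new.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # Only NEW outbound connections to the listed ports are permitted; malware
    # using 80/443 still gets out, as noted in the thread, but anything else does not.
    for p in $ALLOW_OUT_TCP; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOW_OUT_UDP; do
        printf '%s\n' "-A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Count the rules in chain $1 that accept RELATED,ESTABLISHED traffic (sanity check:
# exactly one per chain is expected).
count_state_rules() {
    gen_rules | grep -c -- "-A $1 .*--ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Load the ruleset atomically (requires root). Pass --test to only validate it:
#   apply_rules --test
apply_rules() {
    gen_rules | iptables-restore "$@"
}
```

Run `gen_rules` to see the ruleset, `apply_rules --test` to let iptables-restore parse it without touching the kernel, and `apply_rules` as root to load it in one atomic step, which avoids the window of a half-applied script where the policy is already DROP but the ESTABLISHED rule is not yet in place.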