'Generic' Firewall Rulesets?

To: debian-security@lists.debian.org
Subject: 'Generic' Firewall Rulesets?
From: Troy Telford <troyt@myrealbox.com>
Date: Sat, 04 Nov 2000 01:07:00 -0700
Message-id: <[🔎] 3A03C3A4.70303@myrealbox.com>

Having looked and not found, I'm asking here:

Is there any place where I can find a general ruleset for a firewall?

And, moreover, while many howto's mention how to specify a rule for aruleset, they do not specify *what* rules are good/bad/ugly, etc.


For instance:

Even though packets coming from an FTP port are allowed (supposedly toallow FTP downloads...), apt-get is unable to function properly.

Moreover, I have no idea what a 'good' ruleset to simply allow FTPrequests from my machine (such as those made by an FTP client on mymachine, apt-get, etc.) are reasonably secure. And, in my case, I haveincoming FTP disabled, but is there a way to block packets at thefirewall (from people requesting FTP services on my computer), whileallowing my FTP requests to go unhindered?

In fact, I couldn't really find any good information on general firewallconstruction. I could find information on how to set a rule for thefirewall; but now I need to find information on *what* kind of rules aregood, and why (and what is bad, and why).

Another Example: From what I understand, all TCP/UDP ports above 1024are 'user' ports, and have no services attatched to them. What kind ofpossible security problems/other risks are involved by having theseports essentially 'open' to the world? What is the tradeoff withclosing them off?

For my particular situation, the computer is connected directly to theinternet on a campus network. I want to be able to have a good 'basic'firewall ruleset that will allow me to do my normal tasks as thoughthere were no firewall active, yet filter out all incoming connectionrequests (such as telnet, ftp, etc.). I'm running kernel 2.4.0-test9; Ihave iptables figured out and can apply rulesets just fine. It'sknowing what rules make sense and what ones don't that I need help on.

I'm more interested in learning how to create a good firewall thansimply having one. (So I can make one from scratch should I ever have aspecific need).


Thanks for any help offered.  I hope I didn't run in too many circles!

-Troy

Reply to:

Follow-Ups:
- Re: 'Generic' Firewall Rulesets?
  - From: mikehaarman <mike@haarman.net>
- Re: 'Generic' Firewall Rulesets?
  - From: Steve Bowman <sbowman@frostwork.net>
- RE: 'Generic' Firewall Rulesets?
  - From: "Jan Martin Mathiassen" <debian@TGR.yi.org>

Prev by Date: Re: nss-ldap security bug
Next by Date: Re: buffer overflow in pine <= 4.21
Previous by thread: Re: nss-ldap security bug
Next by thread: Re: 'Generic' Firewall Rulesets?
Index(es):
- Date
- Thread