
'Generic' Firewall Rulesets?

Having looked and not found, I'm asking here:

Is there any place where I can find a general ruleset for a firewall?

And, moreover, while many howtos mention how to specify a rule for a ruleset, they do not specify *what* rules are good/bad/ugly, etc.

For instance:

Even though packets coming from an FTP port are allowed (supposedly to allow FTP downloads...), apt-get is unable to function properly.

Moreover, I have no idea what a 'good', reasonably secure ruleset to simply allow FTP requests from my machine (such as those made by an FTP client on my machine, apt-get, etc.) would be. And, in my case, I have incoming FTP disabled, but is there a way to block packets at the firewall (from people requesting FTP services on my computer), while allowing my FTP requests to go unhindered?

In fact, I couldn't really find any good information on general firewall construction. I could find information on how to set a rule for the firewall; but now I need to find information on *what* kind of rules are good, and why (and what is bad, and why).

Another example: From what I understand, all TCP/UDP ports above 1024 are 'user' ports, and have no services attached to them. What kind of possible security problems/other risks are involved by having these ports essentially 'open' to the world? What is the tradeoff with closing them off?

For my particular situation, the computer is connected directly to the internet on a campus network. I want to be able to have a good 'basic' firewall ruleset that will allow me to do my normal tasks as though there were no firewall active, yet filter out all incoming connection requests (such as telnet, ftp, etc.). I'm running kernel 2.4.0-test9; I have iptables figured out and can apply rulesets just fine. It's knowing what rules make sense and what ones don't that I need help on.

I'm more interested in learning how to create a good firewall than simply having one. (So I can make one from scratch should I ever have a specific need).

Thanks for any help offered.  I hope I didn't run in too many circles!


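The kind of 'basic' ruleset the post is asking for, as an added example that is not part of the original message: a minimal stateful iptables ruleset for a single host sitting directly on the Internet, written for the 2.4 kernel's iptables. The central idea is the ESTABLISHED,RELATED rule: instead of allowing packets because they come *from* port 20 or 21 (anyone on the Internet can choose that source port, and such a rule still does not cover passive FTP, which is why apt-get over ftp:// tends to break), connection tracking admits only the replies to connections this host opened, and the ip_conntrack_ftp helper marks the FTP data channel as RELATED. With a default policy of DROP on INPUT, ports above 1024 are not 'open' at all: an unsolicited packet to any port, high or low, is dropped, and a port is only reachable if a service listens there *and* a rule admits new connections to it. The script assumes the ip_conntrack and ip_conntrack_ftp modules are loadable, and uses a hypothetical APPLY switch: without it the script only prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): stateful iptables ruleset
# for a single Internet-connected host, kernel 2.4 / iptables.
# Assumes the ip_conntrack and ip_conntrack_ftp modules are available.
#
#   sh fw.sh            -> prints the commands (hypothetical dry-run mode)
#   APPLY=1 sh fw.sh    -> as root, actually loads the rules

if [ -n "${APPLY:-}" ]; then
    IPT="iptables"
    MODPROBE="modprobe"
else
    IPT="echo iptables"
    MODPROBE="echo modprobe"
fi

load_rules() {
    # Connection tracking. The FTP helper watches the control channel
    # (port 21) and marks the data connection as RELATED, so both active
    # and passive FTP (including apt-get over ftp://) work without any
    # rule that opens high ports to the outside.
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp

    # Start from a clean slate.
    $IPT -F
    $IPT -X

    # Default policies: nothing comes in unless a rule allows it,
    # this host may initiate anything, and it forwards nothing.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is needed by local services (X, a local MTA, DNS cache ...).
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus helper-recognised
    # related traffic (FTP data channel, ICMP errors for our own flows).
    # This single rule is what lets normal client work (ssh out, web,
    # FTP, apt-get) behave as though there were no firewall.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Any attempt to open a NEW connection to us (telnet, ftp, or any
    # port above 1024) falls through to the DROP policy. Ident (113) is
    # rejected with a reset instead, so remote mail/IRC servers do not
    # wait for a timeout before talking to us.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # A few ICMP types a working stack needs; drop echo-request from this
    # list if the machine should not answer ping.
    for t in echo-request destination-unreachable time-exceeded; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Rate-limited log of everything that is about to be dropped, so
    # probes against closed ports are visible in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

load_rules
```

After loading it for real, check the result with `iptables -L -n -v`, then confirm from another host that `telnet yourbox 23` and `ftp yourbox` get no answer while, from the box itself, an `apt-get update` against an ftp:// mirror and a passive-mode FTP download both still work. The FORWARD policy only matters if the box ever routes for others; it is set to DROP so that turning on IP forwarding later does not silently expose anything.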