
Re: 'Generic' Firewall Rulesets?



You may find this less than helpful, but here goes anyway....

On Sat, Nov 04, 2000 at 01:07:00AM -0700, Troy Telford wrote:
> Having looked and not found, I'm asking here:
> 
> Is there any place where I can find a general ruleset for a firewall?

I'm not aware of one.

> 
> And, moreover, while many howto's mention how to specify a rule for a 
> ruleset, they do not specify *what* rules are good/bad/ugly, etc.

Good rules are ones that implement your needs.  Bad ones do not.  I don't
know what rules may qualify as ugly.

> 
> For instance:
> 
> Even though packets coming from an FTP port are allowed (supposedly to 
> allow FTP downloads...), apt-get is unable to function properly.

Then you haven't specified rules that meet your needs.

> 
> Moreover, I have no idea what a 'good' ruleset to simply allow FTP 
> requests from my machine (such as those made by an FTP client on my 
> machine, apt-get, etc.) are reasonably secure.  And, in my case, I have 
> incoming FTP disabled, but is there a way to block packets at the 
> firewall (from people requesting FTP services on my computer), while 
> allowing my FTP requests to go unhindered?

Yes.  I don't know the ipchains way, but with iptables you can do
something like:

    iptables -A in -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A out -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A in -m state --state NEW -i ! ppp+ -j ACCEPT
    iptables -A out -m state --state NEW -j ACCEPT

where 'in' and 'out' are user chains.  This will allow outgoing but not
incoming connections.  (Caveat: don't take this as iron-clad because I
snipped pieces of a ruleset and am not sure they're good out of context.)

> 
> In fact, I couldn't really find any good information on general firewall 
> construction.  I could find information on how to set a rule for the 
> firewall; but now I need to find information on *what* kind of rules are 
> good, and why (and what is bad, and why).

For iptables, see http://netfilter.kernelnotes.org/ .  The documents
there also provide an overview of filtering, NAT, port forwarding, etc.

> 
> Another Example:  From what I understand, all TCP/UDP ports above 1024 
> are 'user' ports, and have no services attached to them.  What kind of 
> possible security problems/other risks are involved by having these 
> ports essentially 'open' to the world?  What is the tradeoff with 
> closing them off?

Again, it's a matter of meeting your requirements.  In general, it's
good to only open ports you need and only run services you need.

> 
> For my particular situation, the computer is connected directly to the 
> internet on a campus network.  I want to be able to have a good 'basic' 
> firewall ruleset that will allow me to do my normal tasks as though 
> there were no firewall active, yet filter out all incoming connection 
> requests (such as telnet, ftp, etc.).  I'm running kernel 2.4.0-test9; I 
> have iptables figured out and can apply rulesets just fine.  It's 
> knowing what rules make sense and what ones don't that I need help on.

Good - iptables will do what you want.  But again, it's a matter of
meeting your requirements.  The rules above will basically do what you've
stated here (with the caveat given above).  But if your default policy
is DENY (which it should be), you won't be able to log onto your machine
remotely or do other things you may want without adding rules to allow
those things.

> 
> I'm more interested in learning how to create a good firewall than 
> simply having one.  (So I can make one from scratch should I ever have a 
> specific need).

That's the ticket, make a ruleset from scratch.  The only sensible thing
to do is to specify your requirements and implement your specification.
A generic ruleset is pretty useless since the whole point is to be
secure and open up only what you need.  Since there are so many possible
variations in requirements, a template just wouldn't be secure for the
"average" user of any such template which defeats the whole purpose or
it would close off ports they need open (i.e., it wouldn't otherwise
meet their requirements).  If you tried to create so many templates that
everyone could just pick one "off the rack" you'd have to create so many
templates that choosing the right one would be harder than just rolling
your own.

HTH,
Steve

-- 
Steve Bowman  <sbowman@frostwork.net> (preferred)
Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>
              <http://www.goodnet.com/~sbowman/>

Powered by Debian GNU/Linux and GNU/Hurd <http://www.debian.org>
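The four rules quoted in the reply above, together with the point that a default DENY policy also shuts out your own remote logins unless you add a rule for them, worked into a complete ruleset as an added example (not part of Steve's message or of any project). It assumes iptables on a 2.4 kernel, the user chains 'in' and 'out' from the reply, and placeholder values for the Internet-facing interface (WAN_IF, 'ppp+' in the reply, eth0 on a box plugged straight into a campus network) and for the network allowed to ssh in (SSH_SRC).

```shell
#!/bin/sh
# Prints the rules by default; APPLY=1 executes them (added example, see lead-in).
set -eu
# usage: build_ruleset WAN_IF [SSH_SRC]
#   WAN_IF  - untrusted interface ('ppp+' in the reply; eth0 on a campus LAN)
#   SSH_SRC - optional address/CIDR allowed to open ssh sessions to this host
build_ruleset() {
    wan_if="$1"
    ssh_src="${2:-}"
    # Start clean, then default-deny every built-in chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # User chains 'in' and 'out', as in the reply, hung off INPUT and OUTPUT.
    $IPT -N in
    $IPT -N out
    $IPT -A INPUT -j in
    $IPT -A OUTPUT -j out

    # Loopback must always pass or local daemons and resolvers break.
    $IPT -A in -i lo -j ACCEPT
    $IPT -A out -o lo -j ACCEPT

    # Replies to connections this host opened come back in. RELATED covers FTP
    # data connections once ip_conntrack_ftp (nf_conntrack_ftp on newer
    # kernels) is loaded, which is what apt-get over FTP needs to work.
    $IPT -A in -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A out -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections: anything outbound, nothing inbound from the WAN side
    # ('! -i' is the current spelling of the reply's '-i !').
    $IPT -A out -m state --state NEW -j ACCEPT
    $IPT -A in -m state --state NEW ! -i "$wan_if" -j ACCEPT

    # Default-deny also blocks logging in remotely; open ssh only from SSH_SRC.
    if [ -n "$ssh_src" ]; then
        $IPT -A in -p tcp --dport 22 -s "$ssh_src" -m state --state NEW -j ACCEPT
    fi

    # Log (rate-limited) what falls through so a rule that breaks a tool such
    # as apt-get shows up in the kernel log; the INPUT policy then drops it.
    $IPT -A in -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
}

if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi
build_ruleset "${WAN_IF:-ppp+}" "${SSH_SRC:-}"
```

Run it as root with `APPLY=1 WAN_IF=eth0 SSH_SRC=192.0.2.0/24 sh fw.sh` to apply; without APPLY=1 it only prints the commands so the ruleset can be reviewed first.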