
Re: Basic question about ipchains being useful



Julien Dupre <julien_duprefr@yahoo.fr> writes:

> I've read the Firewall FAQ and didn't find an answer to my problem. I
> understand that ipchains may be useful for a router to filter out some
> packets or restrict some services to specific hosts, but I'm just running
> a webserver on a single machine with usual services. I don't need to
> restrict the access to some hosts for the ports where a service is
> running (http,

Beware of security alerts.

> ftp, 

Beware of security alerts, big-time.

> smtp, 

Which MTA?

> ssh, 

Beware of security alerts.

> bind

Beware of security alerts, muchly so.

> ) and I don't mind filtering out other ports as no process is running to
> deal with the packets anyway. I'm using an IDS (snort) because I'm
> curious to see if someone wants to break in, but my current conclusion is
> to say that I don't need any ipchain rule. Did I miss something?

A firewall is not just a binary filter on incoming access.

a) with ipchains/iptables you have a choice of accepting, rejecting or
dropping packets. If you reject them, they know you exist. If you drop
them, they have to wait for a timeout before they know anything about you -
you can play dead.

a2) you get the ability to filter TCP access to BIND right out. Chances are
you won't miss it, except for your secondary nameservers.

b) you get logging of *all* packets that don't make it through, not just
the ones snort says are interesting. (Bear in mind that snort, with all the
best will in the world, is only retroactive.)

c) you get the ability to filter invalid / spoofed IP#s in the firewall *as
well as* with rp_filter.

d) you get the option of egress filtering. If you know you should never be
accepting packets from port 25 to the private IP# range, you can drop them
and you'll find out when someone cracks you through BIND and tries to mail
home.

~Tim
-- 
The sun is melting over the hills,          |piglet@stirfried.vegetable.org.uk
All our roads are waiting / To be revealed  |http://spodzone.org.uk/
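A worked ruleset for points a) to d) above, added here as an example; it is not part of Tim's message or of the original thread, and it uses iptables rather than ipchains syntax. The interface name, the host address and the secondary nameserver address are constructed placeholders, and DRY_RUN=1 (the default) prints the commands instead of applying them, so the script can be read and checked on any machine before being run as root.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal iptables ruleset for a
# single-host web server, covering points a) to d) of the reply above.
# Constructed assumptions: IFACE is the public interface, MY_IP this host's
# address, SECONDARY_NS the secondary nameserver allowed to do zone transfers.
# With DRY_RUN=1 (the default) the commands are printed instead of executed.

IFACE="${IFACE:-eth0}"
MY_IP="${MY_IP:-203.0.113.10}"               # placeholder (RFC 5737 doc range)
SECONDARY_NS="${SECONDARY_NS:-198.51.100.5}" # placeholder (RFC 5737 doc range)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

build_rules() {
    # Fresh start. Policy DROP on INPUT: probes to closed ports get no RST or
    # ICMP unreachable and have to time out (point a: "play dead").
    # Use "-j REJECT --reject-with tcp-reset" instead if you prefer to answer.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Loopback and replies to connections this host opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Point c: drop obviously spoofed sources arriving on the public interface,
    # in addition to the kernel's reverse-path check (rp_filter).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$MY_IP"; do
        ipt -A INPUT -i "$IFACE" -s "$net" -j DROP
    done
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    # The services the poster actually runs: http, ftp, smtp, ssh.
    # (FTP data channels additionally need the nf_conntrack_ftp helper loaded.)
    for port in 80 21 25 22; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Point a2: UDP DNS for everyone, TCP DNS (zone transfers, large answers)
    # only from the secondary nameserver.
    ipt -A INPUT -i "$IFACE" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --dport 53 -s "$SECONDARY_NS" -j ACCEPT

    # Point b: log everything that is about to hit the DROP policy, rate-limited
    # so a flood cannot fill the disk. Snort only sees what its rules match;
    # this sees every rejected packet.
    ipt -A INPUT -i "$IFACE" -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-prefix "INPUT-drop: " --log-level 4

    # Point d: egress filtering. A public web server has no business talking to
    # private ranges, and a NEW outbound SMTP connection is worth a log line;
    # a compromised host trying to "mail home" shows up here.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A OUTPUT -o "$IFACE" -d "$net" -j LOG --log-prefix "OUTPUT-private: "
        ipt -A OUTPUT -o "$IFACE" -d "$net" -j DROP
    done
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 25 -m conntrack --ctstate NEW \
        -j LOG --log-prefix "OUTPUT-smtp: "
}

build_rules
```

Run it once with the default DRY_RUN=1 and read the output; the rule order matters, because the LOG rule must be the last INPUT rule before the policy takes over, and the ESTABLISHED,RELATED rule must come before the per-service rules or return traffic is dropped. Only then apply it with DRY_RUN=0 as root.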


