
Re: IPTables configuration.



I see why I should set the "--state NEW" flag on port 80. Would I be sure
that it wouldn't hamper the webserver though? And if I'd like to block an IP
out of the system, how would that be done the easiest way? Put a rule in
PAROLE?

//Tore Nilsson

----- Original Message -----
From: "DEFFONTAINES Vincent" <Vincent.DEFFONTAINES@coe.int>
To: <debian-security@lists.debian.org>
Sent: Wednesday, December 04, 2002 3:45 PM
Subject: RE: IPTables configuration.


> The call of PAROLE for TCP DST 80 packets isn't restrictive enough.
> I would call that rule only this way :
> replace
>  384 19428 PAROLE     tcp  --  *      *       0.0.0.0/0     0.0.0.0/0     tcp dpt:80
> with a rule like :
> /sbin/iptables -p tcp --dport 80 -m state --state NEW -j PAROLE
> in the PUB_IN chain
>
> So that (nearly) only SYN packets go through that rule, not forget TCP
> session packets.
>
> Your firewall allows all OUT, that is not a bad policy if you trust all
> users and applications you run.
> I would agree with that policy for a personal firewall as this seems to
> be.
>
> I don't really like the general looking of the rest (some useless chains,
> some useless calls).
>
> The FORWARD chain could be empty, since the ESTABLISHED, RELATED chain in it
> will never match any packet.
> Maybe you want to LOG some packets in that rule, that is another option.
>
> Chains INT_IN and INT_OUT are never used, delete them.
>
> Call to chain PUB_OUT is useless, and could be forgotten, as well as that
> chain.
>
>
>
> This seems to be a very "tiny" (personal) firewall.
>
> Probably most important in all I said : set the NEW state in incoming TCP 80
> packets.
> The rest is just to make your rules cleaner, it doesn't modify the way the
> firewall works.


