Re: Why not have firewall rules by default?

To: William Twomey <william.twomey@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Why not have firewall rules by default?
From: Riku Valli <riku.valli@vallit.fi>
Date: Wed, 23 Jan 2008 23:52:02 +0200
Message-id: <[🔎] 4797B702.5060105@vallit.fi>
In-reply-to: <[🔎] 47975AE5.80801@gmail.com>
References: <[🔎] 47975AE5.80801@gmail.com>

William Twomey wrote:

It's my understanding (and experience) that a Debian system by defaultis vulnerable to SYN flooding (at least when running services) andother such mischeif. I was curious as to why tcp_syncookies (andsimilar things) are not enabled by default.

Sorry forgot that.

Submitted by admin <http://www.linuxinsight.com/user/1> on Thu,2006-06-29 23:12.

Send out syncookies when the syn backlog queue of a socket overflows.This is to prevent against the common "syn flood attack". Disabled (0)by default.

Note, that syncookies is fallback facility. It must not be used to helphighly loaded servers to stand against legal connection rate. If you seesynflood warnings in your logs, but investigation shows that they occurbecause of overload with legal connections, you should tune anotherparameters until this warning disappear. See: tcp_max_syn_backlog<http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_max_syn_backlog.html>,tcp_synack_retries<http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_synack_retries.html>,tcp_abort_on_overflow<http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_abort_on_overflow.html>.

syncookies seriously violate TCP protocol, do not allow to use TCPextensions, can result in serious degradation of some services (forexample SMTP relaying), visible not by you, but your clients and relays,contacting you. While you see synflood warnings in logs not being reallyflooded, your server is seriously misconfigured.


Regards, Riku

Many distros (RPM-based mostly from my experience) ask you during theinstall if you'd like to enable firewall protection. I was curious ifdebian was every going to have this as an option?
One solution could be to have a folder called /etc/security/iptablesthat contains files that get passed to iptables at startup (in thesame way /etc/rc2.d gets read in numeric order). So you could havefiles like 22ssh, 23ftp, etc. with iptable rules in each file. Youcould also have an 'ENABLED' variable like some files in /etc/defaulthave (so that ports wouldn't be opened by default; the user would haveto manually enable them for the port to be opened).Then they'd just run /etc/init.d/iptables restart and the port wouldbe opened (flush the rules, reapply).
Even a central iptables-save format file that gets passed to iptablesat startup would be nice. It's easy enough to do manually, but wouldbe nice to see integrated with debian itself (packages managing theirown rules, etc.).
Is debian every going to introduce a better way of having iptablesrules be run at startup and easily saved/managed, or will this alwaysbe a manual process?
Thanks!

-Will

Reply to:

References:
- Why not have firewall rules by default?
  - From: William Twomey <william.twomey@gmail.com>

Prev by Date: Re: Why not have firewall rules by default?
Next by Date: Re: Why not have firewall rules by default?
Previous by thread: Re: Why not have firewall rules by default?
Next by thread: Re: Why not have firewall rules by default?
Index(es):
- Date
- Thread