Re: Starting iptables



dtutty@porchlight.ca writes:

> On Thu, Oct 19, 2006 at 05:22:24PM -0700, John L Fjellstad wrote:
>> dtutty@porchlight.ca writes:
>> 
>> > If you look at the number of lines of rules you make, and compare it
>> > to the number of lines (pages!) of iptables rules it makes, you see
>> > that shorewall is easier.  Also the syntax is easier.  Changes are
>> > far easier.  Besides, the shorewall book is the best book I've found
>> > for understanding iptables.  
>> 
>> shorewall creates pages of iptables rules and that is considered a
>> good thing? What happened to KISS?
>> 
> Yes it is a good thing.  The purpose of a firewall is to block anything
> that you don't explicitly want through.  If you don't want anything,
> don't put any 'allow' stuff.  Then the default rule of deny all is in
> effect.  The issue is that there are different protocols for the same
> service (e.g. UDP, UTP, etc).  Each little pinprick you want opened
> takes a few rules to keep it to a specific pinprick.  If you did it
> manually with fewer rules you would have a more porous firewall or you
> wouldn't have the services you want traversing the firewall.  If you
> used too few rules you would have a screen door.

Bull.  How do few rules create a screen door as opposed to "pages" of
rules?  How many services do you have that you need "pages" of rules?
How does each pinprick you open not create another entry point?  How
do fewer "pinpricks" opened create less security, while more "pinpricks"
create more security?  How is this keeping it simple?

> For comparison, go to tldp and get the securing-linux manual (redhat
> edition).  It's in PDF format.  That author took the same approach you
> suggest and does everything except the base install by hand.  Read the
> section on firewall.  See the pages of rules he has in his firewall
> script.  He explains it all too.

I couldn't find the article you were talking about, but I did find a
Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.  And the number of
rules is insane.  Why would you have an explicit DROP rule when you
have a DROP policy?  Where is the logging? (Yes, he has a comment about
how he logs selected denied packages, but no logging actually occurs.) Of
course, if you want to be the "ultimate-solution", why would you want to
keep it simple?

Sigh...

> The only ways I know of to KISS a firewall are ipmasq and shorewall.
> Shorewall makes a better firewall so it makes more rules.

KISS.  Keep It Simple.  As in as few rules as possible.
What do you need?

Take a home user. What does he need?

Well, he needs to open the loopback. Rule 1.
He wants any packages that he started to be let through (RELATED,
ESTABLISHED). Rule 2.
Maybe he wants to use p2p. That's a range. If you use bittorrent, you
might have to open an additional port for the control package. That's 4 rules.
End it with a LOG rule with rate limit.

That's _five rules_.  Use DROP as a policy.  How is this _less_ secure than
having "pages" of rules?  How does having _fewer_ rules create more
insecurity?

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
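The five-rule home firewall sketched in the message above, written out as an added example (not code from the thread). The p2p port range 6881:6889 and the log rate limits are assumed placeholders; the conntrack match is used in place of the older `-m state` match, with the same meaning.

```shell
#!/bin/sh
# Minimal host firewall: DROP policy plus the five rules from the message.
# IPT can be overridden (e.g. IPT=echo) to preview the commands without applying them.
IPT="${IPT:-iptables}"
# Assumed placeholder: the port range the p2p client actually listens on.
P2P_PORTS="${P2P_PORTS:-6881:6889}"

firewall_rules() {
    # Start from a clean slate: flush rules, delete user chains, set policies.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP      # anything not explicitly accepted below is dropped
    "$IPT" -P FORWARD DROP    # a single host does not route for anyone
    "$IPT" -P OUTPUT ACCEPT

    # Rule 1: loopback traffic is always allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Rule 2: replies to connections this host started
    # (conntrack --ctstate is the modern spelling of "-m state --state").
    "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Rules 3-4: the p2p listening range, TCP and UDP.
    "$IPT" -A INPUT -p tcp --dport "$P2P_PORTS" -j ACCEPT
    "$IPT" -A INPUT -p udp --dport "$P2P_PORTS" -j ACCEPT
    # Rule 5: log what is about to hit the DROP policy, rate-limited so a
    # port scan cannot flood the log; the policy itself does the dropping,
    # so no explicit DROP rule is needed.
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT INPUT DROP: " --log-level 4
}

# Only apply when explicitly asked ("./firewall.sh apply"); otherwise just define.
if [ "${1:-}" = "apply" ]; then
    firewall_rules
fi
```

Run with `IPT=echo sh firewall.sh apply` to review the exact rule list before applying it as root.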