Firewall - basic config?
Hi List,
I have a question regarding how I've configured my iptables to act as a
very basic "firewall", i.e., one that simply prevents any and all
incoming connections. Now, from my readings over the past several days
I think I've learned that at least some of my outgoing requests will
have responses that should be allowed to come back in -- but aside from
that, I essentially want my firewall to act in a very "default" method,
i.e., the way a complete neophyte would expect his or her firewall to
work within Windows or Mac.
Here's what I did -- I will also paste the results of my current
"iptables -L" command... I hope the text block is not too large...
1. First, my issue with manually configuring iptables is not the
complexity of it, per se -- but the fact that I want to avoid having my
newness to it prevent me from setting it up in an insecure manner. So...
2. I found that "ufw" works as a command-line-based front end to
iptables. I also came across "gufw" in my travels, and I even tried it,
but I've since gleaned that all that's really needed in ufw to
completely mimic the basic functionality of gufw is to (a) install ufw,
and (b) enable it -- one does not even need to establish the default
policies, although the Debian wiki page incorrectly states that this is
necessary.
3. So after having installed and enabled ufw, here's the output of my
"iptables -L" command. I noticed a mention of "microsoft-ds" in
there... I assume this is just a protocol, and not a piece of
software! Any suggestions/comments would be much appreciated. Thanks
very much.
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
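As an added example (not part of the original post), a small Python checker for an "iptables -L" listing in the format pasted above: it walks INPUT and the ufw chains it jumps to, and reports the chain policy, whether RELATED,ESTABLISHED return traffic is accepted, and the final verdict for each port-specific rule, which shows what the microsoft-ds rule actually does (it jumps to a chain whose only rule is an unconditional DROP). The sample listing is a constructed abridgement of the post's output.

```python
import re

# Constructed sample: an abridged copy of the INPUT-side chains pasted in the post.
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
Chain ufw-after-input (1 references)
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain ufw-before-input (1 references)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
Chain ufw-skip-to-policy-input (7 references)
DROP all -- anywhere anywhere
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(listing):
    """Map chain -> policy (None for user chains) and chain -> [(target, match-text)]."""
    policies, rules, chain = {}, {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            chain = m.group(1)
            policies[chain], rules[chain] = m.group(2), []
        elif chain and line and not line.startswith("target "):  # skip the column header
            rules[chain].append(line.partition(" ")[::2])  # (target, rest of the rule)
    return policies, rules

def resolve(target, rules):
    """A built-in verdict stands; a user chain resolves to its first unconditional verdict."""
    if target in TERMINAL:
        return target
    hits = [t for t, m in rules.get(target, []) if t in TERMINAL and m == "all -- anywhere anywhere"]
    return hits[0] if hits else "RETURN"  # RETURN: control falls back to the calling chain

def audit(listing):
    """Walk INPUT and the chains it jumps to: policy, stateful accept, per-port verdicts."""
    policies, rules = parse(listing)
    ports, stateful, todo = {}, False, ["INPUT"]
    while todo:
        for target, match in rules.get(todo.pop(), []):
            port = re.search(r"dpt:(\S+)", match)
            if port:                  # port-specific rule: what finally happens to it?
                ports[port.group(1)] = resolve(target, rules)
            elif target in rules:     # jump to another user chain: follow it
                todo.append(target)
            stateful |= target == "ACCEPT" and "RELATED,ESTABLISHED" in match
    return {"policy": policies["INPUT"], "stateful_return": stateful, "ports": ports}
```

Run against a full listing (for example `iptables -L | python3 -c 'import sys, audit_ufw; print(audit_ufw.audit(sys.stdin.read()))'` with the block saved as audit_ufw.py) to confirm the default-deny INPUT policy and to see which named ports end in ACCEPT rather than DROP.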