Re: Firewall - basic config?



On Sun, 24 Apr 2016 00:17:51 -0500
Michael Milliman <michael.e.milliman@gmail.com> wrote:
> >>   Any suggestions/comments would be much appreciated. Thanks
> >> very much.
> > Assuming you'd want to keep ufw, you'd need to worry about:
> >
> >> Chain ufw-after-input (1 references)
> >> target     prot opt source               destination
> >> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp
> >> dpt:netbios-ns
> >> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp
> >> dpt:netbios-dgm
> >> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp
> >> dpt:netbios-ssn
> >> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp
> >> dpt:microsoft-ds
> > There's no reason to accept these unless you're using Samba (either
> > the server or client).
> However, if you look at the ufw-skip-to-policy-input chain, it simply 
> DROPs everything, so there is no hole here, as far as I can tell.  
> Indeed, this chain specifies all protocols, from anywhere to anywhere, 
> target DROP. So, in the end, all packets to these destination ports 
> (dpt) are DROPed.

Good catch. I agree here. Although it would help to see if these rules
apply to a certain network interface (see below).


> >> ACCEPT     udp  --  anywhere             anywhere             udp
> >> spt:bootps dpt:bootpc
> > So, first they compose a perfectly good rule for DHCP client
> > (ufw-before-input chain), but then they allow udp:68 unconditionally in
> > ufw-after-input chain. I'll assume that something very clever is going
> > on here.
> Correct me if I'm wrong, however, the ufw-before-input chain concerns me 
> greatly.  The first rule here ACCEPTs all packets of all protocols 
> coming from anywhere and going to anywhere.  This appears to be an 
> incredibly big hole.  The above rule Reco mentions will never be seen, 
> as it is quite a bit further down the chain, after everything has 
> already been ACCEPTed.  Surely, I'm reading something wrong?:-\

I believe this to be an artifact of 'iptables -L', and the actual rule
refers to lo interface only. For example, on my system this scary rule:

# iptables -nL INPUT | head -3
...
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 

Actually means this:

# iptables -nvL INPUT | head -3
...
ACCEPT     all  --  lo     * 0.0.0.0/0            0.0.0.0/0  

Reco
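As an added example (not from this thread or from ufw), here is a small audit that reads the `iptables -S INPUT` form of a chain, where an interface match is never hidden the way `iptables -L` hides it, and prints every ACCEPT rule that is tied to neither an input interface (-i) nor a source address (-s). The rule listing below is constructed to resemble the chain discussed above; on a real host you would pipe `iptables -S INPUT` into the function instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an `iptables -S`
# listing for ACCEPT rules with no -i (interface) or -s (source) match.
# `iptables -S` prints each rule as it was typed, so the "lo" restriction
# that plain `iptables -L` drops from its output is always visible here.

# Constructed sample listing, modelled on the INPUT chain under discussion.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input'

# unscoped_accepts: read rules on stdin and print each ACCEPT rule that has
# neither an -i nor an -s restriction. Conntrack-state matches are skipped
# because they only admit replies to flows the host itself started.
unscoped_accepts() {
    awk '$1 == "-A" && / -j ACCEPT( |$)/ && !/ -i / && !/ -s / && !/ --ctstate / { print }'
}

# count_unscoped_accepts: number of such rules, handy in scripts and tests.
count_unscoped_accepts() {
    unscoped_accepts | wc -l | tr -d ' '
}

# On a live host: iptables -S INPUT | unscoped_accepts
printf '%s\n' "$SAMPLE_RULES" | unscoped_accepts
```

Only the unconditional DHCP-client rule (udp --dport 68) is reported; the "ACCEPT all from anywhere" rule that looked alarming in the `-L` output is recognised as lo-only and stays silent.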

