Re: Firewall - basic config?

To: debian-user@lists.debian.org
Subject: Re: Firewall - basic config?
From: Reco <recoverym4n@gmail.com>
Date: Sun, 24 Apr 2016 11:56:51 +0300
Message-id: <[🔎] 20160424115651.0b20c99fe34cb8a6c9351bf0@gmail.com>
In-reply-to: <[🔎] 571C56FF.8020008@gmail.com>
References: <[🔎] 571BAB24.2090709@yahoo.com> <[🔎] 20160423210117.a27515c151308a3b0a68c317@gmail.com> <[🔎] 571C56FF.8020008@gmail.com>

On Sun, 24 Apr 2016 00:17:51 -0500
Michael Milliman <michael.e.milliman@gmail.com> wrote:
> >>   Any suggestions/comments would be much appreciated. Thanks
> >> very much.
> > Assuming you'd want to keep ufw, you'd need to worry about:
> >
> >> Chain ufw-after-input (1 references)
> >> target     prot opt source               destination
> >> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp
> >> dpt:netbios-ns
> >> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp
> >> dpt:netbios-dgm
> >> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp
> >> dpt:netbios-ssn
> >> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp
> >> dpt:microsoft-ds
> > There's no reason to accept these unless you're using Samba (either
> > the server or client).
> However, if you look at the ufw-skip-to-policy-input chain, it simply 
> DROPs everything, so there is no hole here, as far as I can tell.  
> Indeed, this chain specifies all protocols, from anywhere to anywhere, 
> target DROP. So, in the end, all packets to these destination ports 
> (dpt) are DROPed.

Good catch. I agree here. Although it would help to see if these rules
apply to a certain network interface (see below).


> >> ACCEPT     udp  --  anywhere             anywhere             udp
> >> spt:bootps dpt:bootpc
> > So, first they compose a perfectly good rule for DHCP client
> > (ufw-before-input chain), but then they allow udp:68 unconditionally in
> > ufw-after-input chain. I'll assume that something very clever is going
> > on here.
> Correct me if I'm wrong, however, the ufw-before-input chain concerns me 
> greatly.  The first rule here ACCEPTs all packets of all protocols 
> coming from anywhere and going to anywhere.  This appears to be an 
> incredibly big hole.  The above rule Reco mentions, will never be seen 
> as it is quite a bit further down the chain, after everything has 
> already been ACCEPTed.  Surely, I'm reading something wrong?:-\

I believe this to be an artifact of 'iptables -L', and the actual rule
refers to lo interface only. For example, on my system this scary rule:

# iptables -nL INPUT | head -3
...
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 

Actually means this:

# iptables -nvL INPUT | head -3
...
ACCEPT     all  --  lo     * 0.0.0.0/0            0.0.0.0/0  

Reco

Reply to:

Follow-Ups:
- Re: Firewall - basic config?
  - From: Michael Milliman <michael.e.milliman@gmail.com>

References:
- Firewall - basic config?
  - From: Harris Paltrowitz <harrisupstate@yahoo.com>
- Re: Firewall - basic config?
  - From: Reco <recoverym4n@gmail.com>
- Re: Firewall - basic config?
  - From: Michael Milliman <michael.e.milliman@gmail.com>

Prev by Date: Re: Firewall - basic config?
Next by Date: Re: on-demand mounting of filesystems via Systemd (e.g. /backup)
Previous by thread: Re: Firewall - basic config?
Next by thread: Re: Firewall - basic config?
Index(es):
- Date
- Thread