Re: Firewall - basic config?
On Sun, 24 Apr 2016 00:17:51 -0500
Michael Milliman <michael.e.milliman@gmail.com> wrote:
> >> Any suggestions/comments would be much appreciated. Thanks
> >> very much.
> > Assuming you'd want to keep ufw, you'd need to worry about:
> >
> >> Chain ufw-after-input (1 references)
> >> target prot opt source destination
> >> ufw-skip-to-policy-input udp -- anywhere anywhere udp
> >> dpt:netbios-ns
> >> ufw-skip-to-policy-input udp -- anywhere anywhere udp
> >> dpt:netbios-dgm
> >> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp
> >> dpt:netbios-ssn
> >> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp
> >> dpt:microsoft-ds
> > There's no reason to accept these unless you're using Samba (either
> > the server or client).
> However, if you look at the ufw-skip-to-policy-input chain, it simply
> DROPs everything, so there is no hole here, as far as I can tell.
> Indeed, this chain specifies all protocols, from anywhere to anywhere,
> target DROP. So, in the end, all packets to these destination ports
> (dpt) are DROPed.
Good catch. I agree here. Although it would help to see if these rules
apply to a certain network interface (see below).
> >> ACCEPT udp -- anywhere anywhere udp
> >> spt:bootps dpt:bootpc
> > So, first they compose a perfectly good rule for DHCP client
> > (ufw-before-input chain), but then they allow udp:68 unconditionally in
> > ufw-after-input chain. I'll assume that something very clever is going
> > on here.
> Correct me if I'm wrong, however, the ufw-before-input chain concerns me
> greatly. The first rule here ACCEPTs all packets of all protocols
> coming from anywhere and going to anywhere. This appears to be an
> incredibly big hole. The above rule Reco mentions will never be seen
> as it is quite a bit further down the chain, after everything has
> already been ACCEPTed. Surely, I'm reading something wrong? :-\
I believe this to be an artifact of 'iptables -L', and the actual rule
refers to lo interface only. For example, on my system this scary rule:
# iptables -nL INPUT | head -3
...
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Actually means this:
# iptables -nvL INPUT | head -3
...
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Reco
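An added check illustrating the point above; it is not part of Reco's message or of ufw/iptables themselves. It parses constructed `iptables -nvL INPUT` and `iptables -nL INPUT` listings (sample data, not the poster's ruleset) and classifies every unconditional "ACCEPT all" any-to-any rule as loopback-only, a real hole, or undecidable because the terse listing hides the interface column.

```python
# Constructed `iptables -nvL INPUT` output (sample data, not from the thread).
VERBOSE_SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   30  2400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    5   300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# The same rules as `iptables -nL INPUT` prints them: the in/out columns vanish.
TERSE_SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""
def parse_rules(listing):
    """Yield one dict per rule line; the 'in' key is absent when -v was not used."""
    verbose = False                       # assume -nL layout until a header says otherwise
    for line in listing.splitlines():
        cols = line.split()
        if not cols or cols[0] == "Chain":
            continue
        if cols[0] in ("target", "pkts"):
            verbose = cols[0] == "pkts"   # -v output starts the header with pkts/bytes
            continue
        if verbose:
            cols = cols[2:]               # drop the pkts/bytes counters
        keys = ("target", "prot", "opt") + (("in", "out") if verbose else ()) + ("source", "destination")
        rule = dict(zip(keys, cols))
        rule["extra"] = " ".join(cols[len(keys):])  # match clauses, e.g. 'ctstate ...'
        yield rule

def accept_all_findings(listing):
    """Classify each 'ACCEPT all' any-to-any rule that has no further match clause."""
    findings = []
    for r in parse_rules(listing):
        if r["extra"] or (r["target"], r["prot"], r["source"], r["destination"]) != (
                "ACCEPT", "all", "0.0.0.0/0", "0.0.0.0/0"):
            continue
        iface = r.get("in")
        if iface is None:
            findings.append(("unknown", "interface hidden; rerun with -v"))
        elif iface == "lo":
            findings.append(("ok", "loopback only"))
        else:
            findings.append(("hole", "accepts everything arriving on " + iface))
    return findings
```

Run against a live system with `iptables -nvL INPUT | python3 -c 'import sys; ...'` or similar; the terse listing can only ever report "unknown" for such rules, which is exactly why the thread recommends `-v`.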