
Re: Firewall - basic config?





On 04/24/2016 03:56 AM, Reco wrote:
> On Sun, 24 Apr 2016 00:17:51 -0500
> Michael Milliman <michael.e.milliman@gmail.com> wrote:
>>>> Any suggestions/comments would be much appreciated. Thanks
>>>> very much.
>>> Assuming you'd want to keep ufw, you'd need to worry about:
>>>
>>> Chain ufw-after-input (1 references)
>>> target     prot opt source               destination
>>> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp dpt:netbios-ns
>>> ufw-skip-to-policy-input  udp  --  anywhere anywhere             udp dpt:netbios-dgm
>>> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp dpt:netbios-ssn
>>> ufw-skip-to-policy-input  tcp  --  anywhere anywhere             tcp dpt:microsoft-ds
>>> There's no reason to accept these unless you're using Samba (either
>>> the server or client).
>> However, if you look at the ufw-skip-to-policy-input chain, it simply
>> DROPs everything, so there is no hole here, as far as I can tell.
>> Indeed, this chain specifies all protocols, from anywhere to anywhere,
>> target DROP. So, in the end, all packets to these destination ports
>> (dpt) are DROPed.
> Good catch. I agree here. Although it would help to see if these rules
> apply to a certain network interface (see below).
>
>>> ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
>>> So, first they compose a perfectly good rule for DHCP client
>>> (ufw-before-input chain), but then they allow udp:68 unconditionally in
>>> ufw-after-input chain. I'll assume that something very clever is going
>>> on here.
>> Correct me if I'm wrong, however, the ufw-before-input chain concerns me
>> greatly.  The first rule here ACCEPTs all packets of all protocols
>> coming from anywhere and going to anywhere.  This appears to be an
>> incredibly big hole.  The above rule Reco mentions will never be seen,
>> as it is quite a bit further down the chain, after everything has
>> already been ACCEPTed.  Surely, I'm reading something wrong? :-\
> I believe this to be an artifact of 'iptables -L', and the actual rule
> refers to lo interface only. For example, on my system this scary rule:
>
> # iptables -nL INPUT | head -3
> ...
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Actually means this:
>
> # iptables -nvL INPUT | head -3
> ...
> ACCEPT     all  --  lo     * 0.0.0.0/0            0.0.0.0/0
>
> Reco
Yes, I missed that the iptables -L doesn't give the interface that a particular rule applies to. The iptables -L -v command would be more informative.

--
Mike
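The two points the thread settles on are (a) that plain `iptables -L` omits the in/out interface columns, so a lo-only ACCEPT looks like an accept-from-anywhere, and (b) that a jump into ufw-skip-to-policy-input is harmless when that chain is a single catch-all DROP. The following is an added example, not code from the thread or from ufw: a small auditor that parses `iptables -nvL` output, renders rules the way `-nL` would (to show what gets hidden), follows jumps into single-rule chains to report the effective verdict, and lists ACCEPT rules that are bound to neither an input interface nor a source range. SAMPLE_NVL is a constructed dump in the `-nvL` layout; the chain names mirror ufw's, but the counters and the exact rules are invented for illustration.

```python
"""Audit `iptables -nvL` output: which ACCEPT rules are really world-reachable?

Added example for this thread, not code from the original posts or from ufw.
SAMPLE_NVL is constructed: ufw-like chain names, invented counters and rules.
"""
import re
from dataclasses import dataclass

SAMPLE_NVL = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  944 61234 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  610 40120 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  700 48000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   656 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   390 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain ufw-skip-to-policy-input (4 references)
 pkts bytes target     prot opt in     out     source               destination
    5   390 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

@dataclass
class Rule:
    chain: str
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match text, e.g. "udp dpt:68" or "ctstate RELATED,ESTABLISHED"

def parse_nvl(text):
    """Parse `iptables -nvL` output into {chain: [Rule, ...]} (insertion order kept)."""
    chains, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.lstrip().startswith("pkts bytes") or current is None:
            continue  # column header, or text before the first chain
        # -v layout: pkts bytes target prot opt in out source destination [matches...]
        fields = line.split(None, 9)
        if len(fields) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        target, prot, opt, in_if, out_if, src, dst = fields[2:9]
        extra = fields[9].strip() if len(fields) > 9 else ""
        chains[current].append(Rule(current, target, prot, opt, in_if, out_if, src, dst, extra))
    return chains

def as_nL(rule):
    """Render a rule the way plain `iptables -nL` shows it: the in/out columns are
    not printed, so a lo-only ACCEPT and an ACCEPT-from-anywhere look identical."""
    cols = f"{rule.target:<10} {rule.prot:<4} {rule.opt:<3} {rule.source:<20} {rule.dest:<20}"
    return f"{cols} {rule.extra}".rstrip()

def matches_everything(rule):
    return (rule.prot == "all" and rule.in_if == "*" and rule.out_if == "*"
            and rule.source == "0.0.0.0/0" and rule.dest == "0.0.0.0/0" and rule.extra == "")

def effective_target(chains, rule, depth=0):
    """Follow a jump into a user chain. If that chain is one catch-all verdict (the
    ufw-skip-to-policy-input case), report the verdict; otherwise return the chain
    name, because the outcome then depends on which of its rules matches."""
    if rule.target in VERDICTS:
        return rule.target
    sub = chains.get(rule.target)
    if sub is not None and depth < 8 and len(sub) == 1 and matches_everything(sub[0]):
        return effective_target(chains, sub[0], depth + 1)
    return rule.target

def audit_accepts(chains):
    """Return (chain, scope) for each rule that effectively ACCEPTs and is bound to
    neither an input interface, nor a source range, nor established-connection state."""
    findings = []
    for name, rules in chains.items():
        for r in rules:
            if effective_target(chains, r) != "ACCEPT":
                continue
            if r.in_if != "*" or r.source != "0.0.0.0/0":
                continue  # e.g. the lo rule, which only -v reveals as interface-bound
            if "ESTABLISHED" in r.extra:
                continue  # reply traffic to connections this host opened
            scope = "ALL traffic" if matches_everything(r) else (r.extra or r.prot)
            findings.append((name, scope))
    return findings

if __name__ == "__main__":
    chains = parse_nvl(SAMPLE_NVL)
    print("-nL view of the lo rule (interface hidden):", as_nL(chains["ufw-before-input"][0]))
    for r in chains["ufw-after-input"]:
        print(f"{r.chain}: {r.target} -> effective {effective_target(chains, r)}")
    for chain, scope in audit_accepts(chains):
        print(f"WORLD-REACHABLE ACCEPT in {chain}: {scope}")
```

Run against a real box with `iptables -nvL | python3 audit.py` after swapping SAMPLE_NVL for `sys.stdin.read()`. On the sample the dpt:137 jump resolves to DROP and the lo rule is not reported; the two DHCP-client accepts (udp spt:67 dpt:68 in before-input and the broader udp dpt:68 in after-input) are listed, which is the kind of port-scoped but interface-unbound rule the thread was puzzling over.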

