On Sun, 24 Apr 2016 00:17:51 -0500
Michael Milliman <michael.e.milliman@gmail.com> wrote:
> > > Any suggestions/comments would be much appreciated. Thanks
> > > very much.
> >
> > Assuming you'd want to keep ufw, you'd need to worry about:
> >
> > Chain ufw-after-input (1 references)
> > target                    prot opt source    destination
> > ufw-skip-to-policy-input  udp  --  anywhere  anywhere     udp dpt:netbios-ns
> > ufw-skip-to-policy-input  udp  --  anywhere  anywhere     udp dpt:netbios-dgm
> > ufw-skip-to-policy-input  tcp  --  anywhere  anywhere     tcp dpt:netbios-ssn
> > ufw-skip-to-policy-input  tcp  --  anywhere  anywhere     tcp dpt:microsoft-ds
> >
> > There's no reason to accept these unless you're using Samba (either
> > the server or client).
>
> However, if you look at the ufw-skip-to-policy-input chain, it simply
> DROPs everything, so there is no hole here, as far as I can tell.
> Indeed, this chain specifies all protocols, from anywhere to anywhere,
> target DROP. So, in the end, all packets to these destination ports
> (dpt) are DROPed.

Good catch. I agree here. Although it would help to see if these rules
apply to a certain network interface (see below).

> > ACCEPT     udp  --  anywhere  anywhere     udp spt:bootps dpt:bootpc
> >
> > So, first they compose a perfectly good rule for DHCP client
> > (ufw-before-input chain), but then they allow udp:68 unconditionally in
> > ufw-after-input chain. I'll assume that something very clever is going
> > on here.
>
> Correct me if I'm wrong, however, the ufw-before-input chain concerns me
> greatly. The first rule here ACCEPTs all packets of all protocols
> coming from anywhere and going to anywhere. This appears to be an
> incredibly big hole. The above rule Reco mentions, will never be seen
> as it is quite a bit further down the chain, after everything has
> already been ACCEPTed. Surely, I'm reading something wrong? :-\
I believe this to be an artifact of 'iptables -L', and the actual rule
refers to lo interface only. For example, on my system this scary rule:
# iptables -nL INPUT | head -3
...
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Actually means this:
# iptables -nvL INPUT | head -3
...
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Reco
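An added example, not from anyone in this thread: a small shell filter over `iptables -nvL` output (the verbose form, which includes the in/out interface columns that plain `-L` hides) that reports only the ACCEPT rules genuinely open on every interface, so a lo-only rule like the one Reco shows is not mistaken for a hole. The listing embedded below is constructed sample output, not taken from a real system.

```shell
#!/bin/sh
# Read `iptables -nvL` output on stdin and report ACCEPT rules that have
# no in-interface, source, destination or further match restriction.
# Columns of a verbose rule line:
#   pkts bytes target prot opt in out source destination [match ...]
flag_unscoped_accepts() {
    awk '
        /^Chain /    { chain = $2; next }   # remember which chain we are in
        $1 == "pkts" { next }               # skip the column header
        NF == 9 && $3 == "ACCEPT" && $6 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            # in="*" means any interface; a rule bound to "lo" is skipped,
            # and so is any rule carrying an extra match (NF > 9).
            printf "%s: ACCEPT %s on any in-interface from any source with no further match\n",
                   chain, $4
        }'
}

# Constructed sample: the lo-only rule Reco shows, the DHCP-client rule
# from the thread (in -nvL form), and one truly unrestricted rule.
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 12345 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    5   300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           '

# Runs the filter over the constructed sample; on a live host you would
# instead pipe `iptables -nvL` into flag_unscoped_accepts.
run_sample() {
    printf '%s\n' "$SAMPLE" | flag_unscoped_accepts
}

run_sample
```

Only the third rule is reported; the lo-bound rule and the port-matched DHCP rule are left alone.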