RE: ruleset

Hi all and Anthony

Thanks for replying.
In terms of "I know nothing about security", unfortunately I have a
budget and expenditure to worry about; therefore, I can't really afford to
spend too much on machines etc. Therefore I am forced to run a few services on
the FW.

I am running a small DNS server (pdnsd).
And I am running Apache for the sake of my bandwidth logging util (bandwidthd,
bandwithd.sourceforge.org - REALLY NICE TOOL).

Thanks for your assistance and pointers.
Really appreciate it.

Kind Regards
Brent Clark





-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Antony Stone
Sent: Tuesday, July 20, 2004 5:37 PM
To: iptables
Subject: Re: ruleset


On Tuesday 20 July 2004 3:58 pm, Brent Clark wrote:

> Hi all
>
> Below is a copied and pasted ruleset.
> Anyone care to have a look, it would really be appreciated.

<snip...>

> # Allow for resolving of  DNS and lookup from  gate
>
> /sbin/iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
> /sbin/iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state NEW -j ACCEPT
> /sbin/iptables -A FORWARD -p udp --sport 53 -m state --state NEW -j ACCEPT

Is your firewall running a DNS server?   If so, you want the INPUT rule.   If
not (ie: you are passing DNS requests through to somewhere else), you want
the FORWARD rule.   I'd be surprised if you really want both.

Why do you specify source port 53 in the FORWARD rule instead of destination
port 53?   The reply packets are already taken care of by the
ESTABLISHED,RELATED rule.

> # Allow access gate from 192.168.111.0/255.255.255.0
>
> /sbin/iptables -A INPUT -i eth1 -p all -s 192.168.111.0/24 -j ACCEPT

You want *all* machines on 192.168.111.0/24 to have access to *all* services
on the firewall??

> /sbin/iptables -A FORWARD -p all -s 192.168.111.0/24 -d 192.168.111.0/24 -j ACCEPT

This one makes no sense.   Packets from one subnet to another machine on the
same subnet do not go through the firewall.

> # Allow access to port 80(http) and 443(https) to the gate
>
> /sbin/iptables -A INPUT -i eth1 -s 192.168.111.0/24 -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT

You are running an http/s server on the firewall???

> #/sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

You are running an FTP server on the firewall as well as HTTP, HTTPS and
perhaps DNS???   Something makes me think you don't know about good security
practice saying "don't run unnecessary (some people say "any") services on
your firewall, as a compromise of one service can lead to a compromise of the
firewall".

Regards,

Antony.

--
"It would appear we have reached the limits of what it is possible to achieve
with computer technology, although one should be careful with such
statements; they tend to sound pretty silly in five years."

 - John von Neumann (1949)

Please reply to the list; please don't CC me.
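The points raised in the reply above (destination rather than source port for DNS, replies already handled by the ESTABLISHED,RELATED rule, no blanket INPUT accept from the LAN, no FORWARD rule for traffic that stays on one subnet, and LAN-only exposure of whatever services have to live on the firewall) can be turned into a script. The following is an added example and is not part of the thread: it rejoins the quoted ruleset, runs a small lint over it that flags exactly those patterns, and emits a tightened ruleset for the setup Brent describes (pdnsd and Apache for bandwidthd on the firewall). The interface names (eth0 uplink, eth1 LAN), the 192.168.111.0/24 subnet, the logging rule and the masquerading rule are assumptions; the lint checks are mine, not anything shipped with netfilter. `IPT` defaults to `echo /sbin/iptables`, so by default the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 = uplink,
# eth1 = LAN 192.168.111.0/24, pdnsd and apache (for bandwidthd) on the firewall.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.111.0/24}"
IPT="${IPT:-echo /sbin/iptables}"   # dry run by default; IPT=/sbin/iptables applies

original_rules() {
    # The ruleset quoted in the thread, with wrapped lines rejoined.
    cat <<'EOF'
# Allow for resolving of DNS and lookup from gate
/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp --sport 53 -m state --state NEW -j ACCEPT
# Allow access gate from 192.168.111.0/255.255.255.0
/sbin/iptables -A INPUT -i eth1 -p all -s 192.168.111.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -p all -s 192.168.111.0/24 -d 192.168.111.0/24 -j ACCEPT
# Allow access to port 80(http) and 443(https) to the gate
/sbin/iptables -A INPUT -i eth1 -s 192.168.111.0/24 -p tcp -m multiport --dport 80,443 -m state --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
EOF
}

lint_rules() {
    # Reads iptables commands on stdin, one per line, and prints one line per
    # finding. The three checks mirror the objections raised in the thread.
    awk '
    /^ *#/ || !/iptables/ { next }
    /--sport 53/ && /--state NEW/ {
        print "NEW match on source port 53; replies are already covered by ESTABLISHED,RELATED: " $0
    }
    /-A INPUT/ && /-p all/ && !/--dport/ {
        print "INPUT accepts every service on the firewall from a whole subnet: " $0
    }
    /-A FORWARD/ {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") s = $(i + 1)
            if ($i == "-d") d = $(i + 1)
        }
        if (s != "" && s == d)
            print "FORWARD rule for traffic inside one subnet never reaches the firewall: " $0
    }'
}

hardened_rules() {
    # Default-deny for the firewall itself and for forwarded traffic.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the firewall or the LAN opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # pdnsd runs on the firewall, so LAN clients hit port 53 on INPUT
    # (destination port, not source port); no FORWARD rule for DNS is needed.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Apache only serves bandwidthd's reports, so 80/443 are reachable from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # LAN hosts may open new connections towards the uplink; nothing else is forwarded.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Assumption: the firewall masquerades the private LAN (not shown in the thread).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Log (rate-limited) what the default policy drops, so misconfigurations show up in the kernel log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

echo "== findings in the posted ruleset =="
original_rules | lint_rules
echo "== tightened ruleset (printed, not applied, unless IPT is set) =="
hardened_rules
```

Run it as-is to see the four findings the lint raises against the quoted rules and the commands the tightened set would issue; set `IPT=/sbin/iptables` and run as root to apply it, then check `iptables -L -n -v` and watch the kernel log for the `fw-drop:` prefix to see what the default policy is now dropping.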




