Ginter, Jeff A schrieb:
Hello,
I am brand new to the list and couldn't find an easy way to browse the
whole archive, so my apologies if this has been discussed (as it
probably has).
I understand the state concepts, however, I keep seeing example iptable
scripts with the first rule in each chain being something like....ACCEPT
related and established packets.
My first question is...Is that really needed? In my other experiences
with stateful firewalls this rule is not needed because the firewall
remembers the outgoing packet and the rule is implied...or do I have
this very wrong?
Hmm you often will see a default policy of DROP in the filter tables. So
related to the strategy deny all allow needed. Then new connections from
inside to outside are explicitly allowed with the NEW state. Then when
answer packets come back in and reach a filter table and there is no
rule to handle them they will be dropped. Therefor there are the EST.
and REL. states to allow that packets because they should be save enough
as new conns. are only allowed/initiated from inside to outside. Surely
it doensn´t prevent a machine with a freaking worm to spread out ;).
My second question, which may not be totally applicable for this list
is...I have my netfilter/iptables set up on a Redhat 4 Ent WS box...are
the following parameters for hardening still useful and applicable with
the current kernel and distro?
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
Yes they are.
Thanks very much for any help!
Jeff Ginter, CISSP
Computer Associates
Mid-Atlantic Consulting Manager
tel: +1 908 874-9726
cell: +1 609 577-1494
jeff.ginter@xxxxxx
