Hi all,
I am just wondering is there a best practice when it comes to ordering your stateful rules?
Presumably you want to place stateful traffic filtering before your stateless traffic.
Rule 1: allow VPN access by stateful filtering
iptables -A INPUT -p tcp -s 0/0 -d vpnIP --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Rule 2: allow VPN access by statelessfiltering
iptables -A INPUT -p tcp -s 0/0 -d vpnIP --dport 22 -j ACCEPT
Rule 3: a crazy rule!
iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
From the above 3 rules it is obvious that there is a requirement that stateful rules come
before stateless rules to ensure they are matched and that stateless rules are only matched
in the event of stateful fallover (crash).
But I guess there are times when you want stateless rules first, particularly stateless DROP
rules. For example, port scanning (tcp flag matches) and spoofed reserved ip addresses.
Is there any particular guides/documentation that outline best practices when ordering
statefull and stateless rules?
My guess is there isn't and abstract best practice compliance guides like PCI DSS,
NIST-800-41 etc provide no insight as to how administrates maintain their own low-level best
practice rule orderings.
What are your experiences in ordering rule-sets? Is it more drive by instinct rather than
hard and fast rules.
regards,
Will.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
