From: "Rob Sterenborg" <rob@sterenborg.info>
To: netfilter@lists.netfilter.org
Subject: Re: Is this firewall good enough?
Date: Tue, 8 Jun 2004 11:44:25 +0200
Message-ID: <001c01c44d3d$31567530$1201a8c0@admin>
In-Reply-To: 20040608091436.84113.qmail@web14712.mail.yahoo.com

> I have set up the firewall with following rules:
>
> 1.  /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1
> -j ACCEPT

You could place this rule below the next, because this rule only matches
the first packet and the rest will be RELATED or ESTABLISHED.
This is done for performance reasons. When you look at the byte counters
of each rule, you'll notice that the rule below matches the most packets
by far.
However, you don't have a large script so I think you won't notice the
difference.

> 2.  /sbin/iptables -A INPUT -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT

I don't think you'll use tcp only. E.g. for DNS you need udp too, see
below.
Maybe it's better not to specify a protocol at all since this rule is
supposed to match all subsequent packets that have matched below.

> 3.  /sbin/iptables -A INPUT -p tcp --dport 20  --syn
> -j ACCEPT #ftp-data

You don't need the above rule. The initial connection is made to port
21/tcp. Port 20/tcp is RELATED.

> 4.  /sbin/iptables -A INPUT -p tcp --dport 21  --syn
> -j ACCEPT #ftp
> 5.  /sbin/iptables -A INPUT -p tcp --dport 22  --syn
> -j ACCEPT #ssh
> 6.  /sbin/iptables -A INPUT -p tcp --dport 25  --syn
> -j ACCEPT #smtp

> 7.  /sbin/iptables -A INPUT -p tcp --dport 53  --syn
> -j ACCEPT #DNS

DNS uses udp for normal lookups. Only in special cases is tcp used.

> 8.  /sbin/iptables -A INPUT -p tcp --dport 80  --syn
> -j ACCEPT #http
> 9.  /sbin/iptables -A INPUT -p tcp --dport 110 --syn
> -j ACCEPT #POP3
> 10. /sbin/iptables -A INPUT -p tcp --dport 143 --syn
> -j ACCEPT #IMAP
> 11. /sbin/iptables -A INPUT -p tcp --dport 443 --syn
> -j ACCEPT #https
> 12. /sbin/iptables -A INPUT -p tcp --dport 465 --syn
> -j ACCEPT #smtp over SSL
> 13. /sbin/iptables -A INPUT -p tcp --dport 993 --syn
> -j ACCEPT #IMAP over SSL
> 14. /sbin/iptables -A INPUT -p tcp --dport 995 --syn
> -j ACCEPT #POP3 over SSL

> 15. /sbin/iptables -P INPUT DROP
> 16. /sbin/iptables -P FORWARD DROP
> 17. /sbin/iptables -P OUTPUT ACCEPT

Put these 3 on top of your script so that the server is closed (almost)
immediately, depending on the script startup order, and after that the
appropriate ports are opened.

> I have following queries regarding the above firewall:
>
> 1. Does this effectively offer connections ONLY to the
> services I offer and nothing more than that?

Yes.

> 2. Does the rule 2 create any security loophole?

No, not that I know of.

> 3. This firewall allows passive as well as non-passive
> FTP connections. Is passive FTP connections   a
> security threat?

FTP is not secure by nature; nothing is encrypted so everything can be
sniffed etc.
You could also do sftp (from OpenSSH, also running on port 22/tcp) but
that's a subsystem of SSH and not as customizable as most FTP servers
(afaik: on or off).

> 4. Is this firewall good enough to protect the server?
> If no, could you kindly comment how could I improve
> further?

You could check for tcp_flags. Certain combinations can be logged and/or
dropped.
Packets with state INVALID could normally be safely dropped.


Gr,
Rob
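The posted ruleset rewritten along the lines of the remarks above (policies
first, the state rule before the loopback rule and without -p tcp, no rule for
20/tcp, 53/udp added, INVALID packets and odd tcp flag combinations dropped).
This is an added example, not code from the original thread. Assumptions that
are not in the mail: IPT defaults to echoing the commands so the script can be
reviewed on any box without root, set IPT=/sbin/iptables to actually load them;
the loopback rule matches on the lo interface instead of on 127.0.0.1 addresses
(a packet from the wire with a forged 127.0.0.1 source then no longer matches);
the four flag combinations are one common choice, the mail only says "certain
combinations"; the FTP helper module is ip_conntrack_ftp on 2.4/early 2.6
kernels (nf_conntrack_ftp later).

```shell
#!/bin/sh
# Example ruleset for the server discussed in the thread (added example).
# IPT is assumed: with the default it only prints the commands (dry run);
# IPT=/sbin/iptables sh thisscript loads them for real (needs root).
IPT=${IPT:-"echo /sbin/iptables"}

# Services the server offers (from the posted rules, 20/tcp left out):
# ftp ssh smtp dns http pop3 imap https smtps imaps pop3s
TCP_PORTS="21 22 25 53 80 110 143 443 465 993 995"
# DNS needs udp as well; only zone transfers and large answers use tcp.
UDP_PORTS="53"

apply_rules() {
    # 1. Policies on top: from here on the box is closed, the rules below
    #    only open what is needed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 2. The state rule first, it matches by far the most packets. No -p tcp,
    #    so udp (DNS) and icmp replies are covered too.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Loopback. Only the first packet of a local connection gets this far,
    #    the rest is ESTABLISHED. Interface match instead of 127.0.0.1/127.0.0.1
    #    (assumption, see lead-in).
    $IPT -A INPUT -i lo -j ACCEPT

    # 4. Drop what conntrack cannot classify and flag combinations that no
    #    normal stack sends (the four below are one common choice).
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP           # XMAS scan
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # 5. Open the offered services. --syn: only connection openers match,
    #    everything after the handshake is caught by the state rule.
    for p in $TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" --syn -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # No rule for 20/tcp: the active mode data connection is RELATED to the
    # 21/tcp control session once the ftp helper (ip_conntrack_ftp) is loaded.
}

apply_rules
```

Run it once without IPT set and read the printed commands top to bottom; the
order is the point of the exercise, the port list is just the one from the
original mail.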



Thread overview: 26+ messages
2004-06-08  9:14 Is this firewall good enough? Sagara Wijetunga
2004-06-08  9:42 ` Feizhou
2004-06-08  9:57   ` Antony Stone
2004-06-08 15:03     ` Feizhou
2004-06-08 15:23       ` Antony Stone
2004-06-08 20:11         ` Feizhou
2004-06-09  9:48           ` Antony Stone
2004-06-09 10:03             ` Feizhou
2004-06-08 16:17       ` David Cannings
2004-06-08 20:14         ` Feizhou
2004-06-09  9:28           ` Jozsef Kadlecsik
2004-06-09  9:57             ` Feizhou
2004-06-09 11:05               ` Jozsef Kadlecsik
2004-06-09 13:18                 ` Feizhou
2004-06-09 13:23                 ` Feizhou
2004-06-09  8:36       ` Sagara Wijetunga
2004-06-08  9:44 ` Rob Sterenborg [this message]
2004-06-09  8:14   ` Sagara Wijetunga
2004-06-09  9:56     ` Rob Sterenborg
2004-06-09 15:12     ` Aleksandar Milivojevic
2004-06-09 15:15       ` Aleksandar Milivojevic
2004-06-11 14:24         ` Sagara Wijetunga
2004-06-08  9:55 ` Antony Stone
2004-06-08 12:38 ` Chris Brenton
2004-06-09  7:32   ` Sagara Wijetunga
2004-06-09 13:47     ` Chris Brenton