* I submit you my rules, to have your opinions.
From: Rakotomandimby Mihamina @ 2004-03-12 12:36 UTC (permalink / raw)
To: Netfilter Mailing List
Hi everybody.
I made several searches over the internet to build my firewall rules.
Here they are :
http://stko.dyndns.info/scripts/ipt
My configuration is (for the moment)
a single box I use as a personal web server, FTP server and Icecast
stream server.
I also have a sendmail server running on it (needed by the portal of my
site to notify members ... )
I try to "sort" the different kinds of attacks (I don't know if I'm doing
it right ...) and DROP everything that would "eat" the bandwidth.
I don't IRC or P2P.
I would like you, if you would too :-), to tell me if my set of rules
is OK, if I should change something, or if there is a dumbass mistake
in it. The goal is of course getting the _closest_ to 100% secure ...
Thank you in advance.
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina
* Re: I submit you my rules, to have your opinions.
From: Antony Stone @ 2004-03-12 12:52 UTC (permalink / raw)
To: Netfilter Mailing List
On Friday 12 March 2004 12:36 pm, Rakotomandimby Mihamina wrote:
> Hi everybody.
> I made several searches over the internet to build my firewall rules.
> Here they are :
> http://stko.dyndns.info/scripts/ipt
I really think you should restrict the rules:
> # My ISP DNS's ... is it correct to put this like that ?
> iptables -A INPUT -s 193.252.19.3 -j ACCEPT
> iptables -A INPUT -s 193.252.19.4 -j ACCEPT
so that they only allow DNS packets (TCP + UDP, both port 53). There's no
reason to give your ISP's DNS servers free access to everything on your
firewall.
You don't actually need:
> iptables -A INPUT -p tcp --dport 20 -j ACCEPT
because you already have:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This rule will allow FTP data connections on port 20 as being RELATED to the
control connection on port 21.
SSH doesn't use UDP, so no need for this rule:
> iptables -A INPUT -p udp --dport 22 -j ACCEPT
Same for HTTP, FTP, NNTP and POP3 - they don't use UDP, so remove these rules:
> iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 21 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 119 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 110 -j ACCEPT
Regards,
Antony.
--
There's no such thing as bad weather - only the wrong clothes.
- Billy Connolly
Please reply to the list;
please don't CC me.
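The two problems Antony points out (a source-only ACCEPT that gives a host free access, and UDP opened for services that only speak TCP) can be caught mechanically. This is an added example, not the poster's script nor anything from the thread: a small POSIX sh linter over a constructed rule file built from the quoted rules, plus the narrowed form of the ISP-DNS rules. It assumes one "iptables ..." command per line.

```shell
#!/bin/sh
# Added example, not the poster's script: lint a rule file for the two patterns
# Antony flagged (a source-only ACCEPT with no protocol/port, and a UDP ACCEPT
# for a TCP-only service) and emit the narrowed form of the ISP-DNS rules.
# Assumed: one "iptables ..." command per line, as in the quoted rules.

# Constructed sample built from the rules quoted in the thread.
SAMPLE_RULES='iptables -A INPUT -s 193.252.19.3 -j ACCEPT
iptables -A INPUT -s 193.252.19.4 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT'

# Services the thread names as TCP-only: ftp ssh http pop3 nntp
TCP_ONLY_PORTS='21 22 80 110 119'

# lint_rules: reads rules on stdin, prints one finding per problem rule
lint_rules() {
    while IFS= read -r rule; do
        case "$rule" in *" -j ACCEPT"*) ;; *) continue ;; esac
        # -s with no protocol, port or state match gives that host full access
        case "$rule" in
            *" -s "*)
                case "$rule" in
                    *" -p "*|*"--dport"*|*"--sport"*|*"-m state"*) ;;
                    *) echo "UNRESTRICTED-SOURCE: $rule" ;;
                esac ;;
        esac
        # UDP opened for a service that only speaks TCP
        case "$rule" in
            *" -p udp "*)
                port=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
                for p in $TCP_ONLY_PORTS; do
                    [ "$port" = "$p" ] && echo "UDP-ON-TCP-SERVICE: $rule"
                done ;;
        esac
    done
    return 0
}

# restricted_dns_rules ip...: the narrowed replacement Antony suggests, limited
# to DNS traffic (TCP and UDP, port 53) from the named resolvers
restricted_dns_rules() {
    for ip in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -s $ip -p $proto --sport 53 -j ACCEPT"
        done
    done
}

printf '%s\n' "$SAMPLE_RULES" | lint_rules
restricted_dns_rules 193.252.19.3 193.252.19.4
```

Running it against the sample reports the two source-only rules and the two UDP rules, and leaves the RELATED,ESTABLISHED and TCP port 21 rules alone.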
* Re: I submit you my rules, to have your opinions.
From: Rakotomandimby Mihamina @ 2004-03-12 14:16 UTC (permalink / raw)
To: Netfilter Mailing List
Antony Stone wrote:
>>I made several searches over the internet to build my firewall rules.
>>Here they are :
>>http://stko.dyndns.info/scripts/ipt
> I really think you should restrict the rules:
I did as you say, but I don't know the destination and/or source port of
the answer from the DNS.
Or is it just a "related to established" so that I don't have to care
about the answer?
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina
* Re: I submit you my rules, to have your opinions.
From: Rakotomandimby Mihamina @ 2004-03-12 14:20 UTC (permalink / raw)
To: netfilter
Now my rules are:
http://stko.dyndns.info/scripts/ipt2
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina
* Re: I submit you my rules, to have your opinions.
From: Antony Stone @ 2004-03-12 14:42 UTC (permalink / raw)
To: Netfilter Mailing List
On Friday 12 March 2004 2:16 pm, Rakotomandimby Mihamina wrote:
> Antony Stone wrote:
> >>I made several searches over the internet to build my firewall rules.
> >>Here they are :
> >>http://stko.dyndns.info/scripts/ipt
> >
> > I really think you should restrict the rules:
>
> I did as you say, but I don't know the destination and/or source port of
> the answer from the DNS.
DNS servers respond from source port 53. This is the same as all protocols -
the response comes back from the same source port that you send the request
to as a destination port - i.e. HTTP responses come from source port 80; SMTP
responses come from source port 25, etc.
> OR is it just a "related to established" so that i dont have to care
> about the answer ?
If all you want is to allow replies from your ISP's DNS servers in response to
queries you sent out, then yes, those replies will be covered by the
ESTABLISHED rule.
If you are running authoritative DNS for a zone and you need to allow external
queries to your server then you need to allow NEW packets in to TCP & UDP
destination ports 53 (however I do not think this is what you are doing).
Regards,
Antony.
--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.
Please reply to the list;
please don't CC me.
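The distinction Antony draws (replies to your own queries come back from source port 53 and match the ESTABLISHED rule; an authoritative server additionally needs NEW packets accepted to destination port 53) can be shown with a toy model of the connection tracking. This is an added example and not part of the thread: a POSIX sh sketch in which an outgoing query is recorded, and an incoming packet is then classified and judged under the two rulesets. The ISP resolver address 193.252.19.3 is from the thread; the ephemeral port and the remote address 198.51.100.9 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a toy model of the conntrack logic Antony
# describes. An incoming packet is ESTABLISHED when it answers a query we sent
# (same protocol and peer, and it comes back from the port we sent to);
# anything else is NEW. Real conntrack also tracks our own address and timeouts.

STATE_FILE=$(mktemp)

# record_outgoing proto dst dport sport : note a query we sent, as conntrack would
record_outgoing() {
    echo "$1 $2 $3 $4" >> "$STATE_FILE"
}

# classify_incoming proto src sport dport : prints NEW or ESTABLISHED
classify_incoming() {
    if grep -qxF "$1 $2 $3 $4" "$STATE_FILE"; then
        echo ESTABLISHED
    else
        echo NEW
    fi
}

# decide role proto src sport dport : ACCEPT or DROP under the thread's rulesets
#   role=client        : only "-m state --state RELATED,ESTABLISHED -j ACCEPT"
#   role=authoritative : the client rule plus NEW packets to TCP/UDP dport 53
decide() {
    role=$1; shift
    state=$(classify_incoming "$@")
    if [ "$state" = ESTABLISHED ]; then echo ACCEPT; return 0; fi
    if [ "$role" = authoritative ] && [ "$4" = 53 ]; then echo ACCEPT; return 0; fi
    echo DROP
}

# Constructed scenario: we query the ISP resolver from ephemeral port 40000
record_outgoing udp 193.252.19.3 53 40000

# The reply comes back from sport 53 to our port 40000: ESTABLISHED, accepted
decide client udp 193.252.19.3 53 40000
# An unsolicited query from elsewhere to our dport 53: NEW, dropped as a client
decide client udp 198.51.100.9 41000 53
# The same query when we run an authoritative server: accepted by the dport 53 rule
decide authoritative udp 198.51.100.9 41000 53
```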
* Re: I submit you my rules, to have your opinions.
From: Rakotomandimby Mihamina @ 2004-03-14 18:49 UTC (permalink / raw)
To: Netfilter Mailing List
My rules are now :
http://stko.dyndns.info/scripts/ipt3
Comments are welcome. :-)
Some reminders:
My configuration is (for the moment)
a single box I use as a personal web server, FTP server and Icecast
stream server.
I use it for desktop use too; I'm the only user. I need to browse
the internet and to pop and send my mail (and follow my favourite Usenet
NGs) through my ISP's servers.
I also have a sendmail server running on it (needed by the portal of my
site to notify members ... )
Thank you very much for all.
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina