* going default DROP
@ 2004-09-25  5:31 Askar
  2004-09-25 12:59 ` Alexis
  2004-09-26 20:33 ` Jose Maria Lopez
  0 siblings, 2 replies; 3+ messages in thread
From: Askar @ 2004-09-25  5:31 UTC (permalink / raw)
  To: netfilter

hi,

Okay, now I seriously want to convert the default-ACCEPT firewall
machine from my predecessor to default DROP, because it is very hard to
maintain a default-ACCEPT firewall and I'm getting tired of monitoring
tcpdump and then adding new rules to the firewall script.
As I said before, it is a small ISP (limitations: no more than 150
users at a time) and our clients connect to us via dialup.
Before deploying my desired firewall script I want to monitor the
users' traffic for a while; maybe I will go out and interview a few
cyber cafes, to decide *what* to DROP and which packets to allow.
Remember our clients are not power users; they are very normal in nature:
when online the majority of them access port 80, IM, chatting,
email, IRC etc. We have set up a "squid" cache for port 80 related
things and it is doing very well.
Therefore I think it would not be difficult to deploy a default DROP
script; yes, maybe in the first days we could lose a few clients ;)
I'm kinda new to security and iptables stuff, but I want to
prove that this sort of policy is possible in a (small) ISP environment.

= Now can someone guide me on what is a good way to monitor traffic, i.e.
what ports clients are accessing, and then in the light of this I would
finalize my script.
= Any sample scripts for such an environment, and links?
Any other suggestions would be greatly appreciated.

regards
Askar

-- 
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)



* RE: going default DROP
  2004-09-25  5:31 going default DROP Askar
@ 2004-09-25 12:59 ` Alexis
  2004-09-26 20:33 ` Jose Maria Lopez
  1 sibling, 0 replies; 3+ messages in thread
From: Alexis @ 2004-09-25 12:59 UTC (permalink / raw)
  To: 'Askar', 'netfilter'

As an ISP, I think you will start to have a problem with your customers if
you try to block anything that the people who pay you want to do.

I mean, if they pay, they must have a way to use what they want as regards
ports and protocols, but here are some tips for this situation.


- Thinking about the outbound traffic (the traffic you forward from your
customers to the Internet), the following could be the defaults:
	-> anything will pass (configure this with conntrack)
	-> if you want, use a cache for some traffic to save some bandwidth
	-> maybe you can apply some limits just in case some of your users
have a virus or something on their boxes that may try a DoS. So for the
customer traffic you may apply SYN flood limits, bad-packet filters, and
some protections that could save you big problems as the party responsible
for your IP block.

Now, thinking about the traffic that the Internet sends to your users, in
this case I'd think the following:

	-> DROP is the policy (no new connections; this is why conntrack)
	-> in case you want to watch the denied traffic you could use
		--> a LOG/ULOG rule to log and review the denied packets
		--> tethereal is a great tool, and you can use capture
filters with tcpdump format

This could show you if there's any flow you could accept for your customers.


As experience and advice, always notify your customers that you'll be
"touching" things and it may affect the service, and of course try to do it
at the time of day when there are fewer users. And always keep a way to
roll back until you have totally tested the final solution.


Regards

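A FORWARD-chain script that implements the two halves Alexis describes (conntrack pass-through and SYN limits for customer traffic; DROP policy plus a LOG rule for unsolicited inbound). It is added here as an example and is not code from anyone in the thread; the interface names ppp+/eth0 and the customer pool 10.0.0.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Default-DROP FORWARD chain for a small dialup ISP gateway, following the
# advice given in this thread: established/related traffic passes via
# conntrack, customers may open new connections outward (SYN rate-limited
# so an infected box cannot flood from the ISP's address block), and
# unsolicited inbound traffic is logged and then dropped by the policy.
# Example script added to this thread, not code from any of the posters.
# Interface names and the customer pool below are assumed placeholders.
set -eu

IPT="${IPT:-iptables}"        # set IPT=echo to print the rules instead
INSIDE="${INSIDE:-ppp+}"      # dialup interfaces facing the customers
OUTSIDE="${OUTSIDE:-eth0}"    # upstream link
POOL="${POOL:-10.0.0.0/24}"   # constructed customer address pool

# Start from a clean chain whose policy denies anything not matched below.
flush_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
}

apply_forward_rules() {
    # 1. conntrack: packets of already accepted flows pass both ways
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. malformed or out-of-state packets are discarded early
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # 3. new TCP connections from customers: accept up to a SYN budget;
    #    anything above it is the "virus trying a DoS" case, so drop it
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$POOL" -p tcp --syn \
        -m limit --limit 20/second --limit-burst 50 -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$POOL" -p tcp --syn -j DROP
    # 4. any other new outbound flow from the customer pool passes
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$POOL" \
        -m state --state NEW -j ACCEPT
    # 5. unsolicited inbound toward customers: log a rate-limited sample,
    #    then let the DROP policy take it; review this log before opening holes
    $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -m state --state NEW \
        -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
}

# Rules are only installed when asked for explicitly: sh fw.sh apply
if [ "${1:-}" = "apply" ]; then
    flush_rules
    apply_forward_rules
fi
```

Run as root with `sh fw.sh apply`; with `IPT=echo sh fw.sh apply` it only prints the rules so they can be reviewed before touching the live box.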

* Re: going default DROP
  2004-09-25  5:31 going default DROP Askar
  2004-09-25 12:59 ` Alexis
@ 2004-09-26 20:33 ` Jose Maria Lopez
  1 sibling, 0 replies; 3+ messages in thread
From: Jose Maria Lopez @ 2004-09-26 20:33 UTC (permalink / raw)
  To: netfilter

I think the approach you are using is the correct one when dealing with
an ISP-like configuration. You probably don't have power users, but
be sure that normal users are the more problematic ones, because they
will often want to use nonstandard ports, like when using games,
IM chat, DCC and things like that. You should make a study of what
traffic your users are using and then DROP only the traffic that can
be harmful. It's not an easy way of configuring a firewall, but I think
it's the more intelligent one when you are an ISP and you don't want
your users to be complaining all the time.


-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Computer Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


