Linux Netfilter discussions
* RE: new iptables user - default options
From: Knight, Steve @ 2003-10-28 12:54 UTC
  To: netfilter

Thanks Robert - I appreciate your response.

I have to say I'd agree - it seems to be more of a belt and braces approach
to use your suggestion, and more in the spirit of what we were told in
checkpoint kindergarten ["deny everything unless explicitly asked" - also
sounds a bit like being married].

Are the rules in each chain processed top down?

steve






-----Original Message-----
From: Robert P. J. Day [mailto:rpjday@mindspring.com] 
Sent: 28 October 2003 12.34
To: Knight, Steve
Cc: netfilter@lists.netfilter.org
Subject: Re: new iptables user - default options


On Tue, 28 Oct 2003, Knight, Steve wrote:

> Hi there
> 
> Rh9 has installed all the default filter policies as "accept" and then
> forwards all packets from INPUT and FORWARD to a Lokkit chain.
> 
> Is this normal?  It seems to me [as an iptables n00b, although I am
> checkpoint certified] to be ok, as eventually the traffic is hitting the
> detailed lokkit chain, but is this the default install options that
> everyone gets?

it seems that it's just a philosophical difference.  you can set the
DENY policy, then explicitly accept only what you want, or as RH did,
accept everything only to pass it all to a user-defined chain that
effectively does the same thing.

personally, i'd rather see a DENY policy so that, if i somehow messed
up some of my rules, i'm more likely to be *more* restrictive than
less restrictive.  but RH's approach seems no worse, just different.

rday





-----------------------------------------------------------------------
Information in this email may be privileged, confidential and is 
intended exclusively for the addressee.  The views expressed may
not be official policy, but the personal views of the originator.
If you have received it in error, please notify the sender by return
e-mail and delete it from your system.  You should not reproduce, 
distribute, store, retransmit, use or disclose its contents to anyone.
 
Please note we reserve the right to monitor all e-mail
communication through our internal and external networks.
-----------------------------------------------------------------------



* RE: new iptables user - default options
From: Knight, Steve @ 2003-10-28 16:39 UTC
  To: netfilter

Thanks to both Rob S and Rob D

In other words putting "accept from anywhere -m --state ESTABLISHED,RELATED"
on each of the default chains allows any traffic that's related to an
existing permitted connection.  Should that be at the top [first rule match
wins?] of each table?



-----Original Message-----

From: Robert P. J. Day [mailto:rpjday@mindspring.com] 
Sent: 28 October 2003 4.22
To: Knight, Steve
Cc: netfilter@lists.netfilter.org
Subject: RE: new iptables user - default options


On Tue, 28 Oct 2003, Knight, Steve wrote:

> I get the picture - so you can have "external-SSHD-access" chain, and
> "external-SMTP-access" chain, rather than a huge pile of rules which you
> could risk blamming, in a rushed moment.
> 
> I have mr Ziegler's esteemed tome [it seemed to be v highly regarded after
> a snoop around googly groups] and it's damn fine, it's what I'm working from
> to configure my fw.  It's so rigorous though that I can get easily lost in
> there!
> 
> Sorry for the ultra-lamer question now...
> 
> is it the case that for each rule on the INPUT chain you must have the
> corresponding OUTPUT rule also?  i.e. if I say
> 
> <pseudocode>
> Accept from ANYWHERE spt:1024...65535 LOCALHOST dpt:22
> </pseudocode>
> 
> Do I also have to put a corresponding response rule in --- 
> 
> Accept from LOCALHOST spt:22 ANYWHERE dpt:1024...65535
> 
> In order to allow the response through?
> OR does the fact I've put an "accept from anywhere to SSHD" rule, imply that
> I want to allow the service to respond.
> 
> Again, sorry for what seems like an ultra stupid question, but it's not 100%
> clearly stated in ziegler, at least after two reads of the relevant chapter.

what you want in ziegler is in the middle of p. 120 -- the rules to
allow all incoming and outgoing traffic that's RELATED,ESTABLISHED.
what those rules do is allow all traffic in either direction that's
*related* to an existing connection.  so you just need to set up
your rules to allow/deny the *initial* request, and those two rules
will automatically use connection tracking to allow subsequent traffic
that's related to that original request.

rday





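The behaviour discussed in this exchange (rules tried top-down with the first match deciding, the ESTABLISHED,RELATED rule covering reply traffic without per-port response rules, and a DROP policy failing closed where an ACCEPT policy fails open if a rule goes missing) as a small added Python model. This is example code written for this page, not from the thread, Red Hat or lokkit; the chain name `lokkit`, the rule sets and the packets are constructed for illustration.

```python
# Added example, not from the thread: a toy model of how netfilter walks chains.
# Rules are tried top-down and the first match decides; a jump into a user-defined
# chain that reaches its end returns to the caller; the policy applies only when
# nothing matched. Chain name "lokkit", rules and packets are constructed here.

ESTABLISHED_RELATED = ("ESTABLISHED", "RELATED")

def verdict(chains, policies, chain, pkt):
    """ACCEPT/DROP for pkt entering `chain`; None if a user chain falls off its end."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue                                   # no match: next rule down
        if target in ("ACCEPT", "DROP"):
            return target                              # first matching rule wins
        if target == "RETURN":
            break
        sub = verdict(chains, policies, target, pkt)   # jump to a user-defined chain
        if sub is not None:
            return sub
        # the user chain gave no verdict: carry on with the next rule here
    return policies.get(chain)                         # built-in: policy; user chain: None

def established(p):
    return p["state"] in ESTABLISHED_RELATED

def new_tcp_to(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port and p["state"] == "NEW"

def build(policy, with_final_drop):
    """RH9-style layout: INPUT hands every packet to a user chain that does the real work."""
    lokkit = [(established, "ACCEPT"),                 # conntrack rule first: replies pass
              (new_tcp_to(22), "ACCEPT")]              # then the allowed initial requests
    if with_final_drop:                                # False models a lost catch-all DROP
        lokkit.append((lambda p: True, "DROP"))
    chains = {"INPUT": [(lambda p: True, "lokkit")], "lokkit": lokkit}
    return chains, {"INPUT": policy}

def decide(policy, with_final_drop, pkt):
    chains, policies = build(policy, with_final_drop)
    return verdict(chains, policies, "INPUT", pkt)

SSH_NEW   = {"proto": "tcp", "dport": 22,    "state": "NEW"}
SMTP_NEW  = {"proto": "tcp", "dport": 25,    "state": "NEW"}
SSH_REPLY = {"proto": "tcp", "dport": 40000, "state": "ESTABLISHED"}  # reply to our connection

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        for intact in (True, False):
            print(policy, "catch-all kept" if intact else "catch-all lost",
                  {n: decide(policy, intact, p)
                   for n, p in (("ssh", SSH_NEW), ("smtp", SMTP_NEW), ("reply", SSH_REPLY))})
```

With the catch-all DROP lost, the ACCEPT-policy layout lets the SMTP request through while the DROP-policy layout still blocks it; the ESTABLISHED reply is accepted in every case because the conntrack rule sits at the top.
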
* RE: new iptables user - default options
From: Knight, Steve @ 2003-10-28 16:08 UTC
  To: netfilter

I get the picture - so you can have "external-SSHD-access" chain, and
"external-SMTP-access" chain, rather than a huge pile of rules which you
could risk blamming, in a rushed moment.

I have mr Ziegler's esteemed tome [it seemed to be v highly regarded after a
snoop around googly groups] and it's damn fine, it's what I'm working from
to configure my fw.  It's so rigorous though that I can get easily lost in
there!

Sorry for the ultra-lamer question now...

is it the case that for each rule on the INPUT chain you must have the
corresponding OUTPUT rule also?  i.e. if I say

<pseudocode>
Accept from ANYWHERE spt:1024...65535 LOCALHOST dpt:22
</pseudocode>

Do I also have to put a corresponding response rule in --- 

Accept from LOCALHOST spt:22 ANYWHERE dpt:1024...65535

In order to allow the response through?
OR does the fact I've put an "accept from anywhere to SSHD" rule, imply that
I want to allow the service to respond.

Again, sorry for what seems like an ultra stupid question, but it's not 100%
clearly stated in ziegler, at least after two reads of the relevant chapter.

Thanks :D

steve




-----Original Message-----
From: Robert P. J. Day [mailto:rpjday@mindspring.com] 
Sent: 28 October 2003 1.14
To: Knight, Steve
Cc: netfilter@lists.netfilter.org
Subject: RE: new iptables user - default options


On Tue, 28 Oct 2003, Knight, Steve wrote:

> Thanks Robert - I appreciate your response.
> 
> I have to say I'd agree - it seems to be more of a belt and braces approach
> to use your suggestion, and more in the spirit of what we were told in
> checkpoint kindergarten ["deny everything unless explicitly asked" - also
> sounds a bit like being married].
> 
> Are the rules in each chain processed top down?

yup, which is why many folks recommend setting up some user-defined
chains to break the processing down into more efficient and bite-sized
pieces (unless you have a very small set of rules, then it's not
really worth it).

so far, the more comprehensive treatment of iptables i've seen is
ziegler's new riders book, particularly the lengthy examples of 
rulesets he supplies.

rday





* new iptables user - default options
From: Knight, Steve @ 2003-10-28 12:12 UTC
  To: netfilter

Hi there

Rh9 has installed all the default filter policies as "accept" and then
forwards all packets from INPUT and FORWARD to a Lokkit chain.

Is this normal?  It seems to me [as an iptables n00b, although I am
checkpoint certified] to be ok, as eventually the traffic is hitting the
detailed lokkit chain, but is this the default install options that everyone
gets?

Cheers

Steve

