Running Debian lenny. I run a web server and try to keep all other
ports closed. Would like to get some feedback on my firewall. If you
have any suggestions for rules to add or other changes please let me
know. Also what are some other steps I can take next to further
increase my security?
iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Zach
--
To UNSUBSCRIBE, email to debian-fire...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Hi,
There are no default policies in your rules... you should set them.
You can follow these tutorials to improve your firewall rules:
http://beginlinux.wordpress.com/2008/06/16/build-a-simple-iptables-firewall/
http://www.cyberdogtech.com/firewalls/
http://www.debian-administration.org/article/Question_A_good_iptables_tutorial
I found them very useful when creating my configuration.
--
Matteo Filippetto
Since you only need one (two if you want SSL) port open set the default
policy to DROP and only open those you need.
Google's your friend - there are plenty of tutorials on the web.
Cheers,
--
Raf
http://www.catb.org/~esr/faqs/smart-questions.html
If the server is only a web server and you're only worried about inbound
connections, then I'd suggest just keeping the other ports closed (i.e.
don't have any services listening on them) and dropping iptables altogether.
Using a packet filter to block inbound traffic is futile if your ports
are already closed. By not using a packet filter you also avoid the risk
of vulnerabilities in the packet filter's code being exploited.
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
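A check that goes with the advice above about keeping ports closed, added here as an example and not posted by anyone in the thread: a POSIX sh function that reads `ss -ltn` or `netstat -tln` output and reports every TCP listener whose port is not on an allow-list, so you can confirm that only the web server is actually listening. The function names, the allow-list and the sample socket listing are constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): report TCP listeners whose port
# is not in an allow-list. Reads `ss -ltn` or `netstat -tln` output on stdin.
# Usage on a live host:  ss -ltn | audit_listeners "80 443"
audit_listeners() {
    allowed=" $1 "
    rc=0
    # Column 4 is Local Address:Port in both ss -ltn and netstat -tln output.
    for addr in $(awk '/LISTEN/ { print $4 }'); do
        port=${addr##*:}            # works for 0.0.0.0:80, [::]:80 and :::80
        case "$allowed" in
            *" $port "*) ;;         # an expected service
            *) echo "unexpected listener: $addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `ss -ltn` output for offline demonstration; not real data.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306        0.0.0.0:*'

# Number of listeners in the sample that are not on the given allow-list.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "$1" | wc -l | tr -d ' '
}
```

Run against the sample with an allow-list of just 80, the function flags the listeners on 25 and 3306 and returns non-zero; a listener bound to 127.0.0.1 is still reported, since the point of the check is to know about every service that is running, and whether it needs to be.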
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
You should restrict RELATED to ICMP. For TCP and UDP, RELATED can
open up your internal network to the outside world (depending on what
firewall helpers you have loaded).
--kj
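The following script is an added example, not something posted by anyone in the thread. It combines the two suggestions made above: Matteo's and Raf's point that the default policy should be DROP with only the web ports opened, and kj's point that RELATED should be accepted only for ICMP. It assumes eth0 as the external interface (as in Zach's rules) and ports 80 and 443; fw_rules, apply_rules and related_without_icmp are names invented for this example.

```shell
#!/bin/sh
# Hypothetical firewall script (not from the thread): default DROP policies,
# only the web ports open, and RELATED limited to ICMP. fw_rules prints the
# commands so the rule set can be reviewed before it touches the kernel.
WAN_IF=${WAN_IF:-eth0}          # assumed external interface, as in Zach's rules
WEB_PORTS=${WEB_PORTS:-80,443}  # 443 only matters if the site serves HTTPS

fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback traffic must stay allowed once INPUT defaults to DROP.
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (bad TCP flags, stray ACKs) are dropped.
iptables -A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -j DROP
# Replies on connections we already track, for every protocol.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# RELATED only for ICMP errors (destination-unreachable, fragmentation needed);
# a loaded conntrack helper such as the FTP one can otherwise mark brand-new
# inbound TCP/UDP connections as RELATED and let them through.
iptables -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# The only services exposed on the external interface.
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports $WEB_PORTS -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Apply the rules; needs root. Run `fw_rules` alone first to review them.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    fw_rules | sh -e
}

# Review helper: number of rules that accept RELATED without restricting it
# to ICMP. Should be 0 for this rule set.
related_without_icmp() {
    fw_rules | grep -- '--ctstate RELATED' | grep -vc -- '-p icmp'
}
```

With INPUT defaulting to DROP, the separate "NEW on eth0 -> DROP" rule from the original set is no longer needed: anything not explicitly accepted is dropped, including NEW connections to ports other than those in WEB_PORTS. The ESTABLISHED and RELATED states are split into two rules so that RELATED can carry the `-p icmp` restriction while ESTABLISHED still covers all protocols.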