I am setting up a firewall for home use. Behind the firewall will only sit one (maybe two) computers. My firewall box is running a 2.2.19 kernel with ipchains. I have been setting up my ipchains ruleset using Robert Ziegler's Linux Firewalls book as a guide. I have two questions:
1) What are people's thoughts on this book? Are there any mistakes that people have found? Any suggestions in the sample rulesets that people might disagree with?
Dunno, haven't read it...
2) More to the point, Ziegler suggests setting the input, output, and forward default policies to DENY and then decide what to allow through. It has dawned on me that I can make my rules MUCH simpler by setting the output chain's default policy to ACCEPT and remove all of the output rules from the script since philosophically I don't have any interest or desire to limit what my family members do on the net. As long as I filter out incoming traffic that I deem dangerous, is there anything to fear from having the output default policy set to ACCEPT? Or am I missing something obvious?
Although a couple of folks have previously advised that a default ACCEPT policy on the output chain is "better", I tend to disagree. Of course, it's hard to argue against having a default DENY policy on the input/forward chains, but the reason for having that on the output is to increase your awareness of anything suspicious going on. For instance, I had a user-administered system sitting outside our firewall come up with an IRC robot due to a DNS-based crack. Of course, port 53 was allowed into the system so it could make DNS queries. However, if I'd suddenly seen port 6667 traffic trying to leave the system (the usual IRC port) I'd have known something funny was going on. Only after the box was turned into a skript-kiddie scanner and I received a few polite notifications did I realize there was a problem and take steps to rectify it.
Yes, having a default DENY on the output chain is a bit more work, but it also allows you to do a daily audit of possible problems. It all depends on your determined security stance.
-- Eric N. Valor Webmeister/Inetservices Lutris Technologies [EMAIL PROTECTED]
- This Space Intentionally Left Blank -
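As an added illustration of the reply's point (this is example code, not from the thread or from Ziegler's book): a minimal ipchains script for a 2.2 kernel that sets all three default policies to DENY, opens only DNS and outbound web, and logs (`-l`) everything else that tries to leave, plus a small helper that summarises the resulting kernel-log entries for the daily audit. The interface name, addresses and the "Packet log:" syslog format are assumptions; adjust them for your own box.

```shell
#!/bin/sh
# Example ipchains ruleset (added example, not the list's or Ziegler's own).
# Placeholders: external interface, the firewall's own address, one resolver.
EXTIF=eth0
IPADDR=192.168.1.2               # placeholder: this box's external address
NAMESERVER=192.168.1.1           # placeholder: your resolver
UNPRIV=1024:65535
IPCHAINS=${IPCHAINS:-ipchains}   # IPCHAINS=echo previews the rules instead of loading them

apply_rules() {
    $IPCHAINS -F
    # Default DENY on all three chains: nothing passes unless a rule allows it.
    $IPCHAINS -P input   DENY
    $IPCHAINS -P output  DENY
    $IPCHAINS -P forward DENY

    # Loopback is always allowed.
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT

    # DNS: queries out from unprivileged ports, replies back from port 53.
    $IPCHAINS -A output -i $EXTIF -p udp -s $IPADDR $UNPRIV -d $NAMESERVER 53 -j ACCEPT
    $IPCHAINS -A input  -i $EXTIF -p udp -s $NAMESERVER 53 -d $IPADDR $UNPRIV -j ACCEPT

    # Web browsing: new connections out, only non-SYN replies (! -y) back in.
    $IPCHAINS -A output -i $EXTIF -p tcp -s $IPADDR $UNPRIV -d 0/0 80 -j ACCEPT
    $IPCHAINS -A input  -i $EXTIF -p tcp ! -y -s 0/0 80 -d $IPADDR $UNPRIV -j ACCEPT

    # Everything else leaving the box is denied AND logged (-l), so an
    # unexpected flow such as tcp/6667 shows up in the kernel log instead
    # of silently going out. Unsolicited inbound is logged the same way.
    $IPCHAINS -A output -i $EXTIF -j DENY -l
    $IPCHAINS -A input  -i $EXTIF -j DENY -l
}

# Daily audit: count logged packets by chain and destination port.
# Assumes the 2.2 kernel line format
#   "Packet log: <chain> <target> <if> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
# $1 is the syslog file (default /var/log/messages).
audit_log() {
    grep 'Packet log:' "${1:-/var/log/messages}" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "log:") { chain = $(i+1); dst = $(i+6) }
               split(dst, a, ":"); c[chain " port " a[2]]++ }
             END { for (k in c) print c[k], k }' | sort -rn
}
```

Load it as root with `apply_rules`, preview with `IPCHAINS=echo apply_rules`, and run `audit_log` each morning to see what the DENY rules caught.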