Also, it seems that if I only allow RELATED and ESTABLISHED on OUTPUT I cannot access the internet: 90 percent of packets get dropped when I try to connect to anything. Allowing NEW and ESTABLISHED allows connections... but also any software would be able to call home.
On Mon, May 23, 2016 at 5:28 PM, Ralph Sanchez <rwsanch...@gmail.com> wrote:
> Thanks for the clarification : ) And you didn't confuse the two
> explicitly, but I wasn't sure if you were advising allow NEW,RELATED /
> NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I
> know.
>
> I have read through quite a few manuals and online forums, although no
> RFCs... I'm not really sure I know what they are, even, haha. I have
> configured myself pretty well, editing PAM and my sysctl.conf file
> rigorously, BIOS passwording and denying USB boots without admin
> access to the BIOS, as well as other various activities including
> attempting to configure SELinux, which is nigh impossible to do and
> have it have any effect on Jessie right now, at least as far as me and
> someone else could find.
>
> I have noticed that DROP on INVALID first actually drops more packets
> than simply allowing ESTABLISHED,RELATED... does this imply a packet
> can have more than one state??
>
> On Mon, May 23, 2016 at 5:20 PM, Einhard Leichtfuß <e...@respiranto.de> wrote:
>> On 2016-05-23 22:32, Ralph Sanchez wrote:
>>> On Mon, May 23, 2016 at 4:13 PM, <deb...@respiranto.de> wrote:
>>>> On 2016-05-23 19:54, Ralph Sanchez wrote:
>>>>> Yes, this is a personal laptop. If you notice, I have default POLICY
>>>>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>>>>> accept HTTPS and HTTP, correct? I'm still learning how all this works,
>>>>> but that's what it seemed to me and was explained in other guides and
>>>>> tutorials I needed to do. And if I don't ACCEPT there, I don't get any
>>>>> web pages whatsoever, so.
>>>> Whenever you perform an HTTP(S) request, the response should be treated
>>>> as RELATED, hence allowing all RELATED inbound traffic should suffice.
>>>
>>> So, would it be better to not base any outgoing connections on
>>> stateful connections and simply just allow it via port, since either
>>> way the port is going to allow both wanted traffic and possible
>>> subversion, if malicious software passed the input? Or maybe put the
>>> 443 ACCEPT before the stateful filtering, and only allow ESTABLISHED
>>> state?
>> As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in-
>> and outbound connections. I might have mixed up RELATED and ESTABLISHED
>> a little in the former emails, by the way. Apart from that, you may
>> block as much as you want. And I would suggest blocking any other INPUT
>> (except for icmp (possibly partly) and lo). But again, if you really
>> want to secure your box, take the time to thoroughly read a few manuals
>> and possibly even a few RFCs.
>>>
>>>
>>>>> Thanks for the advice on NEW, I haven't seen much said about it so
>>>>> I'll take that advice and just enable RELATED as well, considering
>>>>> that solves the biggest problem I had as far as still accessing the
>>>>> web.
>>>>>
>>>>> And as far as blocking outbound, I just don't see any reason to allow
>>>>> any more data in or out at any moment than is absolutely needed, and
>>>>> it should help mitigate some malicious software calling home even if
>>>>> it does get through into my system.
>>>> It could still connect via 80,443. However, you are right, your setup
>>>> will block those malicious pieces of software that do not try to use
>>>> those (and that do not gain root rights).
>>>
>>> Yeah, I wasn't sure whether I should leave those options in or just go
>>> off stateful... see previous statement. Also, if something gains root
>>> rights in my system, then I've got more problems than a faulty
>>> firewall.
>>>
>>>>> Thanks for the reading, that's where I'm heading now : )
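As an added example (not from this thread or any of its participants), here is the ruleset Einhard's advice amounts to: ESTABLISHED,RELATED accepted both ways, INVALID dropped first, and outbound NEW restricted to the ports actually needed, which is exactly what the "90 percent of packets get dropped" symptom above is missing, since the first SYN of every connection you start is NEW. It assumes iptables with the conntrack match and adds port 53, which the thread does not mention, because nothing resolves without DNS; the IPT variable is mine, so `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables ruleset for a laptop.
# IPT defaults to iptables; set IPT=echo to print the rules instead of loading.
IPT="${IPT:-iptables}"

apply_rules() {
    # Flush, then default to DROP on every chain so only listed traffic passes.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: much local software talks to itself over lo.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # INVALID first: packets conntrack cannot tie to any connection (stray
    # RSTs, bad flag combinations). A packet has exactly one conntrack state,
    # so this only removes what ESTABLISHED,RELATED would never have accepted.
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP

    # Replies to connections we opened (ESTABLISHED) and helper-linked flows
    # such as ICMP errors (RELATED). No inbound NEW is accepted anywhere.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rate-limited ping so the box is still diagnosable.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # The first packet of any connection we start is NEW; with only the two
    # rules above on OUTPUT every SYN dies here. Allow NEW just for DNS (assumed
    # needed: nothing resolves without it), HTTP and HTTPS; log the rest so
    # call-home attempts by other software are visible in the kernel log.
    $IPT -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT-DROP: "
}

# Load the rules only when asked explicitly: ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as root with `apply` to load the rules; run it with `IPT=echo` first and check that the only NEW lines are on OUTPUT and name the ports you intend.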