Re: [gentoo-user] Is this firewall safe?

Fri, 24 Apr 2009 10:05:29 -0700 

Just a thought:

http://www.fwbuilder.org/

I like how it looks "a lot" like checkpoint's policy manager.

HTH,
Hazen.
On Fri, Apr 24, 2009 at 1:00 PM, Chris Frederick <cdf...@cdf123.net> wrote:

> Marco wrote:
> > Hi all,
> >
> > I set up my first firewall on my notebook (not running any services
> > reachable from outside) using iptables. Since I am new to the topic,
> > could you please verify if the output of 'iptables -L -v' is
> > considered to be a safe firewall? Thanks!
> >
>
> Hi Marco,
>
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP.  Unless you are doing
> routing on your laptop, there's no reason to have it.
>
> I would also get rid of the REJECT targets.  It's better to DROP
> instead.  If someone is scanning the network, and you start sending icmp
> rejections back, they will know you are there and may try other
> techniques to break through your defenses, but if you DROP and send
> nothing back, it will be much harder for them to see you at all.
>
> I would also re-write your INPUT chain to be a bit less verbose.
> Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target     prot opt in    out     source   destination
> ACCEPT     all  --  lo    any     anywhere anywhere
> ACCEPT     all  --  any   any     anywhere anywhere   state
> RELATED,ESTABLISHED
> LOG        all  --  any   any     anywhere anywhere   LOG level warning
> prefix `INPUT   '
>
> Everything else looks good from a security standpoint.  From a
> performance standpoint, you might want to add a line to the beginning of
> your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target     prot opt in     out     source   destination
> ACCEPT     all  --  any    lo      anywhere anywhere
> ACCEPT     all  --  any    any     anywhere anywhere  state
> RELATED,ESTABLISHED
> LOG        all  --  any    any     anywhere anywhere  LOG level warning
> prefix `OUTPUT  '
>
> This will log only NEW packets.  Otherwise you could end up with a lot
> of log output.
>
> After you run this for a while, go back and look through your logs and
> see if you have enough data there to change your OUTPUT chain to DROP,
> and only allow packets through to ports you actually use.  That's only
> if you're really paranoid though.
>
> Hope that helps.
>
> Chris
>
>


-- 
Hazen Valliant-Saunders
IT/IS Consultant
(613) 355-5977

Reply via email to