I haven't (yet) set up a Linux firewall, but when I was doing Ciscos, & doing
security, the basic rules of setup were:
1. Never run anything except the firewall software on the firewall.
2. First, deny EVERYTHING. This enables you to have the default rule of
nothing, and confirm you've turned everything off.
3. Turn logging on, preferably through a one-way connection.
4. One service at a time, turn on what you want to allow through. One at a
time so you can check each one, ensure that it does what you want.
5. When you've got the setup you want, burn a copy of it, to allow you to
restore.
jeff smith
"Karl J. Runge" <[EMAIL PROTECTED]> on 03/21/2000 12:34:09 PM
To: [EMAIL PROTECTED]
cc: (bcc: Jeffry Smith/CORP/HPHC)
Subject: Re: Home Network
Hi Rich,
On Tue, 21 Mar 2000, Rich Payne <[EMAIL PROTECTED]> wrote:
> Yup, FWIW I actually run IMAP on my firewall box, however I've told
> ipchains not to allow any external connections on that port. So Imap/pop
> are usable inside the house, but nobody on the outside can get to them.
Yes, I do similar things (including rsh!).
I guess what I am advocating/emphasizing (not to you, but to people
considering setting up a home LAN + firewall) is to make sure the
*default* is to deny all incoming TCP connections.
More specifically, for an incoming packet on ANY port: if proto=TCP and SYN=1
then deny the packet. (except, possibly, for a handful of services you want
to provide to the internet, which are explicitly allowed in earlier rules)
Extra protection may be added to the sensitive ports (or even all < 1024)
for incoming packets with proto=TCP and SYN=0.
Just my $0.02.
Karl Runge
BTW, to define terms: the SYN bit in a tcp packet is set to 1 for the
first packet establishing the connection, and then is 0 for the rest of
the connection. I believe it is short for "synchronize" the bytes'
sequence counters.
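The two policies in this thread (Jeff's "deny everything first, then open one service at a time" and Karl's "deny any incoming TCP SYN on the external interface except a handful of explicitly allowed services, plus extra protection for non-SYN packets to ports below 1024") are really a statement about rule ordering in a first-match, stateless filter. The following is an added example, not code from either poster and not an ipchains invocation: a tiny first-match packet filter in Python that evaluates constructed packets against that ordering. The interface name `eth0`, the exposed service set (TCP/22 only), and the packet shapes are assumptions made for the example; the "new connection" test is SYN set with ACK clear, which is how a SYN-only match is usually defined so that the SYN+ACK replies to our own outbound connections are not caught by the deny rule.

```python
"""Added example (not from the GNHLUG thread): a first-match packet filter
that expresses the default-deny-incoming-SYN policy discussed above.

Assumptions (not in the original mails): the Internet-facing interface is
'eth0', everything else is the inside LAN, and the only service deliberately
offered to the Internet is SSH on TCP/22. Packets are hand-built dataclass
instances; nothing touches real sockets or ipchains.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    syn: bool = False   # TCP SYN flag: set only on the first packet of a connection
    ack: bool = False   # TCP ACK flag: set on every packet after the initial SYN


EXTERNAL_IFACE = "eth0"     # assumption: the interface facing the Internet
EXPOSED_TCP_PORTS = {22}    # assumption: Karl's "handful of services" is just SSH


def is_external(p: Packet) -> bool:
    return p.iface == EXTERNAL_IFACE


def is_new_tcp_connection(p: Packet) -> bool:
    # "SYN=1" in the mail; in practice SYN set *and* ACK clear, so that the
    # SYN+ACK replies to our own outbound connections are not treated as new.
    return p.proto == "tcp" and p.syn and not p.ack


# Rule table: (description, predicate, verdict). First match wins, exactly
# like a chain of ipchains/iptables rules, so ORDER is the whole policy.
Rule = Tuple[str, Callable[[Packet], bool], str]

RULES: List[Rule] = [
    # 1. Explicit allows for the few services we choose to expose. These must
    #    come BEFORE the general deny, or they are never reached.
    ("allow exposed service",
     lambda p: is_external(p) and is_new_tcp_connection(p)
               and p.dport in EXPOSED_TCP_PORTS,
     "ACCEPT"),
    # 2. Karl's default: any other incoming TCP connection attempt is denied.
    ("deny incoming TCP SYN",
     lambda p: is_external(p) and is_new_tcp_connection(p),
     "DENY"),
    # 3. Extra protection: non-SYN TCP from outside aimed at privileged ports.
    #    Replies to our own connections arrive on high ports, so this does
    #    not break outbound traffic.
    ("deny non-SYN TCP to ports < 1024",
     lambda p: is_external(p) and p.proto == "tcp" and not p.syn
               and p.dport < 1024,
     "DENY"),
]

# What is left: inside-LAN traffic and the reply halves of our own outbound
# connections on high ports. A stateless filter has no other way to let
# those replies through.
DEFAULT_VERDICT = "ACCEPT"


def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (verdict, matched-rule description); the description is what
    you would write to the log Jeff recommends keeping."""
    for desc, pred, verdict in RULES:
        if pred(p):
            return verdict, desc
    return DEFAULT_VERDICT, "default policy"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed sample traffic and the verdict each packet receives."""
    samples = [
        ("ssh SYN from Internet",        Packet("eth0", "tcp", 22, syn=True)),
        ("imap SYN from Internet",       Packet("eth0", "tcp", 143, syn=True)),
        ("imap SYN from inside LAN",     Packet("eth1", "tcp", 143, syn=True)),
        ("SYN+ACK reply to our outbound", Packet("eth0", "tcp", 40000, syn=True, ack=True)),
        ("ACK-only probe of smtp port",  Packet("eth0", "tcp", 25, ack=True)),
        ("ACK data on our high port",    Packet("eth0", "tcp", 40000, ack=True)),
    ]
    results = []
    for label, pkt in samples:
        verdict, rule = filter_packet(pkt)
        results.append((label, verdict))
        print(f"{label:32s} -> {verdict:6s} ({rule})")
    return results


if __name__ == "__main__":
    run_demo()
```

Two things the table makes visible that the prose only implies: the explicit allow for SSH has to sit above the SYN deny or it is dead code, and the "SYN=0 to ports below 1024" rule is what stops a packet with only ACK set from reaching an internal-only service such as the IMAP daemon Rich mentions, while still letting the reply half of the household's own outbound connections through on high ports.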
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************