I've had at least one request to post this, so here it is: The firewall
script I'm using at home.  It requires some commentary:

  It implements a simple security policy: Allow maximum use of the Internet,
while offering the lowest risk of attack from the outside.  This is not the
appropriate policy for all situations, so do not blindly assume this is the
script you should use.  For example, many places will want to restrict
outgoing traffic; this script does not implement that.

  This script does not implement any kind of forwarding/routing.

  Now, the trickiest part of any stateless firewall (like IPCHAINS) is usually
DNS.  Most things use (or can be told to use) TCP.  Some things use UDP, but
at a fixed port (like ICQ).  Those you can all work with.  The resolver
library (the DNS "client", if you will), however, has to use an arbitrary,
unprivileged port.  DNS also really wants to use UDP.  Since UDP is stateless,
and the firewall is stateless, there is no easy way to tell a valid DNS reply
from an attack.

  Some people solve this problem by using a small number of outside DNS
forwarders, and allowing any packet in claiming to be from port 53 of those
servers.  In reality, for present day, this is likely "good enough" for many
people.  It also is very easy to implement.  However, it does open up a
potential vulnerability.  An attacker could forge a packet claiming to be from
one of your name servers, from port 53.  The firewall will let that through to
any listening program.

  One solution to this is to run a stateful firewall.  The 2.4 kernel's
IPTABLES is such a firewall.  But the 2.4 kernel has some serious stability
issues, which makes it ill-suited for my needs.

  My solution is to run an internal DNS server.  The client is configured to
ask the local DNS, which then forwards the queries to my ISP's name servers.  
I can configure the name server to listen on a fixed port, and configure the
firewall to only allow DNS replies in to that port.  This also provides DNS
caching, which can be a bonus on the slow dialup link I have at home.

  Of course, if a vulnerability is discovered in my DNS server, I am open to
attack in that way.  Thus it is critical that I keep the DNS server as secure
as possible.  I make sure I am using a current version with no known holes.
I also run the nameserver as an unprivileged process in a chroot jail.

  To do this, I am using ISC BIND's named, mainly because I've already put
together a working locked-down configuration for it.  Others may want to check
out DJB's "dnscache" program, which comes pre-configured to run this way.
However, it is not Open Source, which may bother some people.  Your call.

  I also make sure I keep the network software I run up to date.  Web
browsers, chat programs, FTP clients, anything that makes a connection to the
outside world may be subverted by malicious content.  A firewall is but one
part of keeping your system secure.

  I am sure others here have their own scripts, or their own techniques.  Or
perhaps they have comments on my own implementation.  I would like to
encourage people to speak up on this topic; it is highly relevant and useful
to a large number of people.

  Good luck!

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |

firewall-internal-named.sh
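The following is an added illustration of the input policy the post describes (stateless ipchains, internal caching named bound to a fixed query port); it is not the author's firewall-internal-named.sh and is not taken from it. The ppp0 interface, the TEST-NET resolver addresses and query port 5353 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the author's script.  Interface, resolver addresses and
# the query port are assumptions; adjust to your own setup.
IPCHAINS="${IPCHAINS:-ipchains}"            # set IPCHAINS=echo to preview rules
EXT_IF="${EXT_IF:-ppp0}"                    # dialup interface (assumed)
ISP_NS="${ISP_NS:-192.0.2.53 192.0.2.54}"   # ISP forwarders (TEST-NET placeholders)
QPORT="${QPORT:-5353}"                      # named's fixed query-source port (assumed)

# named.conf needs the matching line in its options block so that every
# outgoing query leaves from QPORT and replies can only come back to it:
#   query-source address * port 5353;

apply_rules() {
    $IPCHAINS -F input
    $IPCHAINS -P input DENY                      # default: drop unsolicited input
    $IPCHAINS -A input -i lo -j ACCEPT           # loopback, incl. client -> local named
    # TCP: only non-SYN segments come in, i.e. packets belonging to connections
    # this host opened.  Inbound connection attempts (SYN) fall through to DENY.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # UDP DNS replies: only from port 53 of the configured forwarders, and only
    # to the port named queries from.  Nothing else listens on QPORT, so a
    # forged "port 53" packet cannot reach an arbitrary listening program.
    for ns in $ISP_NS; do
        $IPCHAINS -A input -i "$EXT_IF" -p udp -s "$ns" 53 -d 0/0 "$QPORT" -j ACCEPT
    done
    # ICMP is needed for path MTU discovery and error reporting on a PPP link.
    $IPCHAINS -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # Log whatever reaches the end of the chain before the policy denies it.
    $IPCHAINS -A input -i "$EXT_IF" -l -j DENY
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPCHAINS=echo; apply_rules ;;
esac
```

Run with `show` to print the rules without touching the kernel, and `apply` (as root, on a 2.2 kernel with ipchains) to install them.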
