Re: [gentoo-user] Is this firewall safe?
On Fri, 2009-04-24 at 16:28 -0500, Chris Frederick wrote:
> Now I'm also keeping in mind that you are on a laptop with no remote services. If you start allowing services, then that will change things. If clients are going to be connecting to you for certain services, you should be more accommodating to them and play nice with the network where possible.

I think you're right. I often tend to think in my server/network admin ways. For a notebook - possibly connecting to unknown, public networks, it may be a good idea to stay hidden.

> <segway>
> I would recommend running nmap in crontab if you want to scan your network (look up ndiff on nmap's website).
> </segway>

Oh cool - I didn't know about ndiff. Fetching nmap from SVN now... :)

What does segway mean? I just found a personal transporter thingy online...

> P.S. Daniel, no offense taken. I enjoy these debates, it helps us think differently and learn new tricks. If we are not challenged once in a while we get complacent, and that's typically when we start making mistakes.

nice :)

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Re: [gentoo-user] Is this firewall safe?
Marco wrote:
> On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin freak4u...@gmail.com wrote:
>> Marco wrote:
>>> Hi all,
>>>
>>> I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!
>>>
>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>>  pkts bytes target  prot opt in     out    source     destination
>>>     0     0 ACCEPT  all  --  lo     any    anywhere   anywhere
>>>     0     0 ACCEPT  all  --  eth0   any    anywhere   anywhere   state RELATED,ESTABLISHED
>>>     0     0 REJECT  tcp  --  eth0   any    anywhere   anywhere   reject-with tcp-reset
>>>     0     0 REJECT  udp  --  eth0   any    anywhere   anywhere   reject-with icmp-port-unreachable
>>>     0     0 DROP    udp  --  eth0   any    anywhere   anywhere   udp spt:bootps
>>>     0     0 LOG     all  --  eth0   any    anywhere   anywhere   LOG level warning prefix `INPUT '
>>>     1    79 ACCEPT  all  --  wlan0  any    anywhere   anywhere   state RELATED,ESTABLISHED
>>>     0     0 REJECT  tcp  --  wlan0  any    anywhere   anywhere   reject-with tcp-reset
>>>     0     0 REJECT  udp  --  wlan0  any    anywhere   anywhere   reject-with icmp-port-unreachable
>>>     0     0 DROP    udp  --  wlan0  any    anywhere   anywhere   udp spt:bootps
>>>     0     0 LOG     all  --  wlan0  any    anywhere   anywhere   LOG level warning prefix `INPUT '
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>  pkts bytes target  prot opt in     out    source     destination
>>>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>>>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>>>
>>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>>>  pkts bytes target  prot opt in     out    source     destination
>>>     0     0 ACCEPT  all  --  any    lo     anywhere   anywhere
>>>     0     0 LOG     all  --  any    eth0   anywhere   anywhere   LOG level warning prefix `OUTPUT '
>>>     1    52 LOG     all  --  any    wlan0  anywhere   anywhere   LOG level warning prefix `OUTPUT '
>
> <snip>
>
> Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks...
>
> Talking about the 1 log line at the bottom you mean I should configure it to not specify an interface (eth0, wlan0)? Thanks!

Yeah, not specifying an interface for the log rule to apply to will make it catch all interfaces (including lo, but all traffic has already been approved ahead of time so it won't catch).
Re: [gentoo-user] Is this firewall safe?
On Monday 27 April 2009 20:56:07 Daniel Troeder wrote:
>> <segway>
>> I would recommend running nmap in crontab if you want to scan your network (look up ndiff on nmap's website).
>> </segway>
>
> Oh cool - I didn't know about ndiff. Fetching nmap from SVN now... :)
>
> What does segway mean? I just found a personal transporter thingy online...

It's a typo, should have been segue which according to Wikipedia[1] means

  A segue is a smooth transition from one topic or section to the next.

[1] http://en.wikipedia.org/wiki/Segue

--
alan dot mckinnon at gmail dot com
[gentoo-user] Is this firewall safe?
Hi all,

I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 ACCEPT  all  --  lo     any    anywhere   anywhere
    0     0 ACCEPT  all  --  eth0   any    anywhere   anywhere   state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  eth0   any    anywhere   anywhere   reject-with tcp-reset
    0     0 REJECT  udp  --  eth0   any    anywhere   anywhere   reject-with icmp-port-unreachable
    0     0 DROP    udp  --  eth0   any    anywhere   anywhere   udp spt:bootps
    0     0 LOG     all  --  eth0   any    anywhere   anywhere   LOG level warning prefix `INPUT '
    1    79 ACCEPT  all  --  wlan0  any    anywhere   anywhere   state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  wlan0  any    anywhere   anywhere   reject-with tcp-reset
    0     0 REJECT  udp  --  wlan0  any    anywhere   anywhere   reject-with icmp-port-unreachable
    0     0 DROP    udp  --  wlan0  any    anywhere   anywhere   udp spt:bootps
    0     0 LOG     all  --  wlan0  any    anywhere   anywhere   LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
    0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 ACCEPT  all  --  any    lo     anywhere   anywhere
    0     0 LOG     all  --  any    eth0   anywhere   anywhere   LOG level warning prefix `OUTPUT '
    1    52 LOG     all  --  any    wlan0  anywhere   anywhere   LOG level warning prefix `OUTPUT '
Re: [gentoo-user] Is this firewall safe?
Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target  prot opt in     out    source     destination
>     0     0 ACCEPT  all  --  lo     any    anywhere   anywhere
>     0     0 ACCEPT  all  --  eth0   any    anywhere   anywhere   state RELATED,ESTABLISHED
>     0     0 REJECT  tcp  --  eth0   any    anywhere   anywhere   reject-with tcp-reset
>     0     0 REJECT  udp  --  eth0   any    anywhere   anywhere   reject-with icmp-port-unreachable
>     0     0 DROP    udp  --  eth0   any    anywhere   anywhere   udp spt:bootps
>     0     0 LOG     all  --  eth0   any    anywhere   anywhere   LOG level warning prefix `INPUT '
>     1    79 ACCEPT  all  --  wlan0  any    anywhere   anywhere   state RELATED,ESTABLISHED
>     0     0 REJECT  tcp  --  wlan0  any    anywhere   anywhere   reject-with tcp-reset
>     0     0 REJECT  udp  --  wlan0  any    anywhere   anywhere   reject-with icmp-port-unreachable
>     0     0 DROP    udp  --  wlan0  any    anywhere   anywhere   udp spt:bootps
>     0     0 LOG     all  --  wlan0  any    anywhere   anywhere   LOG level warning prefix `INPUT '
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target  prot opt in     out    source     destination
>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>  pkts bytes target  prot opt in     out    source     destination
>     0     0 ACCEPT  all  --  any    lo     anywhere   anywhere
>     0     0 LOG     all  --  any    eth0   anywhere   anywhere   LOG level warning prefix `OUTPUT '
>     1    52 LOG     all  --  any    wlan0  anywhere   anywhere   LOG level warning prefix `OUTPUT '

It all depends on what you're trying to do. My internet facing boxes have a default OUTPUT policy of DROP and I only allow certain traffic off of the box (helps protect me from unauthorized services).

Also, you're dropping bootps (same ports as dhcp) on udp so I don't think you can get a dhcp address like that. If you're running any services you won't be able to talk to them (ssh). Turn off forwarding in the kernel config (via /etc/sysctl.conf) as well.

It also took me a few runs to figure out the firewall config (due to the rules and formatting). The last two output rules can be combined into one. Have 1 log line at the bottom of your tables and that will take care of that. Clean and short configs will help immensely when things don't work.
Re: [gentoo-user] Is this firewall safe?
Marco wrote:
> Hi all,
>
> I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!

Hi Marco,

Your firewall looks good, but I would change a few things.

First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it.

I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all.

I would also re-write your INPUT chain to be a bit less verbose. Something like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
target  prot opt in     out    source     destination
ACCEPT  all  --  lo     any    anywhere   anywhere
ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `INPUT '

Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this:

Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
target  prot opt in     out    source     destination
ACCEPT  all  --  any    lo     anywhere   anywhere
ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `OUTPUT '

This will log only NEW packets. Otherwise you could end up with a lot of log output.

After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though.

Hope that helps.

Chris
Re: [gentoo-user] Is this firewall safe?
Just a thought: http://www.fwbuilder.org/

I like how it looks a lot like checkpoint's policy manager.

HTH,
Hazen.

On Fri, Apr 24, 2009 at 1:00 PM, Chris Frederick cdf...@cdf123.net wrote:
> Marco wrote:
>> Hi all,
>>
>> I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!
>
> Hi Marco,
>
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it.
>
> I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all.
>
> I would also re-write your INPUT chain to be a bit less verbose. Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target  prot opt in     out    source     destination
> ACCEPT  all  --  lo     any    anywhere   anywhere
> ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
> LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `INPUT '
>
> Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target  prot opt in     out    source     destination
> ACCEPT  all  --  any    lo     anywhere   anywhere
> ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
> LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `OUTPUT '
>
> This will log only NEW packets. Otherwise you could end up with a lot of log output.
>
> After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though.
>
> Hope that helps.
>
> Chris

--
Hazen Valliant-Saunders
IT/IS Consultant
(613) 355-5977
Re: [gentoo-user] Is this firewall safe?
On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all.

While all that is correct, I would also consider it bad network behavior (no offense intended). It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP. Probably it will never be a problem for you, but it could be a problem for a network administrator.

Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :)

On a (not so) different topic: If you're going to make your firewall more complex (more services, or other stuff), I'd suggest to use a widely used firewall script. That is more secure than writing your own firewall configuration, because in the long run it will be better maintainable (and they often also do smart stuff(TM) ;)

My recommendation is net-firewall/shorewall. It has a well balanced abstraction/granularity-ratio, and the produced iptable-rules are still readable :)

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin freak4u...@gmail.com wrote:
> Marco wrote:
>> Hi all,
>>
>> I set up my first firewall on my notebook (not running any services reachable from outside) using iptables. Since I am new to the topic, could you please verify if the output of 'iptables -L -v' is considered to be a safe firewall? Thanks!
>>
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in     out    source     destination
>>     0     0 ACCEPT  all  --  lo     any    anywhere   anywhere
>>     0     0 ACCEPT  all  --  eth0   any    anywhere   anywhere   state RELATED,ESTABLISHED
>>     0     0 REJECT  tcp  --  eth0   any    anywhere   anywhere   reject-with tcp-reset
>>     0     0 REJECT  udp  --  eth0   any    anywhere   anywhere   reject-with icmp-port-unreachable
>>     0     0 DROP    udp  --  eth0   any    anywhere   anywhere   udp spt:bootps
>>     0     0 LOG     all  --  eth0   any    anywhere   anywhere   LOG level warning prefix `INPUT '
>>     1    79 ACCEPT  all  --  wlan0  any    anywhere   anywhere   state RELATED,ESTABLISHED
>>     0     0 REJECT  tcp  --  wlan0  any    anywhere   anywhere   reject-with tcp-reset
>>     0     0 REJECT  udp  --  wlan0  any    anywhere   anywhere   reject-with icmp-port-unreachable
>>     0     0 DROP    udp  --  wlan0  any    anywhere   anywhere   udp spt:bootps
>>     0     0 LOG     all  --  wlan0  any    anywhere   anywhere   LOG level warning prefix `INPUT '
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in     out    source     destination
>>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>>     0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '
>>
>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>>  pkts bytes target  prot opt in     out    source     destination
>>     0     0 ACCEPT  all  --  any    lo     anywhere   anywhere
>>     0     0 LOG     all  --  any    eth0   anywhere   anywhere   LOG level warning prefix `OUTPUT '
>>     1    52 LOG     all  --  any    wlan0  anywhere   anywhere   LOG level warning prefix `OUTPUT '
>
> It all depends on what you're trying to do. My internet facing boxes have a default OUTPUT policy of DROP and I only allow certain traffic off of the box (helps protect me from unauthorized services).
>
> Also, you're dropping bootps (same ports as dhcp) on udp so I don't think you can get a dhcp address like that. If you're running any services you won't be able to talk to them (ssh). Turn off forwarding in the kernel config (via /etc/sysctl.conf) as well.

I am dropping bootps to not have my log file flooding due to the DHCP server in my wireless router (as suggested in www.novell.com/coolsolutions/feature/18139.html). As it seems I still get a dynamic ip from it.

So far, I am not running any services that have to be exposed to the outside.

> It also took me a few runs to figure out the firewall config (due to the rules and formatting). The last two output rules can be combined into one. Have 1 log line at the bottom of your tables and that will take care of that. Clean and short configs will help immensely when things don't work.

Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks...

Talking about the 1 log line at the bottom you mean I should configure it to not specify an interface (eth0, wlan0)? Thanks!
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick cdf...@cdf123.net wrote:
> Marco wrote:
> [...]
>
> Your firewall looks good, but I would change a few things.
>
> First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it.

My thought here was to be able to perform some network maintenance task using wireshark. I have forwarding disabled normally and I could just 'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is there anything unsafe about this setup?

> I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all.

I was following http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml in section 'Handling rejection' of the article. I guess this is kind of a philosophical question here...

> I would also re-write your INPUT chain to be a bit less verbose. Something like this:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> target  prot opt in     out    source     destination
> ACCEPT  all  --  lo     any    anywhere   anywhere
> ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
> LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `INPUT '

So basically not distinguishing between the external interfaces (eth0, wlan0)?

> Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this:
>
> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
> target  prot opt in     out    source     destination
> ACCEPT  all  --  any    lo     anywhere   anywhere
> ACCEPT  all  --  any    any    anywhere   anywhere   state RELATED,ESTABLISHED
> LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `OUTPUT '
>
> This will log only NEW packets. Otherwise you could end up with a lot of log output.

That makes sense!

> After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though.

Kind of paranoid, yes ;-)

[...]

Thanks for the tips!

--
Regards,
Marco
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:05 PM, Hazen Valliant-Saunders haze...@gmail.com wrote:
> Just a thought: http://www.fwbuilder.org/

I've seen fwbuilder already. I thought since I only need a simple firewall, I probably make the thing worse if I don't really know how to use the tool. And learning iptables is a good thing I guess. In case I'd have to set up some servers, I would of course reconsider fwbuilder.

--
Regards,
Marco
Re: [gentoo-user] Is this firewall safe?
Hello again,

I took your considerations into account and changed my settings. Could you please have a look again at the output of 'iptables -L -v' (in the attachment for better formatting)? Thanks a lot!

--
Best regards,
Marco

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 ACCEPT  all  --  lo     any    anywhere   anywhere
   30 18812 ACCEPT  all  --  !lo    any    anywhere   anywhere   state RELATED,ESTABLISHED
    0     0 REJECT  tcp  --  !lo    any    anywhere   anywhere   reject-with tcp-reset
    0     0 REJECT  udp  --  !lo    any    anywhere   anywhere   reject-with icmp-port-unreachable
    0     0 LOG     all  --  !lo    any    anywhere   anywhere   LOG level warning prefix `INPUT '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 LOG     all  --  any    any    anywhere   anywhere   LOG level warning prefix `FORWARD '

Chain OUTPUT (policy ACCEPT 33 packets, 6039 bytes)
 pkts bytes target  prot opt in     out    source     destination
    0     0 ACCEPT  all  --  any    lo     anywhere   anywhere
   33  6039 LOG     all  --  any    !lo    anywhere   anywhere   LOG level warning prefix `OUTPUT '
Re: [gentoo-user] Is this firewall safe?
On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote:
> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
> [...]
>
> While all that is correct, I would also consider it bad network behavior (no offense intended).

So you consider my 'reject-with' settings to be good practice?

> It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP.

I was not really sure how to configure ICMP (ping) correctly. Any input appreciated!

> Probably it will never be a problem for you, but it could be a problem for a network administrator.
>
> Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :)

You mean as the default policy?

> On a (not so) different topic: If you're going to make your firewall more complex (more services, or other stuff), I'd suggest to use a widely used firewall script. That is more secure than writing your own firewall configuration, because in the long run it will be better maintainable (and they often also do smart stuff(TM) ;)
>
> My recommendation is net-firewall/shorewall. It has a well balanced abstraction/granularity-ratio, and the produced iptable-rules are still readable :)

This is considered to be my learning example. Later I will definitely consider using shorewall (learning one thing at a time). Thanks!

--
Regards,
Marco
Re: [gentoo-user] Is this firewall safe?
On Fri, 2009-04-24 at 18:40 +, Marco wrote:
> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote:
>> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
>> [...]
>>
>> While all that is correct, I would also consider it bad network behavior (no offense intended).
>
> So you consider my 'reject-with' settings to be good practice?

Yes :)

>> It feels like security through obscurity. It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP.
>
> I was not really sure how to configure ICMP (ping) correctly. Any input appreciated!

That is really difficult, because ICMP is a family of lots of protocols, from which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on...

I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different.

>> Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :)
>
> You mean as the default policy?

Yes, and also everywhere you use DROP. It's just, that you'll have to wait less for timeouts, when connecting to a closed port.

If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation.

Bye,
Daniel
Re: [gentoo-user] Is this firewall safe?
Daniel Troeder wrote:
> On Fri, 2009-04-24 at 18:40 +, Marco wrote:
>> On Fri, Apr 24, 2009 at 5:23 PM, Daniel Troeder dan...@admin-box.com wrote:
>>> On Fri, 2009-04-24 at 12:00 -0500, Chris Frederick wrote:
>>> [...]
>>>
>>> While all that is correct, I would also consider it bad network behavior (no offense intended).
>>
>> So you consider my 'reject-with' settings to be good practice?
>
> Yes :)

I'll have to agree and disagree with Daniel on this point. I agree that it is bad network behavior, but the people we are trying to keep out don't stick to using good network behavior, so why should we? There's a number of dirty tricks people use to circumvent firewalls/networks, and I strongly believe that it is better to hide your presence as best as you can on a network.

Now I'm also keeping in mind that you are on a laptop with no remote services. If you start allowing services, then that will change things. If clients are going to be connecting to you for certain services, you should be more accommodating to them and play nice with the network where possible. This is more of a personal preference thing.

>>> It feels like security through obscurity.

I agree that it is security through obscurity, but that's not a bad thing. Relying on security through obscurity for protection is a bad thing, but adding a layer of obscurity over a defense in depth strategy is not.

>>> It may hamper the well-working of a TCP/IP network, as that relies heavily on ICMP.

On a server level, yes. But this is a client with no active/accessible services. A server shouldn't rely on ICMP from a client, but the ICMP packets from the server will be picked up by the RELATED flag on the second rule, allowing the client to see the ICMP error from the server.

>> I was not really sure how to configure ICMP (ping) correctly. Any input appreciated!
>
> That is really difficult, because ICMP is a family of lots of protocols, from which ping is just one. Others are important too, like telling routers/hosts about network congestion, and so on...
>
> I don't feel competent enough to give directions. I do always allow ping, as this is needed in a server environment to check for uptime, but your case may be different.

I agree with Daniel again. Unless you know what you are doing, blocking ICMP is just going to cause problems. And I would argue that iptables is not the tool to use, even if you know what you are doing. If you really want to filter your ICMP packets, look to /proc/sys/net/ipv4/. The kernel will give you some nice options that are a lot safer than an iptables rule.

>>> Also: if you wish to scan (nmap) yourself to check your system (configuration), you'll wish for REJECT instead of DROP :)
>>
>> You mean as the default policy?
>
> Yes, and also everywhere you use DROP. It's just, that you'll have to wait less for timeouts, when connecting to a closed port.

<segway>
I would recommend running nmap in crontab if you want to scan your network (look up ndiff on nmap's website).
</segway>

> If you decide to go with DROP, then you could make it globally switchable in your script, to change between testing and production environment/situation.

This is great advice. You may not benefit much from it now with this small script, but as it grows, you really want to keep this in mind. If you modularize your tables, you can turn them on and off with a single insert/delete rather than trying to insert/delete large blocks from the rules, or worse, reloading the whole rule set.

Chris

P.S. Daniel, no offense taken. I enjoy these debates, it helps us think differently and learn new tricks. If we are not challenged once in a while we get complacent, and that's typically when we start making mistakes.
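The advice in this thread pulled together as one script: Chris's shorter chains (loopback accepted, one RELATED,ESTABLISHED accept per chain in front of a single LOG rule so only NEW packets are logged, FORWARD policy DROP) and the globally switchable REJECT/DROP that Daniel suggests and Chris endorses in the message above. This is an added example of my own, not a script anyone posted in the thread; it assumes the loopback device is lo, that no service is exposed, and that DHCP chatter from the router should be dropped before logging as in Marco's table, and the function names gen_rules, unsolicited_rules and apply_rules are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the iptables commands for a
# laptop with no exposed services and lets you flip between:
#   testing    - unsolicited packets get REJECT, so an nmap self-scan or a
#                connect to a closed port answers at once (Daniel's point)
#   production - unsolicited packets fall through to the DROP policy and the
#                host stays silent (Chris's point)
# Assumptions: loopback is "lo"; "! -i lo" replaces the per-interface
# eth0/wlan0 copies of every rule.
#
# Usage: sh fw.sh show  [testing|production]   print the commands
#        sh fw.sh apply [testing|production]   run them (as root)

# unsolicited_rules MODE: rules for packets that are neither loopback nor part
# of a known connection. They come AFTER the LOG rule, so every probe is
# logged in both modes; in production nothing is emitted and the INPUT
# policy (DROP) discards the packet silently.
unsolicited_rules() {
  case "$1" in
    testing)
      echo 'iptables -A INPUT ! -i lo -p tcp -j REJECT --reject-with tcp-reset'
      echo 'iptables -A INPUT ! -i lo -p udp -j REJECT --reject-with icmp-port-unreachable'
      ;;
    production)
      : # nothing: let the chain policy drop it
      ;;
    *)
      echo "fw: unknown mode '$1' (use testing or production)" >&2
      return 1
      ;;
  esac
}

# gen_rules MODE: print one iptables command per line, in load order.
gen_rules() {
  mode="${1:-production}"
  # Validate the mode before printing anything, so a typo cannot leave the
  # host with a half-loaded ruleset when the output is piped into a shell.
  unsolicited_rules "$mode" >/dev/null || return 1
  cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT ! -i lo -p udp --sport bootps -j DROP
iptables -A INPUT -j LOG --log-level warning --log-prefix "INPUT "
EOF
  unsolicited_rules "$mode"
  cat <<'EOF'
iptables -A FORWARD -j LOG --log-level warning --log-prefix "FORWARD "
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-level warning --log-prefix "OUTPUT "
EOF
}

# apply_rules MODE: feed the commands to a shell that stops at the first
# failure, so an error leaves a visible exit status instead of a partial load.
apply_rules() {
  gen_rules "$1" | sh -e
}

case "${1:-}" in
  show)  gen_rules "${2:-production}" ;;
  apply) apply_rules "${2:-production}" ;;
esac
```

The bootps DROP sits before the LOG rule so the router's DHCP offers do not flood the log, which is the only reason Marco gave for that rule; the three LOG rules are the single per-chain log lines Eric and Chris asked for.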