Rob, 2009/11/2 Robert Collins <[email protected]>
> On Mon, 2009-11-02 at 16:28 +1100, Daniel Bush wrote: > > I was following Rick's recent post about penetration testing with some > > interest. I'm looking at complying with anz e-gate for e-commerce > > transactions. ANZ has this declaration form for internet sites that you > > have to sign. One of the tick boxes says "Do you operate a firewall that > is > > regularly updated?" > > > > I have an iptables firewall which basically blocks all ip6 and all ip4 > > except for a couple of ports I expose to the internet. I don't see why I > > need to update it "regularly". > > Two primary reasons: > - iptables is not bug free. Few and far between, but not empty-of-bugs. > I mean updating the rules you use to filter packets not maintaining the software that does the filtering. Is that what you mean here? Maybe that's what this tick box means. I didn't think of that. I just assumed they're were talking about the filtering rules... > - ip4 and ip6 are not 'finished'. Every now and then a new RFC or even > std is released, and you need to update your firewall and routing rules > accordingly. (e.g. the nonroutable address space changes over time, so > you need to update your rules accordingly). > Must still be missing something here Rob. I just block everything except for the services I run on the public interface (and stuff on the internal loopback interface / localhost). Why do I need to worry about non-routables? > > Even if those two points didn't matter, if you admin the firewall using > ssh, and sshd has a bug permitting remote compromise, you'd be remiss > not to update that. > > I think this is a software update issue. As before I'm wondering if that is what the tick box meant. What confuses me is that I would have that as a separate tick box in itself, something like "do you regularly patch/maintain security updates for your software, especially firewall and related security systems?" That is not the issue I thought the tick box was addressing. I may be reading you all wrong here though :( > So, its an important checkbox, and if you're not maintaining your > firewall, don't tick it! (Worse still, if you think deny-all + a couple > of permits == correctly setup firewall - you need about 15 rules I > think, for a _minimally_ conformant firewall [that is, not in violation > of parts of the IP stack]). Ok, now you're worrying me. For a simple set up where you have an isolated box running a webserver and ssh: I have a default drop policy on all tables; a catch-all drop rule that logs certain things; I have some stateful rules so that I can talk to the outside world and several open ports on specified interface for tcp protocol where I am exposing services to the outside world. If the default is to drop everything except a specific set of ports on a specific interface using a specific transport why do I have to twiddle with these rules? Surely the only area of concern is the established/related stateful rules Is that what you mean? Are you reviewing the stateful part of your packet filtering firewall every week because you're worried it could get spoofed or something? If so, what is your strategy here and does it result in some sort of regular update? Or do you have default policy of accept which means you have to worry about closing stuff down all the time? I've always assumed drop so I don't even want to begin to think about the alternative. > Keeping on top of the whole mess is what is > implied by 'regularly updated', not turning on some vendor software-sync > button and forgetting about it. > > hm; as per my above comments. I'm pretty paranoid about my firewall. -- Daniel Bush -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
