On Sun, 14 Jul 2002, Links at Momsview wrote:
> I'm using shorewall for a dedicated internet server and I wanted to
> enable the following Linux sysctl PROC settings to better protect
> against hackers. I've seen these parameters set by many other firewalls.
> Do you see any problems using any of these?
>
See my comments below.
> What's the best way to get Shorewall to set them when it starts (or does
> it do this already?)
It is a general principle with Shorewall that if Shorewall configures
something automatically then it will also give you a way to override those
settings. Given that notion plus the fact that most distributions have
their own mechanism for configuring these parameters (/etc/sysctl.conf in
RH for example), I haven't felt it necessary to have Shorewall set these
parameters.
You would set them during Shorewall startup the same way that you make any
extension to Shorewall -- with an extension script
(http://www.shorewall.net/Documentation.htm#Scripts). You can use either
/etc/shorewall/init or /etc/shorewall/start.
> # Don't respond to pings from a broadcast address (don't participate in smurf attack)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
Fine.
> #Block source routing
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
>
That's the default.
> #Kill timestamps.. these have been the subject of a recent bugtraq thread
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>
Ok.
> #Enable SYN cookies (SYN flood protection)
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
Ok for a dedicated server - for a firewall, it is more effective to use
Shorewall's own mechanism for Syn Flood Protection
(http://www.shorewall.net/Documentation.htm#Policy and look at the
LIMIT:BURST column).
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
Fine.
> #Log martians
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
This largely duplicates existing Shorewall functions but won't hurt anything.
>
> #Reduce DOS ability by reducing timeouts
>
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
Ok.
I might add that many of the above only affect connections to/from the
Shorewall system itself so while they may be appropriate on a dedicated
server, they wouldn't have any effect on a firewall that didn't open any
TCP ports net->fw.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
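An added example (not code from the thread or from the Shorewall project) of the extension-script approach Tom describes: a POSIX sh file meant to be installed as /etc/shorewall/start that applies the settings quoted above and reads each one back, so a mistyped /proc path or a rejected value is reported instead of failing silently. The SYSCTL_ROOT variable and the function names are my own; the script assumes Shorewall sources it as root at startup.

```shell
# Added example, not code from the thread or the Shorewall project: a
# /etc/shorewall/start extension script that applies the sysctls quoted in
# the thread and verifies each one. SYSCTL_ROOT is an assumed knob: the live
# /proc/sys for real use, a scratch directory for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The settings from the thread: "path-under-/proc/sys value", one per line.
HARDENING_SYSCTLS='
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/tcp_timestamps 0
net/ipv4/tcp_syncookies 1
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/conf/all/log_martians 1
net/ipv4/tcp_fin_timeout 30
net/ipv4/tcp_keepalive_time 1800
net/ipv4/tcp_window_scaling 1
net/ipv4/tcp_sack 0
'

# set_sysctl KEY VALUE: write VALUE to $SYSCTL_ROOT/KEY, then read it back.
# Succeeds only if the file exists and now holds VALUE, so a mistyped key or
# a value the kernel rejects is reported instead of silently ignored.
set_sysctl() {
    path="$SYSCTL_ROOT/$1"
    if [ ! -w "$path" ]; then
        echo "sysctl: $path missing or not writable" >&2
        return 1
    fi
    echo "$2" > "$path" || return 1
    [ "$(cat "$path")" = "$2" ]
}

# apply_hardening: apply every setting; exit status is the number of failures.
# The here-document keeps the loop in the current shell so the counter survives.
apply_hardening() {
    failures=0
    while read -r key value; do
        [ -n "$key" ] || continue
        set_sysctl "$key" "$value" || failures=$((failures + 1))
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return $failures
}
# Shorewall sources this as root at start; only then touch the live /proc/sys.
if [ "$SYSCTL_ROOT" = /proc/sys ] && [ "$(id -u)" = 0 ]; then
    apply_hardening
fi
```

Point SYSCTL_ROOT at a scratch directory containing the same file layout to dry-run the script without root.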