Hello Dan,
--On Saturday, March 08, 2003 09:39:34 PM +0100 Dan Bar
<Daniel.Bar@seznam.cz> wrote:
>
> Hello,
>
> sorry not to send all that info at once. My study is in progress.
>
> I'm used to making iptables settings by hand, but now when I've found a link
> to your soft things will maybe change. But after all, (to be enough
> paranoid :) I'm checking iptables-save output of firewall settings
> generated by Shorewall and here are some things - something like
> suggestions. Maybe you will find them useful.
>
> 1) limit and burst limit for reject with icmp (to prevent ping flooding)
> + log what exceeds set limits. Use of common limit/burst variable or
> create separate one
I could offer that as an interface option.
>
> 2) two types of dhcp - dynamic IP of the firewall's if (no need for UDP
> ports 67,68 to be open)
That's only true if the fw-><zone of DHCP server> policy is ACCEPT, no?
> - dhcp server (accept broadcasts and 67:68 open as well)
This is already handled by the 'dhcp' interface option.
>
> 3) (I have to study real meanings of all that TCP flags combinations,
> here are some more I've found in one script. I don't know if it makes any
> sense to use them.)
>
> - tcp flags - ALL FIN,URG,SYN,RST,ACK
> - ALL ALL
> - ALL NONE
If you set the <tcpflags> interface option then:
a) the first two of those are caught by
run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
b) The last is already there.
>
> 4) Use of -m state --state INVALID at the start of chain
No -- it should at least be deferred until after the RELATED,ESTABLISHED
test -- but almost everything after that has -m state --state NEW. Not a
high priority...
>
> 5) log limit/burst for logdrop (you know that already) and newnotsyn chain
Yes, thanks.
>
> 6) what about setting default policy for netfilter tables to DROP (just
> in case ...) ?
Already done.
>
> 7) what about more detailed info : what iptables commands will be issued by
> which option set ? Maybe some people - like me - will find it useful.
> And also it would make meaning of some options more clear.
>
> 8) more examples of all possible parameter syntax combinations in config
> files (as rules for example). Maybe to create example repository for
> people's settings packs.
>
>
> I hope it's not too much :).
>
The last two are too much -- unless you are volunteering to maintain such
documentation...
Thanks!
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
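The rule ordering and flag matches discussed in the thread, as an added example that is not part of the mailing-list exchange and not Shorewall's own code. It emits the iptables commands implied by points 1, 3, 4 and 6 above (the `-m state` syntax of the time), runs in dry-run mode by default so nothing is applied, and ends with a small audit function in the spirit of Dan's iptables-save review that checks the RELATED,ESTABLISHED accept precedes the INVALID drop. The chain names `tcpflags` and `icmplimit`, the `LIMIT`/`BURST`/`LOGLIMIT` variables and the echo-request reading of point 1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread and not Shorewall's code.
# Dry run by default: IPT is "echo iptables", so the rules are printed rather
# than loaded; run as root with IPT=iptables to apply them for real.
# LIMIT/BURST are assumed names for the shared limit/burst variable proposed
# in point 1; LOGLIMIT throttles the LOG rules so a flood cannot fill syslog.
IPT="${IPT:-echo iptables}"
LIMIT="${LIMIT:-5/sec}"
BURST="${BURST:-10}"
LOGLIMIT="${LOGLIMIT:-1/min}"

# Point 6: default policy DROP on every filter chain, so anything not
# explicitly accepted below is discarded.
default_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Point 3: a tcpflags chain (assumed name). "--tcp-flags SYN,RST SYN,RST"
# matches any segment with both SYN and RST set, which already covers
# "ALL FIN,URG,SYN,RST,ACK" and "ALL ALL"; "ALL NONE" (no flags) needs
# its own rule. Each drop is logged first, at the throttled LOGLIMIT rate.
tcpflags_chain() {
    $IPT -N tcpflags
    $IPT -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST \
        -m limit --limit "$LOGLIMIT" -j LOG --log-prefix "tcpflags:DROP:"
    $IPT -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A tcpflags -p tcp --tcp-flags ALL NONE \
        -m limit --limit "$LOGLIMIT" -j LOG --log-prefix "tcpflags:DROP:"
    $IPT -A tcpflags -p tcp --tcp-flags ALL NONE -j DROP
}

# Point 1 (one reading of it): accept ICMP echo requests up to the shared
# limit/burst, log what exceeds it at a lower rate, then drop the excess.
icmp_chain() {
    $IPT -N icmplimit
    $IPT -A icmplimit -p icmp --icmp-type echo-request \
        -m limit --limit "$LIMIT" --limit-burst "$BURST" -j ACCEPT
    $IPT -A icmplimit -p icmp --icmp-type echo-request \
        -m limit --limit "$LOGLIMIT" -j LOG --log-prefix "icmp-limit:DROP:"
    $IPT -A icmplimit -p icmp --icmp-type echo-request -j DROP
}

# Point 4: the INVALID test is deferred until after the RELATED,ESTABLISHED
# accept, as Tom says, and the remaining rules only see NEW traffic.
input_chain() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp -j tcpflags
    $IPT -A INPUT -p icmp -j icmplimit
    # newnotsyn: a NEW TCP connection that does not begin with a bare SYN
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

build_ruleset() {
    default_policies
    tcpflags_chain
    icmp_chain
    input_chain
}

# Audit helper: reads a rule listing (dry-run output or iptables-save) on
# stdin and returns 0 only if the first RELATED,ESTABLISHED rule comes before
# the first "--state INVALID" rule; returns 1 when either is missing or the
# order is reversed.
audit_state_order() {
    awk '
        /RELATED,ESTABLISHED/ && !est { est = NR }
        /--state INVALID/ && !inv { inv = NR }
        END { exit !(est && inv && est < inv) }
    '
}

build_ruleset
```

Run as-is to see the generated commands; pipe them, or a saved `iptables-save` listing, into `audit_state_order` to confirm the ordering Tom describes survived whatever edits were made by hand.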