Hi, I would like to read opinions about my firewall settings:

I am using iptables with Shorewall (frontend) and my configuration is:

- Default policy: REJECT all connections.
- Rules: allow DNS (my DNS servers), allow HTTP and HTTPS connections for servers: www.google.es, ...

So, nobody except these servers can connect with me (inbound and outbound). Is this type of configuration secure? How could they attack me?

Thank you very much, I appreciate your help.
2008/11/10 Manuel Gomez <mgdpz1@gmail.com>
> Hi, i would like to read opinions about my firewall settings:
> I am using Iptables with Shorewall (frontend) and my configuration is:
> - Default Policy: REJECT all connections.
> - Rules: Allow DNS (my DNS servers), allow http and https connections for
> servers: www.google.es, ...
> So, nobody except these servers can connect with me (inbound and outbound).
> This type of configuration is secure? How could they attack me?

By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.
2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
> By using REJECT instead of DROP, you have no stealth. This means you can be
> port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities,
> etc.

That said, if SSH traffic is blocked, an OpenSSH vuln. might not be significant. If you're allowing any inbound traffic, though, any unpatched flaws in the app servicing that inbound traffic could expose your system to attack.

Also, by REJECTing rather than DROPping, you might be more vulnerable to DoS attacks.

Consider using a default (LOG and) DROP policy instead. Michael Rash's site (www.cipherdyne.org) has some good resources for learning about this and implementing it.
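The change recommended above, written as Shorewall policy and rules fragments; this is an added illustration, not the poster's actual files, and it assumes a two-zone layout ($FW and net), a placeholder resolver address 192.0.2.53, and www.google.es as the one allowed web host named in the thread:

```text
# /etc/shorewall/policy  (added illustration; zones $FW and net are assumed)
#
# Before: a REJECT default answers every unmatched packet (TCP RST or
# ICMP unreachable), so a scanner can tell "closed" from "filtered".
#SOURCE   DEST   POLICY   LOG_LEVEL
#$FW      net    REJECT
#net      $FW    REJECT
#
# After: LOG then DROP. Unmatched packets are logged at syslog level
# "info" and silently discarded; nothing is sent back to the probe.
#SOURCE   DEST   POLICY   LOG_LEVEL
$FW       net    DROP     info
net       $FW    DROP     info

# /etc/shorewall/rules  (added illustration; 192.0.2.53 is a placeholder
# for the poster's own resolver, www.google.es is the host named above)
#ACTION   SOURCE   DEST                 PROTO   DEST_PORT
# DNS only to the configured resolver (UDP, plus TCP for large replies)
ACCEPT    $FW      net:192.0.2.53       udp     53
ACCEPT    $FW      net:192.0.2.53       tcp     53
# HTTP and HTTPS only to the listed servers; everything else hits the
# DROP policy above and shows up in the log
ACCEPT    $FW      net:www.google.es    tcp     80,443
```

Shorewall resolves a DNS name in the rules file once, when the ruleset is compiled, so a name that maps to changing addresses (as large web properties do) can silently stop matching until the next restart; fixed addresses are the safer choice where you have them.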
Manuel Gomez wrote:
> Hi, i would like to read opinions about my firewall settings:

Please STOP CROSS-POSTING.

-Tom
--
Tom Eastep                \   The ultimate result of shielding men from the
Shoreline,                 \  effects of folly is to fill the world with fools.
Washington, USA            \     -Herbert Spencer
http://shorewall.net       \________________________________________________
Manuel Gomez
2008-Nov-10 20:35 UTC
Re: About my Firewall Settings - I would like an opinion
Sam Kuper wrote:
> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
>     By using REJECT instead of DROP, you have no stealth. This means
>     you can be port-scanned to look for weaknesses, e.g. unpatched
>     OpenSSH vulnerabilities, etc.
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing and inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

Ok, I have set the default policy to DROP. What more could I do?

Thank you very much.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Manuel Gomez
2008-Nov-10 20:41 UTC
Re: About my Firewall Settings - I would like an opinion
Sam Kuper wrote:
> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
>     By using REJECT instead of DROP, you have no stealth. This means
>     you can be port-scanned to look for weaknesses, e.g. unpatched
>     OpenSSH vulnerabilities, etc.
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing and inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

I have set the default policy to DROP. What more could I do?

Thank you very much, I appreciate your help.