[olug] Building a Hellacious Firewall
Jason Ferguson
jferguson3 at home.com
Tue Jun 26 21:33:23 UTC 2001
Okay, iptables isn't tough:
iptables -A INPUT --source (addy-of-bad-guy) -j LOG    # -j (lowercase) is the target flag
iptables -A INPUT --source (same-addy) -j DROP         # LOG does not stop the packet, so DROP must follow it
Or something like that.
However, we talk so much about the HOW to firewall, with ipchains or
iptables, that we miss what I feel is even more important... WHAT to
firewall.
Now, for example... I've heard it said that AUTH (usually port 113, check
your /etc/services) is a security risk to run: it lets people gather
info about your computer. However, try connecting to IRC without it...
you won't get far. Solution: deny AUTH requests from anyone besides the
IRC servers. Just LOG all of your requests for a while to get the IP
addresses of the servers, then modify your rules. Same goes for any of
the other services; firewalls can block access to your services except
for select IP addresses. This could allow something as bad as TELNET on
your internal network without being dangerous to the outside (gotta be
careful of spoofing, of course).
I prefer to build my firewall script myself, rather than use some
generator program. This is because if you just use a generator, do you
REALLY know what you're blocking and/or allowing? Probably not.
IPTABLES brings new stuff to the table. I personally don't know how to
use things like MARK. So, to get to the point of this email (finally),
can some of the old pros here share some of their experience in the art
of building firewalls rather than the science?
Jason
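The AUTH lock-down sketched in the post (log every identd request, collect the source addresses, then allow only those hosts), worked through as an added example. This is not code from the original message or from the OLUG list; the LOG prefix "AUTH: ", the chain name AUTH, and the sample syslog lines (with addresses from the documentation ranges) are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Walks through the three steps of
# the AUTH (identd, TCP/113) lock-down: log every request, pull the source
# addresses out of the log, then generate rules that accept only those hosts.

# Step 1: the discovery rule. Install this first and let it run for a while.
# --log-prefix is a real LOG target option; "AUTH: " is our chosen tag.
discovery_rule() {
    echo 'iptables -A INPUT -p tcp --dport 113 -j LOG --log-prefix "AUTH: "'
}

# Constructed sample of what the kernel writes for that rule (syslog form of
# the iptables LOG target). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Jun 26 21:40:01 box kernel: AUTH: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=34567 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 26 21:40:03 box kernel: AUTH: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=34568 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 26 21:41:10 box kernel: AUTH: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 26 21:42:00 box kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=900 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

# Step 2: auth_sources reads log text on stdin and prints the distinct SRC=
# addresses of TCP connections to port 113, one per line. Filtering on the
# prefix keeps unrelated LOG lines (like the telnet probe above) out.
auth_sources() {
    grep 'kernel: AUTH: ' \
      | grep 'PROTO=TCP ' \
      | grep 'DPT=113 ' \
      | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
      | sort -u
}

# Step 3: auth_rules reads that address list on stdin and prints the final
# rule set: a dedicated chain (our name, "AUTH") that accepts the listed
# hosts, logs everything else at a limited rate, and drops it.
auth_rules() {
    echo 'iptables -N AUTH'
    echo 'iptables -A INPUT -p tcp --dport 113 -j AUTH'
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -A AUTH -s $ip -j ACCEPT"
    done
    echo 'iptables -A AUTH -m limit --limit 3/min -j LOG --log-prefix "AUTH-DROP: "'
    echo 'iptables -A AUTH -j DROP'
}

# Stand-alone run: show the discovery rule, then the rules derived from the
# sample log. On a real box, feed it grep 'AUTH: ' /var/log/messages instead.
discovery_rule
printf '%s\n' "$SAMPLE_LOG" | auth_sources | auth_rules
```

Rule order matters twice here: the discovery LOG rule must come before any DROP that would hide the requests, and in the final chain the ACCEPTs must precede the catch-all LOG/DROP. A source-address allow-list narrows exposure but is not authentication: it is only as good as the anti-spoofing on the interface (for TCP, a blind spoofer never sees the SYN/ACK, which is why a completed handshake from a forged IRC server address is hard, not impossible). IRC networks also rotate servers, so re-run the discovery step now and then.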
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net