iptables - drop all -> allow needed OR allow all -> drop specific
Just wondering what people think the best approach is to firewall setups on a basic level.
Do people recommend dropping all in,out and forward packets then allowing only the services that need access to external or internal networks? Or it is quite ok to allow all and just block or drop connections to sensitive ports that do not need to be exposed to the external network?
At first glance they would seem to have the same effect. But, the first one would be more secure, I suppose, if someone managed to compromise your machine and open a backdoor that say listened on port 30000 or whatever then at least all outgoing and incoming connections to this service would be blocked, unless of course the intruder changed your iptables rule set.
Thanks in advance.
Usually dropping all and allowing only selected services is going to be the more secure option. That being said, it's entire possible to use a default of allow all and have it be equally secure, but it is much more difficult to determine what types of attacks/malicious traffic you'll need to block. This is because with an allow all policy, you'll have to define these types of traffic beforehand. For the novice user, this can be a extremely difficult task (ie should I allow SYN packets? SYN ACK? SYN RST? SYN URG PSH?!). So it is much easier to miss a critical rule and thereby open up your firewall (and even worse, not realize there is a gaping hole).
With a deny by default firewall, you can identify the rules you'll need more easily (look at the docs and see how the protocol works), they usually require less rules overall, and if you miss a critical rule it's usually much more apparent (you break some networking function). The downside to deny by default is that it usually requires more tweaking early on in order to allow the traffic you need (they tend to fail closed).
However, with either scenario a single miss-placed rule can open your system up to attack. So it's an absolute requirement to thoroughly test out a firewall script to see if it's doing what you think it should. In practice the allow all defaults tend to have more of a "oops, I forgot about that" -factor than the deny all scripts.
Ideally it's best to use drop policies on all three chains, but often people use an allow all policy on the OUTPUT chain because it makes configuration more easy (don't have to worry about basic networking requirements like DNS, DHCP, ping, etc). Also in most cases, you shouldn't see malicious outbound traffic, unless of course if an internal host is compromised, in which case having drop output policies can act as a final line of defenses and prevent a compromised machine from "connecting out" or attacking other machines.
To add to the wonderful clarification (it is ...)
Dropping all but a few has indeed the advantage of you knowing what you want to do... you KNOW you want HTTP, so you can open that port... you KNOW you want ftp, so you can open THAT port.... The other way around doesn't work as well... imagine: I KNOW I DON'T want blahblah... well, lots to think of...
Also... indeed a lot of iptables firewalls have the OUTPUT to be open.. having a tight INPUT gives best protection.. if you fully trust the local machine (the iptables machine), the OUTPUT could be set open... this together with a State RELATED,ESTABLISHED on the INPUT chain grants communication initiated by the local machine..
It really depends on what you want... there are two solution thoughts...:
- Security first, drop all but a few. I don't want anything to happen that I don't know of. Any service run on your local network isn't exposed until YOU say so.
- Ease of setup, allow but a few.. I don't want (lots of) administration about what port to open.. it needs to route my traffic, and security isn't that important.. I don't have any services opened anyways.
Hopes this adds some sense... :)
Thanks for the replies!
Personally prefer the DROP all option, and then simply defining what ports/services you want to allow connections out to - as a simple example to allow outbound connections to 80 & 443:
Oh.. I forgot something...
When you do choose for 'drop but a few' method, put a LOG entry just before you drop...
If you drop by policy, do the log entry as the very last, if you drop explicitly by a rule, put the log JUST before that one....
This way, if something is not working right, you can check the logs for packets that didn't come through. needs some practise to read them well, but it helps out in these situations...
|All times are GMT -5. The time now is 04:32 PM.|