LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1  10-03-2003, 02:03 PM  jxi (Member; Richmond VA; Slackware 11 -- CentOS 4.4; 115 posts)

Is router plus stateful firewall enough?


Hi,

I recently bought a D-Link router and have

| DSL modem | --> | router | --> rh9
                       |
                       +-----> XP

On rh9 I boot with a modified version of lokkit where only ESTABLISHED,RELATED connections are allowed (exceptions: see note *). Default policy for INPUT and FORWARD is DROP.

Do I need to embellish this firewall with, say, fragment blocking -
iptables -I INPUT 2 -i eth0 -f -j DROP

and checking for a "SYN bit" flood of packets -
iptables -N syn-flood
iptables -I INPUT 3 -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP


Pre-router I thought these things necessary as I was coming straight into eth0 from the DSL modem.

At the present time I don't do anything more than surf and get e-mail on this machine.

On the XP box I enabled the "stateful firewall" they have built in although I don't know exactly how it works (and it doesn't appear to allow much customization).

D-Link Dl-704P / Compaq w/AMD K6-2 533Mhz
kernel 2.4.20-20.9 (rh modified)

* - NOTE: allow router port 67 -> 68 for DHCP, plus your usual loopback stuff. Also allow any UDP packets from port 53 on my provider's nameservers.

TIA
johnny
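As an added example (not code from the original post), here is the policy jxi describes assembled into a single iptables-restore file, so the ordering of the pieces is visible in one place: default DROP on INPUT and FORWARD, loopback, the fragment drop and rate-limited SYN chain from the post, the ESTABLISHED,RELATED match, the DHCP exception from the router, the UDP/53 exception from the note, and a LOG rule for NEW attempts of the kind mentioned in #4. The interface name, the router address 192.168.0.1 (taken from reply #3) and the nameserver addresses 192.0.2.53 and 192.0.2.54 are assumptions standing in for the real ones.

```shell
#!/bin/sh
# Added example: the policy from the post as one iptables-restore file.
# Assumptions (not from the post): LAN_IF, ROUTER (D-Link default per reply #3)
# and DNS_SERVERS (RFC 5737 placeholder addresses; use your ISP's resolvers).
LAN_IF="${LAN_IF:-eth0}"
ROUTER="${ROUTER:-192.168.0.1}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"

# Print the ruleset. Rule order matters: early drops first, then the state
# match, then the narrow exceptions, then a LOG rule so every NEW attempt
# that would fall through to the default DROP is recorded.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -f -j DROP
-A INPUT -i $LAN_IF -p tcp --syn -j syn-flood
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p udp -s $ROUTER --sport 67 --dport 68 -j ACCEPT
EOF
    # One accept per nameserver, as the post's note describes (see caveat below).
    for ns in $DNS_SERVERS; do
        printf '%s\n' "-A INPUT -i $LAN_IF -p udp -s $ns --sport 53 -j ACCEPT"
    done
    cat <<EOF
-A INPUT -m state --state NEW -j LOG --log-prefix "NEW-IN: "
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
COMMIT
EOF
}

# How many ACCEPT rules the policy contains: a quick sanity check that no
# extra exception slipped in when the variables above were edited.
count_exceptions() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore      # loads the whole table atomically; run as root
else
    gen_rules                         # review the rules first
fi
```

Run it with no arguments to print the rules and with `--apply` to load them. Two points to check before loading on a real box: the explicit `--sport 53` accepts are redundant once state tracking is on (replies to your own queries already match ESTABLISHED) and they admit anything that arrives with source port 53 from those addresses, so the safer choice is to leave them out; and when ip_conntrack is loaded the kernel reassembles fragments before the filter table sees them, so the `-f` rule will rarely match anything. Both are kept here only because the post asks about them.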
 
#2  10-03-2003, 11:31 PM  ezra143 (Member; NY; RH9, RH8, Slack, Vector; 497 posts)
You should be fine. You're more protected than most.
 
#3  10-04-2003, 05:56 AM  /bin/bash (Senior Member; Indiana; Mandrake Slackware-current QNX4.25; 1,802 posts)
* - NOTE allow router port 67 -> 68 for dhcp, plus your usual loopback stuff. also allow any udp packets from port 53 on my provider's nameservers.

You don't need to open any ports on the DI704P. It will negotiate DHCP with your ISP and will get the nameserver IPs automatically when you select dynamic IP. Just set up your RH box with the default gateway of 192.168.0.1.

Also don't forget to upgrade periodically.
 
#4  10-04-2003, 09:22 AM  jxi (Original Poster)
Thanks everyone -
Yes the router setup does appear much safer than directly ISP->eth0

I log all new connection attempts - guess that's SYN not ESTABLISHED, or SYN not ACK,RST - anyway, in pre-router days I was constantly getting requests for ports like 135, 137 (probably normal), 139, 445, plus any number of >1024 ports. Now I see none of that on the client (i.e. rh9) box.

regards johnny
Zippy sez " Are the _stewed prunes_ still in the _hair dryer_ ?? "
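As an added example (not from the original thread), here is a small shell/awk summariser for the "new connection attempt" log lines jxi describes, so that the probed ports (135, 137, 139, 445 and the high ports) stand out as counts per protocol/port together with how many distinct sources hit each. The log lines are constructed for the example in the format the iptables LOG target writes; the "NEW-IN:" prefix, hostname and addresses are assumptions.

```shell
#!/bin/sh
# Added example: summarise firewall LOG lines for NEW connection attempts.
# The sample lines below are constructed; prefix and addresses are assumptions.
SAMPLE_LOG=$(cat <<'EOF'
Oct  4 09:20:11 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=48 TTL=113 ID=1 DF PROTO=TCP SPT=3421 DPT=445 WINDOW=16384 SYN URGP=0
Oct  4 09:20:12 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=48 TTL=113 ID=2 DF PROTO=TCP SPT=3422 DPT=135 WINDOW=16384 SYN URGP=0
Oct  4 09:20:40 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.0.2 LEN=48 TTL=120 ID=3 DF PROTO=TCP SPT=1055 DPT=445 WINDOW=65535 SYN URGP=0
Oct  4 09:20:41 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.0.2 LEN=48 TTL=120 ID=4 DF PROTO=TCP SPT=1056 DPT=139 WINDOW=65535 SYN URGP=0
Oct  4 09:21:03 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.2 LEN=48 TTL=113 ID=5 DF PROTO=TCP SPT=3423 DPT=445 WINDOW=16384 SYN URGP=0
Oct  4 09:21:30 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.0.2 LEN=78 TTL=120 ID=6 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct  4 09:21:31 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.0.2 LEN=84 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct  4 09:22:00 rh9 kernel: NEW-IN: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.0.2 LEN=48 TTL=50 ID=8 DF PROTO=TCP SPT=4000 DPT=135 WINDOW=5840 SYN URGP=0
EOF
)

# Read kernel LOG lines on stdin; print "PROTO/DPT hits sources", most-hit first.
# Lines without a destination port (the ICMP echo above) are skipped instead of
# being miscounted, and "sources" is the number of distinct SRC= per port.
summarize_probes() {
    awk '
    /PROTO=/ && /DPT=/ {
        proto = ""; dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (proto == "" || dpt == "") next
        key = proto "/" dpt
        hits[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END { for (k in hits) printf "%s %d %d\n", k, hits[k], srcs[k] }
    ' | sort -k2,2nr -k1,1
}

# Run on the constructed sample; on a real box feed it /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_probes
```

On the sample this prints TCP/445 first (three hits from two sources), then TCP/135, then the single hits on TCP/139 and UDP/137; the ICMP line is ignored. The same function works on the real file, for example `grep 'NEW-IN:' /var/log/messages | summarize_probes`, and a sudden jump in distinct sources on one port is usually more telling than the raw hit count.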
 
  

