LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Centos 5.4 Root Password Changed and or System Compromised (https://www.linuxquestions.org/questions/linux-security-4/centos-5-4-root-password-changed-and-or-system-comprimised-831894/)

Hangdog42 09-16-2010 12:49 PM

Quote:

Originally Posted by metallica1973 (Post 4099615)
Many thanks for all the responses. How is my firewall looking?

To be honest, I'm not sure what I think about your firewall. It is obvious that you've got a pretty complex setup, and without knowing more about what services the machine is supposed to be offering and what you're trying to defend against, I'm not sure I could offer much in the way of practical analysis.

Given the amount in your FORWARD chain, I'm guessing this is acting as some sort of a router or gateway between domains. If this is true, and if we find evidence of a compromise, that could raise the troubling issue of whether or not any of the other systems sharing this network have been infected/attacked.

I'm also not sure I understand what is going on in the OUTPUT chain. It looks like you eventually accept everything heading outbound, so I'm kind of wondering why you don't just set the OUTPUT default to ACCEPT. Unless I'm missing something (always a possibility), no packets ever make it from OUTPUT to the LDROP table.

One thing I will say is that in terms of this potential compromise, I'm not sure the firewall is something to be concerned about. It is clear you have it doing a fair bit of logging, and those logs may be useful once we have a better picture of what is going on. What this firewall also may do is make it a bit more of an imperative to look at existing services and see if they have been compromised. It might be a bit difficult with this firewall to set up a new service like an IRC server and have it be accessible without changing some rules.

metallica1973 10-11-2010 06:50 AM

Many thanks for your advice. I will take a peek at the firewall and go through it with a fine-tooth comb.

Hangdog42 10-11-2010 12:03 PM

Just out of curiosity, have you done any digging into how the root password got changed? The firewall is a secondary priority if you've been cracked.

metallica1973 10-11-2010 07:11 PM

After thinking about it very carefully, I have reason to believe that it happened after several updates were done to the server. It was immediately after the updates were complete that I couldn't log in. I checked everything possible on the system and can't find anything abnormal. I ran chkrootkit and others like it without finding anything. I will reformat it here shortly to be sure, but I really think it was the updates that caused the issues.
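As an added example (not code from the thread), a POSIX shell script that does the digging Hangdog42 asks about: it places each root password change that pam_unix records in /var/log/secure against the package update window recorded in /var/log/yum.log, so "did the updates coincide with the password change?" becomes a timestamp comparison. The host name, package names and log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies each root password
# change in the secure log as before / during / after the yum update window
# (CentOS 5 log formats). Log contents below are constructed samples; on the
# real host run:  report_root_changes /var/log/secure /var/log/yum.log

SAMPLE_SECURE='Oct  9 22:10:03 web1 sshd[2210]: Accepted publickey for admin from 10.0.0.5 port 40122 ssh2
Oct 10 14:21:10 web1 passwd: pam_unix(passwd:chauthtok): password changed for root
Oct 10 14:25:40 web1 sshd[2301]: Failed password for root from 10.0.0.9 port 51022 ssh2'

SAMPLE_YUM='Oct 10 14:20:05 Updated: examplepkg-1.0-2.el5.x86_64
Oct 10 14:21:48 Updated: examplelib-2.3-1.el5.x86_64'

# "Mon DD HH:MM:SS ..." -> sortable key MMDDHHMMSS (one calendar year assumed;
# awk keeps it POSIX-portable, no GNU "date -d" needed).
ts_key() {
    printf '%s\n' "$1" | awk '{
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        split($3, t, ":")
        printf "%02d%02d%02d%02d%02d\n", (m + 2) / 3, $2, t[1], t[2], t[3] }'
}

# Where key $1 sits relative to the window [$2, $3].
classify() {
    if [ "$1" -lt "$2" ]; then echo before
    elif [ "$1" -gt "$3" ]; then echo after
    else echo during; fi
}

# One line per root password change: "<key> <before|during|after>".
# $1 = secure log, $2 = yum log (first and last yum entries bound the window).
report_root_changes() {
    first=$(ts_key "$(head -n 1 "$2")")
    last=$(ts_key "$(tail -n 1 "$2")")
    grep 'password changed for root' "$1" | while read -r line; do
        key=$(ts_key "$line")
        echo "$key $(classify "$key" "$first" "$last")"
    done
}
```

A change that lands "during" the update run points at the package scripts; one that lands "after" with no matching admin session in the secure log is what you would want to explain before reinstalling.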
