Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-21-2004, 12:52 AM | #1 | Member | Registered: Aug 2003 | Location: Oz | Distribution: Gentoo - Debian | Posts: 202
iptables - drop all -> allow needed OR allow all -> drop specific
Hi All,
Just wondering what people think the best approach is to firewall setups on a basic level.
Do people recommend dropping all in, out and forward packets, then allowing only the services that need access to external or internal networks? Or is it quite ok to allow all and just block or drop connections to sensitive ports that do not need to be exposed to the external network?
At first glance they would seem to have the same effect. But the first one would be more secure, I suppose: if someone managed to compromise your machine and open a backdoor that, say, listened on port 30000 or whatever, then at least all outgoing and incoming connections to this service would be blocked, unless of course the intruder changed your iptables rule set.
Thanks in advance.
12-21-2004, 02:12 AM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Usually dropping all and allowing only selected services is going to be the more secure option. That being said, it's entirely possible to use a default of allow all and have it be equally secure, but it is much more difficult to determine what types of attacks/malicious traffic you'll need to block. This is because with an allow all policy, you'll have to define these types of traffic beforehand. For the novice user, this can be an extremely difficult task (i.e. should I allow SYN packets? SYN ACK? SYN RST? SYN URG PSH?!). So it is much easier to miss a critical rule and thereby open up your firewall (and even worse, not realize there is a gaping hole).
With a deny by default firewall, you can identify the rules you'll need more easily (look at the docs and see how the protocol works), they usually require fewer rules overall, and if you miss a critical rule it's usually much more apparent (you break some networking function). The downside to deny by default is that it usually requires more tweaking early on in order to allow the traffic you need (they tend to fail closed).
However, with either scenario a single misplaced rule can open your system up to attack. So it's an absolute requirement to thoroughly test out a firewall script to see if it's doing what you think it should. In practice the allow all defaults tend to have more of an "oops, I forgot about that" factor than the deny all scripts.
Ideally it's best to use drop policies on all three chains, but often people use an allow all policy on the OUTPUT chain because it makes configuration easier (you don't have to worry about basic networking requirements like DNS, DHCP, ping, etc). Also, in most cases you shouldn't see malicious outbound traffic, unless of course an internal host is compromised, in which case having drop output policies can act as a final line of defense and prevent a compromised machine from "connecting out" or attacking other machines.
12-21-2004, 02:50 AM | #3 | Member | Registered: Aug 2004 | Location: The Netherlands | Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo | Posts: 372
To add to the wonderful clarification (it is ...)
Dropping all but a few has indeed the advantage of you knowing what you want to do... you KNOW you want HTTP, so you can open that port... you KNOW you want ftp, so you can open THAT port.... The other way around doesn't work as well... imagine: I KNOW I DON'T want blahblah... well, lots to think of...
Also... indeed a lot of iptables firewalls have the OUTPUT to be open.. having a tight INPUT gives best protection.. if you fully trust the local machine (the iptables machine), the OUTPUT could be set open... this together with a State RELATED,ESTABLISHED on the INPUT chain grants communication initiated by the local machine..
It really depends on what you want... there are two solution thoughts...:
- Security first, drop all but a few. I don't want anything to happen that I don't know of. Any service run on your local network isn't exposed until YOU say so.
- Ease of setup, allow but a few.. I don't want (lots of) administration about what port to open.. it needs to route my traffic, and security isn't that important.. I don't have any services opened anyways.
Hope this adds some sense...
Last edited by rhoekstra; 12-21-2004 at 02:51 AM.
12-21-2004, 03:00 AM | #4 | Member | Registered: Aug 2003 | Location: Oz | Distribution: Gentoo - Debian | Posts: 202 | Original Poster
Thanks for the replies!
12-21-2004, 03:05 AM | #5 | Senior Member | Registered: Jun 2003 | Distribution: Debian/other | Posts: 2,104
Personally I prefer the DROP all option, and then simply defining what ports/services you want to allow connections out to. As a simple example, to allow outbound connections to 80 & 443:
```bash
#!/bin/bash
# Start from an empty filter table, then deny everything by policy
iptables --flush
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback traffic is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Outbound DNS lookups (UDP 53) and HTTP/HTTPS (TCP 80, 443) on eth0
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80,443 -j ACCEPT
# Replies to connections this machine initiated are allowed back in
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Last edited by Skyline; 12-21-2004 at 03:17 AM.
12-21-2004, 03:07 AM | #6 | Member | Registered: Aug 2004 | Location: The Netherlands | Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo | Posts: 372
Logging!
Oh.. I forgot something...
When you do choose the 'drop but a few' method, put a LOG entry just before you drop...
If you drop by policy, do the log entry as the very last rule; if you drop explicitly by a rule, put the log JUST before that one....
This way, if something is not working right, you can check the logs for packets that didn't come through. It needs some practice to read them well, but it helps out in these situations...
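As an added example (not code from the thread), the following shell script combines the deny-by-default layout of the script in post #5 with the advice above to log as the very last rule when dropping by policy, and then summarises the resulting kernel-log lines so they are easier to read. The interface name, the FW-DROP-* log prefixes, the rate limit and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. gen_rules emits a deny-by-default
# ruleset in iptables-restore format with a rate-limited LOG rule as the
# LAST rule of each chain, so whatever the DROP policy discards is logged
# first; summarize_drops counts those log lines. The interface name and
# the FW-DROP-* prefixes are assumptions chosen for this example.
gen_rules() {
  iface="${1:-eth0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $iface -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-IN: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-FWD: "
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
EOF
}
# Load (as root, with a console open in case of lockout): gen_rules eth0 | iptables-restore

# Count logged drops per chain prefix, protocol and destination port from
# kernel-log text on stdin (journalctl -k or /var/log/kern.log).
summarize_drops() {
  awk '{
    chain = ""; proto = "?"; dpt = "-"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^FW-DROP-[A-Z]+:$/) chain = $i
      else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (chain != "") n[chain " " proto " " dpt]++
  } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample lines in the format the LOG target writes (fields trimmed).
SAMPLE_LOG='Dec 21 02:12:01 host kernel: FW-DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44123 DPT=22 SYN
Dec 21 02:12:03 host kernel: FW-DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44124 DPT=22 SYN
Dec 21 02:12:09 host kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.77 PROTO=TCP SPT=51000 DPT=30000 SYN
Dec 21 02:12:15 host kernel: FW-DROP-IN: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0'
```

Running `printf '%s\n' "$SAMPLE_LOG" | summarize_drops` groups the sample into one line per chain/protocol/port, so the outbound attempt to port 30000 that the OUTPUT drop policy blocked stands out separately from the inbound SSH probes.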