Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
There really is no reason to make all those rules i.e., 1 2 3 and so forth. They are doing nothing special that could not be handled in INPUT or OUTPUT. I would also question why you are firewalling the OUTPUT chain? Do you not trust your own system? This could lead to services not working as you are blocking something that needs to be open for the system to operate.
I live by the KISS rule and here are my rules:
Code:
/ # iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.15.101/32 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
It is blindly dropping icmp, and therefore breaks e.g. path MTU discovery.
Is PMTU not similar to post office calling every couple of minutes inquiring about dimensions of your mailbox?
They're like, Hi, what is the length of the mailbox slot, what is the height, and what depth? I'm like <click> and I don't even answer calls anymore.
Seriously, I just drop first ask questions later.
Others have helped you with specific firewall rules. I am going to approach your question from a different viewpoint.
First, on becoming 'bullet proof'. You can't and won't. There is a rule of thumb that has yet to be proven wrong: any security system designed by man can be defeated by man. You ignore this at your peril. Security is more a frame of mind than a tool such as a firewall. The firewall is necessary, but is only a tool. Ignoring the rest of a 'security system' can and will be fatal at some point. Saying you want to be 'bullet proof' implies you expect to have a firewall that meets all threats and you no longer have to worry about them. I may have missed something, but I saw no provision for logging. Of course if you are 'bullet proof' I suppose you have no need for logs or to check them to see what is happening, but then how will you know if it has failed at some point or if a new threat has emerged? What is the nature of the threat(s) you are guarding against? What is the source? Personal defense on the battle field changed a bit when firearms started replacing the long bow. Those that missed this fact did not last long. Look at the casualty rates in the American Civil War (AKA the war of northern aggression). Look specifically at Picket's charge at Gettysburg. That question was alluded to in the question about why you are filtering output? Filtering is not necessarily wrong, but is it necessary and does it accomplish anything worthwhile? How much overall performance are you willing to trade for firewall performance? Every rule requires time to process. That time is then not available for doing your actual work. At what point is that a problem? Have you considered port knocking as a security measure in some instances? Could physical security be a problem? Are you doing anything that would bring sophisticated attacks your way like the van sitting outside your location? They do exist, you know. Another factor is the time aspect. A military plan to start an attack at dawn probably needs a different level of security than the national nuclear launch codes. Lets face it, at dawn the enemy will know he is being attacked at dawn so guarding the information may no be longer necessary. Use of comments would also be helpful to those reviewing your firewall as well as to you at a later time (a week from now) when you review it yourself.
The most secure system I know of is a computer that is not connected to the outside world in any way, is in a windowless, doorless room encased in a grounded copper mesh (faraday cage, I believe), powered by a generator that is not connected to the power grid in anyway. etc., etc. I realize there is a problem with this system but it will certainly be secure until somone comes along with a sledge hammer or a stick of dynamite.
The full exercise I refer to may be a pain to do but to ignore it completely is dangerous and makes your firewall efforts of much lesser value.
So then it's more like sewage company calling every couple of minutes, asking about the pipe diameter?
Quote:
Originally Posted by brebs
If there's an MTU mismatch, then it will probably cause intermittently unreliable communication.
I've seen fragmentation, and there wouldn't be a MTU mismatch, if there was a sane default. Sometimes also called a standard MTU of 1500 for ethernet.
What I've also seen is icmp abuse, and generated icmp packets that are spoofed. Otherwise I wouldn't have dropped the entire protocol.
The problem is, the MTU on one side can easily be reduced, e.g. ADSL uses 8 bytes (the ADSL router itself might be altering packets, to work around this problem).
The problem is, the MTU on one side can easily be reduced, e.g. ADSL uses 8 bytes (the ADSL router itself might be altering packets, to work around this problem).
What I understand from your article is when NEW connection is made, certain routing/switching gear may retain the last used MTU value, in the attempt to offload fragmentation to client, rather than reset the MTU value, is that correct?
I get that some gear opens a way for client to set a value of 1 (for example) and it's retained until icmp response, so if another client on the same route does not icmp respond then it's stuck with MTU of 1.
If the gear is smart enough to dynamically adjust MTU according to client spec but not smart enough to clamp MTU to standard value for NEW connections before inquiring about the client-side value, it's a gear/firmware problem.
Expecting every client to open an icmp floodgate in order to work around arbitrary switch limitations, that's just wishful thinking, it'll never work in practice.
And since you've mentioned it, DSL's not reliable by default, with or without PMTU, for example dynamic address picked from the pool may have been previously used by a compromised machine, and is being hit constantly.
If some of your neighbours on the same dslam are infected with windows malware and you get assigned their link after 24H reset, you too will get telnet/vpn/ssh attempts, floods, and hits on 8080 without actually requesting any of them.
sport is the port on the source the packet is coming from. dport is the port on the destination the packet is going to.
From 'man iptables-extensions':
tcp
These extensions can be used if `--protocol tcp' is specified. It provides the following options:
[!] --source-port,--sport port[ort]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format first:last. If the
first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. The flag --sport is a convenient alias for this option.
[!] --destination-port,--dport port[ort]
Destination port or port range specification. The flag --dport is a convenient alias for this option.
Nope. You're misunderstanding and/or missing the point so much, that I don't know where to begin. There's countless articles on PMTU Discovery on the Internet. And also e.g. rate-limiting using iptables, rather than "opening the floodgates".
Nope. You're misunderstanding and/or missing the point so much, that I don't know where to begin. There's countless articles on PMTU Discovery on the Internet. And also e.g. rate-limiting using iptables, rather than "opening the floodgates".
So now it's my duty and responsibility to accept and rate limit unsolicited icmp packets, rather than drop them like I have been doing for years?
Apparently, your point is that vendors who want to save CPU cycles on their gear, should be able to offload fragmentation process to my gear.
Forget about it man, it's not going to happen on my LAN. Maybe you think it should, but it won't.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.