SuzieC n00b
Joined: 19 Aug 2004 Posts: 8
Posted: Thu Aug 19, 2004 12:44 pm Post subject: A really simple firewall. Is it safe?
Hi,
I just installed Gentoo for the first time, and thanks to the incredible documentation it was much easier than I'd expected and everything went smoothly. That is, up to the point where I wanted to set up a firewall.
This is just a desktop machine, no web server, no mail server, no LAN, no one but me has an account on it, but I want to be able to ssh in and I've got broadband, so in the end this is what I did (after emerging iptables etc):
iptables -A INPUT --protocol icmp -j ACCEPT
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -j DROP
---
and that was it.
So now I can ssh to or ping my machine, and everything else is blocked.
But, to figure out how to do this, I had to read through loads of stuff about setting up firewalls with NAT, masquerading, DHCP and whatever, with lots of info for using Apache, mail servers, public ftp servers and probably other things too, with FORWARD and OUTPUT chains which as far as I can see are completely irrelevant to a network consisting of one computer with one user, and which all looked so much more complicated than I need that I would never have bothered to set up a firewall myself (and learned something in the process) if kmyfirewall had worked (which is another story...)
So my questions are:
Is the incredibly simple firewall I set up with 3 commands safe to use? Or is there some reason why I should be afraid to leave my computer connected to the 'net? (assuming I have a sensible password and don't allow ssh root login)
And shouldn't there be instructions on how to set up a very basic firewall like this in the gentoo docs somewhere, so newbies don't think that setting up a firewall is too complicated and give up?
_________________
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.
spudicus Apprentice
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Thu Aug 19, 2004 1:16 pm
Personally, I prefer to set the chains to block by default (and I'm more restrictive on what ICMP I allow but that's OT). Also, I allow my loopback device uninhibited access e.g.
Code:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT #Good netiquette suggests this should also be drop
iptables -P FORWARD DROP
iptables -F #Flush all rules
iptables -X #Delete any chains
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Logging is a good idea, as is utilising some of the switches available in /proc/sys/net/
SuzieC n00b
Joined: 19 Aug 2004 Posts: 8
Posted: Thu Aug 19, 2004 1:54 pm
Correction, the 3rd line of code in my post should have been
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
(I missed out the "-i eth0")
so that the loopback device has uninhibited access like spudicus says (since the default is ACCEPT).
_________________
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.
dannycool Tux's lil' helper
Joined: 13 Aug 2004 Posts: 111 Location: Karlsruhe Germany
Posted: Thu Aug 19, 2004 2:04 pm
It should protect you from everything coming from the internet, but not against malicious software you run. Also, there's been some ssh scanning going on for about a month, and people are suggesting to not run sshd on port 22 if you don't explicitly require it on port 22. A good alternative to 22 is 443, because most http proxies will allow CONNECT to port 443 since they aren't supposed to decrypt https traffic. Also, you could consider only allowing your user account ssh access (AllowUsers directive in sshd_config) so that if some setup script decides to install extra accounts with a well-known default password, they can't be used to log in over ssh.
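As an added example for this thread (constructed for this page, not any poster's own script): the single-host policy SuzieC and spudicus describe, written as one iptables-restore table so a reload swaps the whole chain in one step instead of leaving INPUT empty between -F and the first -A, with the logging rule spudicus recommends and the ssh port as a parameter so dannycool's port change is a one-word edit. It assumes eth0 as the outside interface and port 22 as defaults.

```shell
#!/bin/sh
# Constructed example for this thread (not any poster's script). It emits the
# filter table in iptables-restore format, so a reload replaces all rules in one
# step instead of leaving an empty INPUT chain between -F and the first -A.
# Assumptions: outside interface eth0 and sshd on port 22, both overridable.

ruleset() {
    wan_if="${1:-eth0}"      # assumed interface name
    ssh_port="${2:-22}"      # assumed sshd port; pass 443 to follow the port-move advice
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted unconditionally
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus RELATED traffic such as ICMP errors
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify never reach an ACCEPT rule
-A INPUT -m state --state INVALID -j DROP
# answer pings, but rate-limited
-A INPUT -i ${wan_if} -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# the single exposed service; only NEW (SYN) packets need this rule
-A INPUT -i ${wan_if} -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
# log what the DROP policy is about to discard, throttled so a scan cannot flood syslog
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Structural checks a caller can run before loading: default-deny on INPUT and
# FORWARD, loopback accepted first, and exactly one TCP port opened.
check_ruleset() {
    rs="$(ruleset "$@")"
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rs" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rs" | grep '^-A INPUT' | head -n 1 | grep -q -- '-i lo -j ACCEPT' || return 1
    [ "$(printf '%s\n' "$rs" | grep -c -- '-p tcp --dport')" -eq 1 ] || return 1
}

# Load atomically when root; otherwise print the table for review.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ]; then
        ruleset "$@" | iptables-restore
    else
        ruleset "$@"
    fi
}
```

Run `apply_ruleset ppp0 443` as root to load it for a different interface and port; as a normal user it just prints the table so it can be reviewed first.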
pjp Administrator
Joined: 16 Apr 2002 Posts: 20589
Posted: Thu Aug 19, 2004 2:11 pm
Moved from Documentation, Tips & Tricks.
_________________
Quis separabit? Quo animo?