Gentoo Forums
A really simple firewall. Is it safe?

Gentoo Forums Forum Index > Networking & Security

Joined: 19 Aug 2004
Posts: 8

Posted: Thu Aug 19, 2004 12:44 pm    Post subject: A really simple firewall. Is it safe?


I just installed Gentoo for the first time, and thanks to the incredible documentation it was much easier than I'd expected and everything went smoothly. That is, up to the point where I wanted to set up a firewall.

This is just a desktop machine, no web server, no mail server, no LAN, no one but me has an account on it, but I want to be able to ssh in and I've got broadband, so in the end this is what I did (after emerging iptables etc):

iptables -A INPUT --protocol icmp -j ACCEPT
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -j DROP


and that was it.

So now I can ssh to or ping my machine, and everything else is blocked.

But, to figure out how to do this, I had to read through loads of stuff about setting up firewalls with NAT, masquerading, DHCP and whatever, with lots of info for using Apache, mail servers, public ftp servers and probably other things too, with FORWARD and OUTPUT chains which as far as I can see are completely irrelevant to a network consisting of one computer with one user, and which all looked so much more complicated than I need that I would never have bothered to set up a firewall myself (and learned something in the process) if kmyfirewall had worked (which is another story...)

So my questions are:

Is the incredibly simple firewall I set up with 3 commands safe to use? Or is there some reason why I should be afraid to leave my computer connected to the 'net? (assuming I have a sensible password and don't allow ssh root login)

And shouldn't there be instructions on how to set up a very basic firewall like this in the gentoo docs somewhere, so newbies don't think that setting up a firewall is too complicated and give up?
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.

Joined: 05 Dec 2002
Posts: 177
Location: Geraldton, Australia

Posted: Thu Aug 19, 2004 1:16 pm

Personally, I prefer to set the chains to block by default (and I'm more restrictive on what ICMP I allow but that's OT). Also, I allow my loopback device uninhibited access e.g.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT  #Good netiquette suggests this should also be drop
iptables -P FORWARD DROP

iptables -F  #Flush all rules
iptables -X  #Delete any chains

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Logging is a good idea, as is utilising some of the switches available in /proc/sys/net/.

Joined: 19 Aug 2004
Posts: 8

Posted: Thu Aug 19, 2004 1:54 pm

Correction: the 3rd line of code in my post should have been

iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
(I missed out the "-i eth0")

so that the loopback device has uninhibited access like spudicus says (since the default is ACCEPT).
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.
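To make the difference between the two rule sets in this thread concrete, here is an added example that is not part of any post: a small Python model of first-match evaluation on the INPUT chain, run over constructed packets. The Packet/Rule/verdict/compare names, the sample packets and the ppp0 interface are all made up for illustration; the rules themselves mirror the ones posted above, including the loopback correction.

```python
# Added example (not from the thread): a first-match model of the iptables INPUT chain,
# modelling only the matches used above (-i, -p, --dport, -m state). The first matching
# rule decides; if none matches, the chain's default policy (-P) applies.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# A packet as netfilter sees it: interface, protocol, destination port, conntrack state.
Packet = namedtuple("Packet", "iface proto dport state")

@dataclass(frozen=True)
class Rule:
    target: str                         # -j ACCEPT / -j DROP
    iface: Optional[str] = None         # -i
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    states: Optional[frozenset] = None  # -m state --state A,B
    def matches(self, pkt) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))

def verdict(rules, policy, pkt):  # walk the chain top to bottom, else default policy
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

NEW_INVALID = frozenset({"NEW", "INVALID"})
# Opening post as first written (policy ACCEPT), then the corrected version with -i eth0.
OP_RULES = [Rule("ACCEPT", proto="icmp"), Rule("ACCEPT", proto="tcp", dport=22),
            Rule("DROP", states=NEW_INVALID)]
OP_FIXED = OP_RULES[:2] + [Rule("DROP", iface="eth0", states=NEW_INVALID)]
SPUD_RULES = [  # spudicus's ruleset (policy DROP)
    Rule("ACCEPT", iface="lo"), Rule("ACCEPT", iface="eth0", proto="icmp"),
    Rule("ACCEPT", iface="eth0", proto="tcp", dport=22),
    Rule("ACCEPT", iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"}))]
PACKETS = {  # constructed sample packets, not captured traffic
    "ssh_new": Packet("eth0", "tcp", 22, "NEW"),
    "http_new": Packet("eth0", "tcp", 80, "NEW"),
    "dns_reply": Packet("eth0", "udp", 40000, "ESTABLISHED"),
    "lo_new": Packet("lo", "tcp", 6000, "NEW"),    # local client talking to a local daemon
    "ppp0_new": Packet("ppp0", "tcp", 80, "NEW"),  # an interface neither ruleset names
}
def compare(pkt):  # verdicts as (original OP rules, corrected OP rules, spudicus's rules)
    return (verdict(OP_RULES, "ACCEPT", pkt), verdict(OP_FIXED, "ACCEPT", pkt),
            verdict(SPUD_RULES, "DROP", pkt))

for name, pkt in PACKETS.items():
    print(f"{name:10}", *compare(pkt))
```

The lo_new row reproduces the loopback problem the correction fixes, and the ppp0_new row shows the cost of that fix: with a default policy of ACCEPT, a DROP rule limited to -i eth0 lets NEW connections on any other interface fall through, whereas spudicus's default-DROP chain only ever passes what is explicitly allowed. Passing an empty rule list to verdict() models what is left after iptables -F: the ACCEPT-policy chain is wide open, the DROP-policy chain is closed.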
Tux's lil' helper

Joined: 13 Aug 2004
Posts: 111
Location: Karlsruhe Germany

Posted: Thu Aug 19, 2004 2:04 pm

It should protect you from everything coming from the internet, but not against malicious software you run. Also, there's been some ssh scanning going on for about a month, and people are suggesting to not run sshd on port 22 if you don't explicitly require it on port 22. A good alternative to 22 is 443, because most http proxies will allow CONNECT to port 443 since they aren't supposed to decrypt https traffic :) Also, you could consider only allowing your user account ssh access (AllowUsers directive in sshd_config) so that if some setup script decides to install extra accounts with a well-known default password, they can't be used to log in over ssh.

Joined: 16 Apr 2002
Posts: 20589

Posted: Thu Aug 19, 2004 2:11 pm

Moved from Documentation, Tips & Tricks.
Quis separabit? Quo animo?