A really simple firewall. Is it safe?

[SuzieC]

Hi,

I just installed Gentoo for the first time, and thanks to the incredible documentation it was much easier than I'd expected and everything went smoothly. That is, up to the point where I wanted to set up a firewall.

This is just a desktop machine, no web server, no mail server, no LAN, noone but me has an account on it,but I want to be able to ssh in and I've got broadband, so in the end this is what I did: (after emerging iptables etc)

iptables -A INPUT --protocol icmp -j ACCEPT
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -j DROP

---

and that was it.

So now I can ssh to or ping my machine, and everything else is blocked.

But, to figure out how to do this, I had to read through loads of stuff about setting up firewalls with NAT, masquerading, DHCP and whatever, with lots of info for using Apache, mail servers, public ftp servers and probably other things too, with FORWARD and OUTPUT chains which as far as I can see are completely irrelevant to a network consisting of one computer with one user, and which all looked so much more comlicated than I need that I would never have bothered to set up a firewall myself (and learned something in the process) if kmyfirewall had worked (which is another story...)

So my questions are:

Is the incredibly simple firewall I set up with 3 commands safe to use? Or is there some reason why I should be afraid to leave my computer connected to the 'net? (assuming I hae a sensible password and don't allow ssh root login)

And shouldn't there be instructions on how to set up a very basic firewall like this in the gentoo docs somewhere, so newbies don't thiink that setting up a firewall is too complicated and give up?
_________________
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.

[spudicus]

Personally, I prefer to set the chains to block by default (and I'm more restrictive on what ICMP I allow but that's OT). Also, I allow my loopback device uninhibited access e.g.

[SuzieC]

correction, the 3rd line of code in my post should have been

iptables -A INPUT -i etho -m state --state NEW,INVALID -j DROP
(I missed out the "-i eth0")

so that loopback device has uninhibited access like spudicus says (since the default is ACCEPT).
_________________
Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life.

[dannycool]

It should protect you from everything coming from the internet, but not against malicious software you run. Also, there's been some ssh scanning going on for about a month, and people are suggesting to not run sshd on port 22 if you don't explicitly require it on port 22. A good alternative to 22 is 443, because most http proxies will allow CONNECT to port 443 since they aren't supposed to decrypt https traffic Also, you could consider only allowing your user account ssh access (AllowUsers directive in sshd_config) so that if some setup script decides to install extra accounts with a well-known default password, they can't be used to log in over ssh.

[pjp]

Moved from Documentation, Tips & Tricks.
_________________
Quis separabit? Quo animo?