UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Thu Oct 09, 2003 1:30 pm Post subject: Gentoo firewall from the security docs
I've decided to use the firewall script supplied in the Gentoo security docs as it seems to do the job. I've made a few alterations to it for ease of use - basically this is for my laptop for use at work and home.
I've allowed by default anything to go out so I don't have to mess around with anything too much. This allows my various net proggies to work.
As I'm not allowing anything in except ssh from specific IPs this should be safe - yes? Also, the laptop is behind a decent firewall at work and a crappy firewall on my ADSL router at home, so it shouldn't be too bad.
Comments?
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Oct 09, 2003 2:28 pm Post subject:
So why a firewall at all?
Honestly, at work it is the job of the firewall admins to secure the network, so you should not need one on your laptop.
At home (if your ADSL router does NAT) it is not needed either; it's enough to configure your SSH correctly.
The only thing you need is to restrict the IPs which are allowed to connect to your SSH - if your router can't do this (most probably not).
On the other hand... only the paranoid survive
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
ronmon Veteran
Joined: 15 Apr 2002 Posts: 1043 Location: Key West, FL
Posted: Thu Oct 09, 2003 2:51 pm Post subject:
The firewall at work might help prevent attack from external sources, but probably not from other users of the company intranet. As long as your firewall rules don't prevent you from accessing what you need, it's a good idea and certainly can't hurt.
NAT is not a security measure, but through obfuscation it makes it a bit more complicated for a potential cracker to find you. Again, the local firewall is your last line of defense and can only help.
Through the millennia it has been proven that whether protecting a city, an airbase, an embassy or a computer, a layered defense is the most effective plan.
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Thu Oct 09, 2003 3:03 pm Post subject:
Think4UrS11 wrote:
So why a firewall at all?
Healthy paranoia
Don't trust a few computers @ work, and as the other guy said, the local fw is the last line of defence.
Say the laptop had a direct feed to the internet, only ssh would be accessible externally? Excellent
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Oct 09, 2003 3:21 pm Post subject:
we are on line - paranoia is why I'm still alive
of course you are right with layered security, but...
it makes no real difference (aside from the restrictions for some IPs) between having only SSH or iptables+SSH with an ssh-rule for iptables
The packets will come to sshd in both cases, right?
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Thu Oct 09, 2003 3:25 pm Post subject:
On another note, would the same configuration be relatively safe for a Server with a direct internet feed also doing NAT for local clients?
My home network runs a whole load of games over various ports and stuff.
I like the smoothwall config actually. I administer the one at work.
How would I go about allowing only ports > 1024 through by default and then specifying others? Like http/https etc etc.
Thanks
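As an added example (not the Gentoo docs' script and not posted by anyone in this thread), here is an iptables ruleset for the laptop policy described in the first post: everything out is allowed, nothing in except SSH from a list of trusted addresses. The addresses, the `--apply` flag and the script itself are constructed for illustration; the comments also show why stateful matching removes the need to open ports above 1024 by default.

```shell
#!/bin/sh
# Laptop firewall for the policy discussed in this thread: everything out is
# allowed, nothing in except SSH from a short list of trusted addresses.
# Constructed example, not the Gentoo docs' script. The addresses are
# placeholders from the RFC 5737 documentation ranges.
SSH_ALLOWED="${SSH_ALLOWED:-192.0.2.10 198.51.100.0/24}"

# $1 is the command each rule is passed to: "iptables" to load them,
# "echo" to print them without touching the kernel.
apply_rules() {
    ipt="${1:-echo}"

    $ipt -F INPUT
    $ipt -F FORWARD
    # Default policies: drop inbound and routed traffic, allow all outbound.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Local programs talk to each other over loopback.
    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. This is why "allow ports > 1024"
    # is not needed: return traffic to ephemeral ports is accepted because the
    # state module knows the connection is ours, without opening a port range.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SSH connections, only from the listed sources.
    for src in $SSH_ALLOWED; do
        $ipt -A INPUT -p tcp -s "$src" --dport 22 -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of what falls through to the DROP policy, so a blocked
    # service shows up in the kernel log instead of silently hanging.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Sanity check: how many rules accept NEW inbound connections? Only the SSH
# sources should, so the answer must equal the number of entries above.
count_new_accepts() {
    apply_rules echo | grep -c -- '--state NEW -j ACCEPT'
}

# Print the rules by default; load them only when asked explicitly as root.
if [ "${1:-}" = "--apply" ]; then
    apply_rules iptables
else
    apply_rules echo
fi
```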
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Oct 09, 2003 3:38 pm Post subject:
you would always have the risk that your server is open to the internet
this may be due to misconfiguration, laziness, various errors, server overload, ...
in general it is a 100%-NONO to combine server+firewall on one machine!
It's a matter of costs of course, so many do it that (cheaper/more insecure) way. And to be honest... the setup over here will be the same as soon as the hardware for the new 'firewall_nat_router-vpn_gateway-wlan_ap-file/print_server'-box is here.