On 10/13/2013 04:07 PM, Martin Vaeth wrote:
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
> 
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.

Sure, but do the rules change? Is there a better ruleset that
accomplishes the same thing with fewer (or universal) rules? How many
rules do you have at the location requiring the most rules?

Most laptops should be OK with the following:

  # Default policies: drop unsolicited inbound and forwarded traffic,
  # allow everything outbound.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # Loopback is always trusted.
  iptables -A INPUT -p ALL -i lo -j ACCEPT
  # Stateful inspection: accept replies to connections we initiated,
  # drop packets conntrack cannot classify.
  iptables -A INPUT -p ALL -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
    --ctstate INVALID -j DROP

  # ICMP types needed for a working host: echo reply (0), destination
  # unreachable (3), source quench (4), echo request (8), time exceeded
  # (11), parameter problem (12).
  ALLOWED_ICMP="0 3 4 8 11 12"
  for icmp_type in $ALLOWED_ICMP; do
    iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
  done

And creative setups should only require a few more rules. This all takes
under (1/10) of a second on my laptop.


> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...

Port knocking is cute, but imparts no extra security. A better, secure
way to achieve the same goal is with OpenVPN. And that doesn't require
you to play games with your firewall.

If you use your laptop at hotels, universities, and conferences, you'll
have a much happier time connecting to OpenVPN on tcp/443 (which nobody
can block) than you will trying to connect directly.


>> Race conditions don't really seem that serious to me.
> 
> Maybe, but I am not sure:
> There might be situations where it might be possible to keep
> a port open even when the rule is rewritten later on; then
> you need an open system only once...
> So, I could imagine that with some clever hacks an attacker
> might keep ports open and then do another attack later on.
> I am not an experienced hacker to know such attacks, but I
> know that races can be very subtle and provide attack vectors
> nobody has ever thought of.

In this case, the absolute worst that could happen is that an attacker
gains access to every open port on your system. While this is bad, it's
not a clever new vulnerability: it's all of the old ones that were
already there.

If there are insecure daemons listening on public addresses, you should
fix them instead of worrying about race conditions on the firewall.
Otherwise, every machine on your LAN becomes an attack vector, and
that's a much greater risk especially if your coworkers/friends use
Windows. And if we're still talking about laptops, the "LAN" is usually
"anybody nearby."
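The ruleset above describes a handful of invariants a laptop firewall should satisfy regardless of where the machine is plugged in: INPUT and FORWARD default to DROP, loopback is accepted, conntrack admits ESTABLISHED/RELATED and drops INVALID, and anything else accepting new connections is a deliberate exception. The following Python script is an added example, not part of this thread or anyone's posted configuration; it parses an `iptables-save` style dump and reports where a ruleset departs from that baseline. The dump it runs on is a constructed sample, and the helper names (`parse_filter_table`, `audit`) are this example's own.

```python
"""Audit an iptables-save dump against the stateful laptop baseline.

Added example: parses the filter table from iptables-save output and
reports deviations from the minimal stateful ruleset (DROP policies,
loopback accept, conntrack ESTABLISHED/RELATED accept, INVALID drop),
plus any rule that opens a port to new connections.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in iptables-save format; not captured from a real host.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class FilterTable:
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: dict = field(default_factory=dict)     # chain -> ordered rule lines


def parse_filter_table(dump: str) -> FilterTable:
    """Extract chain policies and -A rules from the *filter section only."""
    table = FilterTable()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter, *nat
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            table.policies[chain] = policy
            table.rules.setdefault(chain, [])
        elif line.startswith("-A "):        # "-A CHAIN <match> -j TARGET"
            chain = line.split()[1]
            table.rules.setdefault(chain, []).append(line)
    return table


def audit(table: FilterTable) -> list:
    """Return a list of human-readable findings; empty means baseline met."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        policy = table.policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain} policy is {policy}, expected DROP")
    inp = table.rules.get("INPUT", [])
    if not any("-i lo " in r and r.endswith("-j ACCEPT") for r in inp):
        findings.append("no loopback accept rule in INPUT")
    if not any("--ctstate" in r and "ESTABLISHED" in r and r.endswith("-j ACCEPT")
               for r in inp):
        findings.append("no conntrack ESTABLISHED,RELATED accept rule in INPUT")
    if not any("--ctstate INVALID" in r and r.endswith("-j DROP") for r in inp):
        findings.append("no conntrack INVALID drop rule in INPUT")
    # Every rule that accepts new connections on a port is a listening
    # daemon exposed to whatever network the laptop is on; list each one.
    for idx, rule in enumerate(inp, start=1):
        match = re.search(r"--dport (\S+)", rule)
        if match and rule.endswith("-j ACCEPT"):
            findings.append(
                f"INPUT rule {idx} accepts new connections on port "
                f"{match.group(1)}; confirm this daemon must be public")
    return findings


def audit_dump(dump: str) -> list:
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_filter_table(dump))


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP) or ["baseline satisfied"]:
        print(finding)
```

On a real host the dump comes from `iptables-save` (root required); pipe it into `audit_dump` in place of the constructed sample. The only finding on the sample is the tcp/22 rule, which is exactly the kind of exception the script is meant to surface: a port open to "anybody nearby" rather than a firewall defect.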

