On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4u...@gmail.com> wrote: > Marco wrote: >> Hi all, >> >> I set up my first firewall on my notebook (not running any services >> reachable from outside) using iptables. Since I am new to the topic, >> could you please verify if the output of 'iptables -L -v' is >> considered to be a safe firewall? Thanks! >> >> Chain INPUT (policy DROP 0 packets, 0 bytes) >> pkts bytes target prot opt in out source >> destination >> 0 0 ACCEPT all -- lo any anywhere >> anywhere >> 0 0 ACCEPT all -- eth0 any anywhere >> anywhere state RELATED,ESTABLISHED >> 0 0 REJECT tcp -- eth0 any anywhere >> anywhere reject-with tcp-reset >> 0 0 REJECT udp -- eth0 any anywhere >> anywhere reject-with icmp-port-unreachable >> 0 0 DROP udp -- eth0 any anywhere >> anywhere udp spt:bootps >> 0 0 LOG all -- eth0 any anywhere >> anywhere LOG level warning prefix `INPUT ' >> 1 79 ACCEPT all -- wlan0 any anywhere >> anywhere state RELATED,ESTABLISHED >> 0 0 REJECT tcp -- wlan0 any anywhere >> anywhere reject-with tcp-reset >> 0 0 REJECT udp -- wlan0 any anywhere >> anywhere reject-with icmp-port-unreachable >> 0 0 DROP udp -- wlan0 any anywhere >> anywhere udp spt:bootps >> 0 0 LOG all -- wlan0 any anywhere >> anywhere LOG level warning prefix `INPUT ' >> >> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) >> pkts bytes target prot opt in out source >> destination >> 0 0 LOG all -- any any anywhere >> anywhere LOG level warning prefix `FORWARD ' >> 0 0 LOG all -- any any anywhere >> anywhere LOG level warning prefix `FORWARD ' >> >> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) >> pkts bytes target prot opt in out source >> destination >> 0 0 ACCEPT all -- any lo anywhere >> anywhere >> 0 0 LOG all -- any eth0 anywhere >> anywhere LOG level warning prefix `OUTPUT ' >> 1 52 LOG all -- any wlan0 anywhere >> anywhere LOG level warning prefix `OUTPUT ' >> >> > It all depends on what you're trying to do. My internet facing boxes > have a default OUTPUT policy of DROP and I only allow certain traffic > off of the box (helps protect me from unauthorized services). Also, > you're dropping bootps (same ports as dhcp) on udp so I don't think you > can get a dhcp address like that. If you're running any services you > won't be able to talk to them (ssh). Turn off forwarding in the kernel > config (via /etc/sysctl.conf) as well.
I am dropping bootps to not have my log file flooding due to the DHCP server in my wireless router (as suggested in www.novell.com/coolsolutions/feature/18139.html). As it seems I still get a dynamic ip from it. So far, I am not running any services that have to be exposed to the outside. > It also took me a few runs to figure out the firewall config (due to the > rules and formatting). The last two output rules can be combined into > one. Have 1 log line at the bottom of your tables and that will take > care of that. Clean and short configs will help immensely when things > don't work. Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks... Talking about the 1 log line at the bottom you mean I should configure it to not specify an interface (eth0, wlan0)? Thanks!
