On Fri, Apr 24, 2009 at 5:00 PM, Chris Frederick <cdf...@cdf123.net> wrote: > Marco wrote:
[...] > Your firewall looks good, but I would change a few things. > > First off, change your FORWARD chain to DROP. Unless you are doing > routing on your laptop, there's no reason to have it. My thought here was to be able to perform some network maintanance task using wireshark. I ave forwarding disabled normally and I could just 'echo 1 > /proc/sys/net/ipv4/ip_forward' to have it enabled. Is there anything unsafe about this setup? > I would also get rid of the REJECT targets. It's better to DROP > instead. If someone is scanning the network, and you start sending icmp > rejections back, they will know you are there and may try other > techniques to break through your defenses, but if you DROP and send > nothing back, it will be much harder for them to see you at all. I was following http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml in section 'Handling rejection' of the article. I guess this is kind of a philosophical question here... > I would also re-write your INPUT chain to be a bit less verbose. > Something like this: > > Chain INPUT (policy DROP 0 packets, 0 bytes) > target prot opt in out source destination > ACCEPT all -- lo any anywhere anywhere > ACCEPT all -- any any anywhere anywhere state > RELATED,ESTABLISHED > LOG all -- any any anywhere anywhere LOG level warning > prefix `INPUT ' So basically not distinguishing between the external interfaces (eth0, wlan0)? > Everything else looks good from a security standpoint. From a > performance standpoint, you might want to add a line to the beginning of > your output chain like this: > > Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) > target prot opt in out source destination > ACCEPT all -- any lo anywhere anywhere > ACCEPT all -- any any anywhere anywhere state > RELATED,ESTABLISHED > LOG all -- any any anywhere anywhere LOG level warning > prefix `OUTPUT ' > > This will log only NEW packets. Otherwise you could end up with a lot > of log output. That makes sense! > After you run this for a while, go back and look through your logs and > see if you have enough data there to change your OUTPUT chain to DROP, > and only allow packets through to ports you actually use. That's only > if you're really paranoid though. Kind of paranoid, yes ;-) [...] Thanks for the tips! -- Regards, Marco
