On Wed, 25 Apr 2001, Karl J. Runge wrote:
> I've been trying to come up with a short and simple to understand
> "educational" ipchains script that people would understand readily and
> nevertheless it would defend their home machine(s) pretty well (at least
> against these script-kiddie attacks).
I think this is a good idea.
However, I also think it is worth stressing that a firewall alone is an
incomplete defense. Many times, a user might want to have some service
running -- BIND's named, to pick a popular example -- which would have to be
let through the firewall, and which is also a popular target for attacks.
You need to keep your patches current, monitor your system, and apply general
knowledge to every situation to keep things secure.
A couple of comments on your sample script...
> 1 echo 1 > /proc/sys/net/ipv4/ip_always_defrag
Datagrams destined for the current host are always reassembled, and thus
always processed by the firewall code. The above statement has no effect
unless the current host is being used as a router -- that is, unless IP
forwarding is turned on. This is still a good rule to have, though, in case
forwarding *is* turned on.
> 3 ipchains -i ppp0 -A input -p UDP -l -d 0.0.0.0/0 0:1023 -j DENY
> 5 ipchains -i ppp0 -A input -p UDP -s 24.128.1.81 53 -j ACCEPT
> 7 ipchains -i ppp0 -A input -p UDP -l -j DENY
Why not just:
ipchains -i ppp0 -A input -p UDP -s $NS 53 --dport ! 0:1023 -j ACCEPT
ipchains -i ppp0 -A input -p UDP -l -j DENY
> Newer Linux boxes seem to have RPC services running on ports higher than
> 1023. Appears one needs to run "rpcinfo -p" to find the UDP ones > 1023.
Actually, this is "always" the case. RPC services supposedly bind to
arbitrary free ports; that is why you need the portmapper in the first place.
The fact that some implementations of some RPC service daemons use a fixed
port number cannot be trusted.
There is very little you can do to defend against a UDP packet spoofed to
look like it is coming from your name server. On 2.2, anyway.
> If you want to set your system clocks by NTP, lines similar to 5, 6
> can be added for time servers.
Beware! There are known nasty exploits in popular NTP service daemons.
One must observe the fourth commandment [1] of network security: "Keep thy
patches current."
Footnotes
---------
[1] No, I don't know what commandments one through three are. I just made
that up on the spot. ;-)
--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
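The following is an added illustration, not part of the mail above or of Karl's script: a small Python model of ipchains first-match evaluation that runs the quoted three-rule UDP block (lines 3, 5, 7) and the suggested two-rule replacement over the same constructed packets, and parses a constructed "rpcinfo -p" listing to find the UDP RPC ports above 1023 that a low-port DENY rule leaves uncovered. The name server address 24.128.1.81 is the one from the quoted script; the packets, the rpcinfo listing and the helper names are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added example: model of first-match evaluation for the two UDP ipchains
rule sets discussed in the mail. Not the original script; ipchains itself is
not invoked. Only UDP on ppp0 is modelled, so interface/protocol are implicit."""
from ipaddress import ip_address, ip_network

NS = "24.128.1.81"  # name server address from the quoted script


def rule(action, src=None, sport=None, dport=None, dport_negate=False, log=False):
    """One simplified ipchains rule. dport is an inclusive (lo, hi) range;
    dport_negate models the '--dport ! lo:hi' form. log models '-l'."""
    return dict(action=action, src=ip_network(src) if src else None,
                sport=sport, dport=dport, dport_negate=dport_negate, log=log)


def matches(r, pkt):
    """Does rule r match packet pkt (dict with src, sport, dport)?"""
    if r["src"] is not None and ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["sport"] is not None and pkt["sport"] != r["sport"]:
        return False
    if r["dport"] is not None:
        lo, hi = r["dport"]
        in_range = lo <= pkt["dport"] <= hi
        # plain range: match only if inside; negated range: match only if outside
        if in_range == r["dport_negate"]:
            return False
    return True


def evaluate(chain, pkt, default="ACCEPT"):
    """Walk the chain in order; the first matching rule decides (ipchains
    semantics). Returns (verdict, logged). Both chains end in a catch-all
    DENY, so the chain policy ('default') never decides a UDP packet here."""
    for r in chain:
        if matches(r, pkt):
            return r["action"], r["log"]
    return default, False


# Quoted script, lines 3, 5 and 7 (UDP rules only).
ORIGINAL = [
    rule("DENY", dport=(0, 1023), log=True),     # 3: log+deny to privileged ports
    rule("ACCEPT", src=NS + "/32", sport=53),    # 5: replies from the name server
    rule("DENY", log=True),                      # 7: log+deny everything else
]

# Suggested replacement from the reply.
PROPOSED = [
    rule("ACCEPT", src=NS + "/32", sport=53, dport=(0, 1023), dport_negate=True),
    rule("DENY", log=True),
]

# Constructed test packets (src, sport, dport), all UDP arriving on ppp0.
PACKETS = [
    {"src": NS, "sport": 53, "dport": 1025},           # normal DNS reply
    {"src": NS, "sport": 53, "dport": 53},             # NS:53 aimed at a privileged port
    {"src": "10.9.8.7", "sport": 53, "dport": 1025},   # 'DNS reply' from the wrong host
    {"src": NS, "sport": 111, "dport": 2049},          # NS, but not from port 53
]


def verdicts_agree(packets=PACKETS):
    """True if both chains give the same ACCEPT/DENY verdict for every packet."""
    return all(evaluate(ORIGINAL, p)[0] == evaluate(PROPOSED, p)[0] for p in packets)


# Constructed sample of `rpcinfo -p` output (not captured from a real host).
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100021    1   udp  32770  nlockmgr
"""


def high_udp_rpc_ports(text):
    """Parse rpcinfo -p output and return the UDP ports above 1023: the ones a
    '0:1023' DENY rule does not cover. Assumes the standard column layout."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "udp" and int(parts[3]) > 1023:
            ports.add(int(parts[3]))
    return sorted(ports)


def spoof_reaches(chain, ports):
    """Which high RPC ports would a packet forged as NS:53 reach under chain?
    Illustrates the mail's point: a source-address filter cannot stop this."""
    return [p for p in ports
            if evaluate(chain, {"src": NS, "sport": 53, "dport": p})[0] == "ACCEPT"]


if __name__ == "__main__":
    for p in PACKETS:
        print(p, "original:", evaluate(ORIGINAL, p), "proposed:", evaluate(PROPOSED, p))
    print("chains agree on all packets:", verdicts_agree())
    high = high_udp_rpc_ports(RPCINFO_SAMPLE)
    print("UDP RPC ports > 1023:", high)
    print("reachable by a packet forged as NS:53:", spoof_reaches(PROPOSED, high))
```

Running it shows the two chains giving identical verdicts for every constructed packet (the only difference is which rule logs the privileged-port case), and that the high RPC ports found by the rpcinfo parser are exactly the ones a forged NS:53 datagram would still reach under either chain, which is the limitation the reply describes for a 2.2 kernel.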