The LEAF version I'm using is a Dachstein floppy v1.0.2.
In an effort to make my firewall more secure, and to learn more, I have been
scouring the Internet for ideas. As a result, I have a few questions regarding
the rules setup in ipfilter.conf.
1) Instead of accepting all TCP packets to the high ports per
# Accept all incoming TCP packets to the External interface on non-privileged
# ports
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
wouldn't it be better to only accept TCP packets that don't have the SYN bit
set by using the ! -y option? As in
$IPCH -A input -j ACCEPT ! -y -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
2) In the two statements, from ipfilter.conf,
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
and
$IPCH -A input -j ACCEPT -p udp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
what is the definition of $EX_IP? I have searched both network.conf and
ipfilter.conf and have not found any definition. It would seem that $EX_IP
should be $EXTERN_IP. Then only packets intended for the firewall (and the
LAN) would be accepted. As the statement is currently written in
ipfilter.conf, it translates to the following rule
ACCEPT tcp ------ eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
ACCEPT udp ------ eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
from which the firewall accepts all packets. Instead of
ACCEPT tcp ------ eth0 0.0.0.0/0 66.235.19.223 * -> 1024:65535
ACCEPT udp ------ eth0 0.0.0.0/0 66.235.19.223 * -> 1024:65535
which would only allow tcp/udp packets bound for 66.235.19.223 (the firewall's
external IP address).
3) If you implement the two changes above, you could just change the last
catch-all rule for the input chain to REJECT (or DENY), as the packets you
wanted were already accepted above.
4) Is it better to use Reject instead of Deny? According to one web site,
http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject.html,
Reject will send an ICMP error, per RFC1122, which is better as it will not
slow down applications of legitimate users. For hackers it really doesn't
matter if it is Deny (Drop) or Reject. Are there any opposing opinions?
Thank you all for your time and I hope I made some sense.
John Wittenberg
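The three changes asked about above (non-SYN TCP only, an explicit destination address, and a REJECT catch-all), put together as an added dry-run script that is not from the original post or from the LEAF/Dachstein ipfilter.conf. It runs $IPCH as "echo ipchains" so the rules can be inspected without touching the kernel, and the EXTERN_IP/EXTERN_IF values are constructed placeholders. The require_var check is there because an undefined variable such as $EX_IP expands to nothing and silently widens the match instead of failing.

```shell
#!/bin/sh
# Added example, not the project's own ipfilter.conf: build the hardened
# input rules with a dry-run $IPCH so the generated commands can be reviewed.
EXTERN_IF=eth0                # constructed placeholder interface
EXTERN_IP=192.0.2.10          # constructed placeholder external address
IPCH="echo ipchains"          # dry run: print the commands instead of running them

# Fail loudly if a variable the rules depend on is unset or empty. An
# undefined $EX_IP would otherwise drop the "-d" address from the rule.
require_var() {
    eval "val=\${$1:-}"
    [ -n "$val" ] || { echo "error: $1 is not set" >&2; return 1; }
}

# Emit the input rules discussed above: TCP to high ports only when the SYN
# bit is clear (! -y), bound for this firewall's external address, UDP to
# high ports for the same address, then an explicit REJECT catch-all.
build_input_rules() {
    require_var EXTERN_IF && require_var EXTERN_IP || return 1
    $IPCH -A input -j ACCEPT -p tcp ! -y -s 0/0 -d "$EXTERN_IP" 1024:65535 -i "$EXTERN_IF"
    $IPCH -A input -j ACCEPT -p udp -s 0/0 -d "$EXTERN_IP" 1024:65535 -i "$EXTERN_IF"
    $IPCH -A input -j REJECT -i "$EXTERN_IF"
}

build_input_rules
```

Replace IPCH with the real ipchains path only after checking the printed rules.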
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html