Good question. No real easy answer to it. Lots of things involved. I would definitely say, "Do NOT allow just any traffic to go out!" Specify which machines will be allowed to host a web server. Block everything going out that you do not specifically let out. It would also make people use a proxy server to surf the web, not just go out.
Chris
Keeper of the digital flame.

-----Original Message-----
From: Ferry van Steen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 6:19 AM
To: [EMAIL PROTECTED]
Subject: How to get through iptables/NAT, reality and risk calculation

Hey there,

first of all, please don't get me wrong. I don't want to know how to crack a firewall, I just don't want to think I'm secure whilst I'm not.

The case is this: at several locations I've set up a Linux box for the internet traffic. These boxes are configured in such a way that they don't have any open ports (or at least, not on the internet side). This is accomplished by simply allowing all traffic from the local LAN but only accepting traffic from the internet that is part of an existing connection (with the iptables -m state --state ESTABLISHED,RELATED).

Now, to me, as a starting security engineer (security-guru-wannabe or whatever the phrase is), this looks uncrackable (unless people download and install trojans that connect to IRC and stuff, which is allowed (at least, according to the traffic rules :-))). What should I be aware of? Could people for instance get data into the network by hiking along on a connection somebody set up with a webserver (or any other service for that matter)? The people on these locations are allowed to do whatever they want; they can IRC, MSN, ICQ, HTTP, HTTPS, etc... Would it be possible that the Linux box gets hacked due to a TCP/IP stack bug?

I'm just sucking things out of my thumb here, so I hope they make sense. Every knowledgeable security engineer I ever spoke to says nothing is uncrackable, so I'm just trying to figure out the ways they still can get in so I can do things to prevent those and/or at least analyse the risk and have a knowledge of the possibilities, so I won't be utterly surprised somewhere in the future without a clue as to where to look and how to trace it back. I'm really sorry if this has been discussed before... The site is really slow at the moment.

In any case all info is welcomed (URLs, books, references, user stories, experiences... whatever). Btw, I'm subscribed to the list on another email address than this one. I am subscribed though. Replying to either this email ([EMAIL PROTECTED]) or the list would be fine.

Kind regards and TIA,
Ferry van Steen
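As an added example (not code from either message in this thread), here are the two rulesets side by side in iptables-restore(8) format: the "allow everything out, only replies back in" policy Ferry describes, and the default-deny egress policy Chris recommends, where only named hosts (a web proxy and a mail relay) may open new connections to the internet. Interface names, the LAN range, and the proxy, relay and resolver addresses are assumptions. The stateful ESTABLISHED,RELATED rule is kept in both; it is what keeps the internet side closed, but on its own it does nothing about a trojan on a workstation that opens the connection itself, which is exactly the gap the egress rules close. A small check function at the end greps a ruleset for the blanket LAN-to-WAN accept, which is the one line to look for when auditing a gateway's iptables-save output.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's configuration.
# All addresses and interface names below are assumptions.
LAN_IF=eth1                 # inside interface (assumed)
WAN_IF=eth0                 # internet-facing interface (assumed)
LAN_NET=192.168.1.0/24      # internal range (assumed)
PROXY=192.168.1.10          # web proxy (e.g. squid) allowed out on 80/443 (assumed)
MAIL=192.168.1.11           # mail relay allowed out on 25 (assumed)
RESOLVER=203.0.113.53       # upstream DNS server (assumed, documentation range)

# Ruleset 1: what the original post describes.  Anything from the LAN is
# forwarded out; from the internet only packets belonging to an existing
# (or helper-tracked "related", e.g. FTP data) connection are let back in.
# Older kernels use "-m state --state"; current ones spell it
# "-m conntrack --ctstate" with the same semantics.
permissive_rules() {
  cat <<EOF
*nat
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Ruleset 2: Chris's recommendation.  FORWARD is default-deny in both
# directions; only enumerated hosts may open NEW connections, and only to
# the ports their role needs.  Everything else that tries to leave is logged
# (rate-limited) and dropped by the chain policy.  Workstations reach the web
# only through the proxy, so a trojan on a desktop has no direct path out.
# (The relay would also need TCP 53 for large DNS answers; omitted here.)
egress_filtered_rules() {
  cat <<EOF
*nat
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY -p udp --dport 53 -d $RESOLVER -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $MAIL -p udp --dport 53 -d $RESOLVER -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENIED: "
COMMIT
EOF
}

# Audit helper: reads a ruleset (e.g. `iptables-save` output) on stdin and
# succeeds if it contains an unconditional LAN-to-WAN accept in FORWARD,
# i.e. the line that makes "block everything you do not specifically let out"
# false.  Exit 0 = blanket egress present, exit 1 = not found.
has_blanket_egress() {
  grep -q "^-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT\$"
}
```

To use it on a gateway: `. ./egress.sh; egress_filtered_rules > /etc/iptables.rules; iptables-restore < /etc/iptables.rules`, with `sysctl -w net.ipv4.ip_forward=1` so the box forwards at all. To audit an existing box, `iptables-save | has_blanket_egress && echo "blanket egress allowed"`. The LOG rule is the piece that answers Ferry's "where to look": the first sign of a trojan phoning home under this policy is an EGRESS-DENIED line in the kernel log naming the workstation and the destination port.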
