On Mon, 2009-11-02 at 16:28 +1100, Daniel Bush wrote:
> I was following Rick's recent post about penetration testing with some
> interest.  I'm looking at complying with anz e-gate for e-commerce
> transactions.  ANZ has this declaration form for internet sites that you
> have to sign.  One of the tick boxes says "Do you operate a firewall that is
> regularly updated?"
> 
> I have an iptables firewall which basically blocks all ip6 and all ip4
> except for a couple of ports I expose to the internet.  I don't see why I
> need to update it "regularly".

Two primary reasons:
 - iptables is not bug free. Few and far between, but not empty-of-bugs.
 - ip4 and ip6 are not 'finished'. Every now and then a new RFC or even
std is released, and you need to update your firewall and routing rules
accordingly. (e.g. the nonroutable address space changes over time, so
you need to update your rules accordingly).

Even if those two points didn't matter, if you admin the firewall using
ssh, and sshd has a bug permitting remote compromise, you'd be remiss
not to update that.

So, it's an important checkbox, and if you're not maintaining your
firewall, don't tick it! (Worse still, if you think deny-all + a couple
of permits == correctly setup firewall - you need about 15 rules I
think, for a _minimally_ conformant firewall [that is, not in violation
of parts of the IP stack]). Keeping on top of the whole mess is what is
implied by 'regularly updated', not turning on some vendor software-sync
button and forgetting about it.

-Rob
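As an added illustration of the "deny-all plus a couple of permits is not a correctly set up firewall" point above (this is not code from Rob's or Daniel's posts, and it assumes a hypothetical host with a public interface eth0 publishing TCP 22, 80 and 443), here is a rule generator that emits what a default-DROP host needs so the IP stack itself keeps working: ICMP error types that path MTU discovery depends on, IPv6 Neighbour Discovery with the hop limit check from RFC 4861, the ICMPv6 types RFC 4890 says not to filter, and a bogon list that, exactly as the reply says, has to be revisited whenever the unroutable address space changes:

```shell
#!/bin/sh
# Added example, not from the SLUG thread. Assumptions: WAN is the public
# interface, SERVICES are the published TCP ports, and V4_BOGONS is a
# snapshot of RFC 1918 / link-local / "this network" space that must be
# reviewed when allocations change (the "regularly updated" part).
WAN="${WAN:-eth0}"
SERVICES="${SERVICES:-22 80 443}"
V4_BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"

# Emit an iptables-restore ruleset for IPv4. INPUT defaults to DROP, but
# the stack still needs ICMP errors: type 3 (destination-unreachable)
# carries code 4 "fragmentation needed", which path MTU discovery relies on.
ipv4_rules() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  for net in $V4_BOGONS; do
    # spoofed private/loopback sources arriving on the public interface
    printf '%s\n' "-A INPUT -i $WAN -s $net -j DROP"
  done
  for t in destination-unreachable time-exceeded parameter-problem; do
    printf '%s\n' "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
  done
  # answer pings, but rate-limit so echo floods are cheap to absorb
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT'
  for p in $SERVICES; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # log (rate-limited) what falls through to the DROP policy
  printf '%s\n' '-A INPUT -m limit --limit 1/s -j LOG --log-prefix "fw4-drop: "'
  printf '%s\n' 'COMMIT'
}

# Emit an ip6tables-restore ruleset. IPv6 routers never fragment, so dropping
# packet-too-big silently breaks every large transfer; RFC 4890 lists the
# types below as ones that must not be filtered on a host.
ipv6_rules() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
    printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT'
  # Neighbour Discovery (RFC 4861) is link-local and sent with hop limit 255;
  # anything else crossed a router and is forged, so the hl match rejects it.
  for t in router-advertisement neighbour-solicitation neighbour-advertisement; do
    printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
  done
  # MLD (types 130-132, MLDv2 report 143) is sent with hop limit 1 on-link;
  # dropping it breaks multicast group membership, including for ND itself.
  for t in 130 131 132 143; do
    printf '%s\n' "-A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 1 -j ACCEPT"
  done
  for p in $SERVICES; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -m limit --limit 1/s -j LOG --log-prefix "fw6-drop: "'
  printf '%s\n' 'COMMIT'
}

# Number of -A rules a generator emits; handy for a sanity check before applying.
rule_count() {
  "$1" | grep -c '^-A'
}

# Usage: sh fw.sh v4 > rules.v4 ; sh fw.sh v6 > rules.v6
# With no argument the functions are only defined, so the file can be sourced.
case "${1:-}" in
  v4) ipv4_rules ;;
  v6) ipv6_rules ;;
  *)  : ;;
esac
```

Even this "minimal" ruleset comes out at well over the couple of permits Daniel describes: the bulk of it exists to keep PMTUD, neighbour discovery and conntrack honest rather than to open ports. Load the generated files with iptables-apply(8) (or the ip6tables equivalent) rather than a bare iptables-restore when you are working over ssh, since it reverts the change if you do not confirm within the timeout; and treat V4_BOGONS as the line item that justifies the "regularly updated" tick box.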


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
