DROP not secure?

Brad Chapman kakadu@earthlink.net
Fri, 03 Aug 2001 08:31:57 -0400


  Mr. Plunket,

Tom Plunket wrote:

> Brad Chapman writes:
> 
>>    AFAICT, dropping state NEW packets in your INPUT chain _is_ the best
>> way to protect your computer.
> 
> 
> Ok.  Someone else mentioned to me off-list that dropping packets
> however might lead to a nasty surprise...  Nasty in case I open
> something up, or???

   IDGT. Blocking state NEW connections in mangle PREROUTING or filter INPUT
_is_ a good way to seal your firewall and tighten it up. I suppose that person
was talking about what might happen if you didn't block state NEW.....

> 
> 
> I turned off INPUT drop for a while so that I could figure out
> how to get various services set up.  I now have a couple of
> services allowed to the outside world, I allow two TCP ports and
> one UDP port (I thought HTTP ran over UDP, but HTTP didn't work
> unless I activated TCP?)...  In the two days that I had no INPUT
> chain at all I logged 34000 "UDP scans on port 68" (from two
> different IP addresses inside my cable modem provider's subnet).
> I sent email to my ISP about it (and received 70M of data on eth0
> that didn't go to the internal network).  Don't understand why
> anyone would be providing bootpc support on the cable modem
> network, anyone know anything about use of this port?

   HTTP does use TCP. As for bootpc stuff, block it.

> 
> 
>> BTW, what do you mean by using SSH to provide services?
> 
> 
> I was hoping to figure out how I could get users to "log in"
> using SSH, and then essentially setting it up as a tunnel to FTP,
> CVS, HTTP, telnet...

   That's a good idea. However, you would need to load a lot of
proxies, and configure them all to the VPN tunnel running over SSH.
If you don't know how to set up a VPN using ssh, see the VPN-HOWTO.

> 
> 
> Maybe I should just set up stunnel and be done with it.  Seems
> that all of the "Linux hackers" that I know like to use SSH for
> all of their needs, and it sounds especially appealing because it
> sounds like I could open a persistent SSH tunnel from my work
> computer (behind a firewall) to this machine at my house, and
> then communicate in both directions (e.g. get files off of my
> work machine from home)...
> 
>> IDGT......you seem to have a paranoid ISP if they even prevent 
>> Web traffic!
> 
> 
> Heh maybe so.  They block at least HTTP and FTP.  Telnet is open
> though.  Don't know what else they might block...  Oh yeah I seem
> to remember that the CVS pserver port is open too.  Maybe they
> just want to keep people from running their amateur porn servers
> on the cable modem...  Most people probably wouldn't realize how
> easy it is to change the port that the servers run on (Windows
> users).  ;)

   Jeez. I would get a new ISP if you can't even browse the Web from your
connection! WAM....do they block state NEW connections to your system, or
from them? To them is acceptable; from them is paranoia.

> 
> 
>> As for NAT/MASQ configuration, you can either create a script 
>> which reloads your firewall with new SNAT target addresses when 
>> you detect an address change, or you can use the MASQUERADE 
>> target.
> 
> 
> Hmm- ok.  I haven't had many problems with it so far (and I am
> using the MASQUERADE target), but one day my ISP's provider lost
> their feed, and when it came back up I had to "restart" IPtables.
> Cleared all of the rules and then restored them.  Thought that it
> was odd, since our network connection didn't go down and the IP
> address didn't change, but I didn't want to bother anyone about
> it either.  ;)

   That's odd. IIRC, the MASQUERADE target uses some kernel API
to register itself in a list, so that when a device goes down, it
gets notified and can change itself accordingly. Guess it didn't
work, IMHO.

> 
> 
> -tom!
> 
Brad
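Added example (not part of either message above, and not Brad's or Tom's own ruleset): a small POSIX sh script that builds the kind of iptables policy the thread discusses, i.e. a default-DROP INPUT chain that only lets state NEW through for a short list of published services, drops the UDP 68 (bootpc) noise before it reaches the log, and uses MASQUERADE rather than SNAT on the outside interface so a changed dynamic address needs no rule reload. Everything concrete is an assumption: the outside interface is eth0, the two TCP services are 22 and 80, the one UDP service is 53, the LAN is 192.168.1.0/24, and the optional DHCP_SERVER address is a placeholder. With IPT_DRY_RUN=1 (the default) the script prints the iptables commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example ruleset; values below are assumptions, not from the thread.
EXT_IF="${EXT_IF:-eth0}"               # interface facing the cable modem
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # masqueraded internal network
TCP_PORTS="${TCP_PORTS:-22 80}"        # the two published TCP services
UDP_PORTS="${UDP_PORTS:-53}"           # the one published UDP service
DHCP_SERVER="${DHCP_SERVER:-}"         # placeholder: ISP DHCP server, if the box itself uses DHCP
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"        # 1 = print commands, 0 = apply them (needs root)

# Wrapper so the same rule list can be reviewed (dry run) or applied.
ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from a clean slate with a closed default policy on INPUT/FORWARD.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host started are ESTABLISHED/RELATED, not NEW,
    # so dropping NEW on INPUT does not break outbound browsing.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Published services: the only NEW connections accepted from outside.
    for p in $TCP_PORTS; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        ipt -A INPUT -i "$EXT_IF" -p udp --dport "$p" -j ACCEPT
    done

    # Caveat: if this host gets its own address by DHCP on EXT_IF, lease
    # renewals arrive as UDP 67 -> 68 from the server. Some clients read them
    # via raw sockets and bypass netfilter, others do not; allow the server
    # explicitly before dropping the rest of the port-68 traffic.
    if [ -n "$DHCP_SERVER" ]; then
        ipt -A INPUT -i "$EXT_IF" -p udp -s "$DHCP_SERVER" --sport 67 --dport 68 -j ACCEPT
    fi
    # Drop the remaining bootpc noise silently so it does not flood the log.
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 68 -j DROP

    # Log (rate-limited) and drop any other NEW connection from outside.
    ipt -A INPUT -i "$EXT_IF" -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "INPUT-NEW-DROP: "
    ipt -A INPUT -i "$EXT_IF" -m state --state NEW -j DROP

    # LAN may go out; only replies come back in.
    ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # MASQUERADE reads the interface address at packet time, so a new dynamic
    # IP needs no rule reload; SNAT --to-source would have to be rewritten.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

build_rules
```

Run it as-is to review the generated commands; set IPT_DRY_RUN=0 and run as root to apply them. The explicit "--state NEW -j DROP" at the end of INPUT is redundant with the DROP policy but keeps the intent visible when reading the chain with iptables -L.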