DROP not secure?
Fri, 03 Aug 2001 08:31:57 -0400
Tom Plunket wrote:
> Brad Chapman writes:
>> AFAICT, dropping state NEW packets in your INPUT chain _is_ the best
>> way to protect your computer.
> Ok. Someone else mentioned to me off-list that dropping packets
> however might lead to a nasty surprise... Nasty in case I open
> something up, or???
IDGT. Blocking state NEW connections in mangle PREROUTING or filter INPUT
_is_ a good way to seal your firewall and tighten it up. I suppose they
were talking about what might happen if you didn't block state NEW...
> I turned off INPUT drop for a while so that I could figure out
> how to get various services set up. I now have a couple of
> services allowed to the outside world, I allow two TCP ports and
> one UDP port (I thought HTTP ran over UDP, but HTTP didn't work
> unless I activated TCP?)... In the two days that I had no INPUT
> chain at all I logged 34000 "UDP scans on port 68" (from two
> different IP addresses inside my cable modem provider's subnet).
> I sent email to my ISP about it (and received 70M of data on eth0
> that didn't go to the internal network). Don't understand why
> anyone would be providing bootpc support on the cable modem
> network, anyone know anything about use of this port?
HTTP does use TCP. As for bootpc stuff, block it.
>> BTW, what do you mean by using SSH to provide services?
> I was hoping to figure out how I could get users to "log in"
> using SSH, and then essentially setting it up as a tunnel to FTP,
> CVS, HTTP, telnet...
That's a good idea. However, you would need to load a lot of
proxies, and configure them all to the VPN tunnel running over SSH.
If you don't know how to set up a VPN using ssh, see the VPN-HOWTO.
> Maybe I should just set up stunnel and be done with it. Seems
> that all of the "Linux hackers" that I know like to use SSH for
> all of their needs, and it sounds especially appealing because it
> sounds like I could open a persistent SSH tunnel from my work
> computer (behind a firewall) to this machine at my house, and
> then communicate in both directions (e.g. get files off of my
> work machine from home)...
>> IDGT......you seem to have a paranoid ISP if they even prevent
>> Web traffic!
> Heh maybe so. They block at least HTTP and FTP. Telnet is open
> though. Don't know what else they might block... Oh yeah I seem
> to remember that the CVS pserver port is open too. Maybe they
> just want to keep people from running their amateur porn servers
> on the cable modem... Most people probably wouldn't realize how
> easy it is to change the port that the servers run on (Windows
> users). ;)
Jeez. I would get a new ISP if you can't even browse the Web from your
connection! WAM....do they block state NEW connections to your system, or
from them? To them is acceptable; from them is paranoia.
>> As for NAT/MASQ configuration, you can either create a script
>> which reloads your firewall with new SNAT target addresses when
>> you detect an address change, or you can use the MASQUERADE
> Hmm- ok. I haven't had many problems with it so far (and I am
> using the MASQUERADE target), but one day my ISP's provider lost
> their feed, and when it came back up I had to "restart" IPtables.
> Cleared all of the rules and then restored them. Thought that it
> was odd, since our network connection didn't go down and the IP
> address didn't change, but I didn't want to bother anyone about
> it either. ;)
That's odd. IIRC, the MASQUERADE target uses some kernel API
to register itself in a list, so that when a device goes down, it
gets notified and can change itself accordingly. Guess it didn't
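To make the advice in this thread concrete (drop state NEW in filter INPUT, let only a couple of TCP ports and one UDP port through, silently drop the UDP port 68 bootpc noise so it stops flooding the log, and MASQUERADE the internal network), here is an added example rule script. It is not the poster's own firewall; the interface names, the LAN subnet and the specific ports (22, 80 and 53) are assumptions chosen for illustration, and the `IPT` variable defaults to `echo` so the rules can be reviewed without root before being applied with `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): an iptables rule set that
# denies new inbound connections by default, as discussed in the thread.
# Interface names, subnet and ports are assumptions for illustration.
set -u

EXT_IF=${EXT_IF:-eth0}                 # cable-modem side (assumed)
INT_IF=${INT_IF:-eth1}                 # LAN side (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}     # internal network (assumed)
TCP_SERVICES=${TCP_SERVICES:-"22 80"}  # two TCP ports opened to the world (assumed)
UDP_SERVICES=${UDP_SERVICES:-"53"}     # one UDP port opened to the world (assumed)

# Every rule is handed to $IPT. "echo" prints the rules for review;
# "iptables" applies them (run as root for that).
IPT=${IPT:-echo}

apply_rules() {
    # start from empty chains with deny-by-default for inbound and forwarded traffic
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback, and replies to connections this host already opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP-client (bootpc) chatter from the provider's subnet: drop it
    # without logging, otherwise it floods the log as described above
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 68 -j DROP

    # the few services deliberately exposed; only these may start NEW flows
    for port in $TCP_SERVICES; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $UDP_SERVICES; do
        $IPT -A INPUT -i "$EXT_IF" -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # any other attempt to open a connection: log a rate-limited sample, then drop
    $IPT -A INPUT -i "$EXT_IF" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "NEW dropped: "
    $IPT -A INPUT -i "$EXT_IF" -m state --state NEW -j DROP

    # LAN to internet through MASQUERADE, which follows the current address of EXT_IF
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Usage: sh firewall.sh                (dry run: prints the rules)
#        IPT=iptables sh firewall.sh   (apply them, as root)
apply_rules
```

The order of the INPUT rules is what carries the policy: ESTABLISHED,RELATED is matched first so replies to outbound traffic always get through, the explicit port accepts come next, and the catch-all `--state NEW` drop sits at the end with a rate-limited LOG in front of it so a scan cannot fill the disk the way the port 68 noise did.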