On Mon, Mar 06, 2000 at 12:51:43PM +0100, Gustav Schaffter wrote:
| Setup the ipchains firewall to DENY everything. Then ACCEPT only
| whatever traffic you feel should go through the wall.

This is indeed the core approach to firewalling.

| (Lots of trial
| and error there, to get the legitimate stuff through.)

Actually, this should be fairly easy if your desires are modest.
I let in ssh and DNS and NTP and ICMP traffic and incoming TCP
packets without the SYN bit (i.e. packets in established connections).
And that's _all_.

| Also, make sure
| that you log everything that you DENY. That way you gain two things. 1)
| You can see what legitimate traffic doesn't go through the wall and you
| can easily understand what to change in your ipchains to let it through.
| 2) You can know what illegitimate traffic (if any) was DENY'ed and you
| may take appropriate action.

Also log incoming accepted SYN packets; in some ways this can be more
important because it shows you what traffic you're accepting - there
should be nothing unexpected there. Logging DENYs is good for
debugging, but paying attention to what you let in is more important
from the security point of view.

I would also suggest you REJECT packets instead of DENYing them.  This
is MUCH more polite to people (not everyone is an attacker).  A REJECT
sends a packet back saying "connection refused". It permits the
incoming connection to know immediately that there's nothing there for
it; a DENY just drops the packet on the floor and TCP will just send
another SYN because it's _designed_ for networks which drop occasional
packets.

Unless you get flooded by something, sending rejections costs you nothing and
is polite to others.
-- 
Cameron Simpson, DoD#743        [EMAIL PROTECTED]    http://www.zip.com.au/~cs/

Santa Claus (San-ta clors): A bizarre mythological character described as
being obese and having an unnatural interest in little boys and girls.


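The policy described in the thread (default-deny on the input chain, ssh/DNS/NTP/ICMP and non-SYN TCP let in, accepted SYNs logged, everything else REJECTed and logged) written out as an ipchains rule set. This is an added example, not Cameron's or Gustav's own configuration. It assumes ssh on port 22, that the loopback interface should be allowed unconditionally, that DNS replies arrive as UDP from source port 53 and NTP as UDP port 123 (ipchains is stateless, so replies have to be matched on ports), and that the firewall runs in dry-run mode by default, printing the commands so the rule list can be reviewed before it is applied with APPLY=1 as root:

```shell
#!/bin/sh
# Added example: ipchains input-chain policy along the lines discussed
# in the thread. Dry run by default (prints the commands); APPLY=1 runs
# them. Port numbers, the loopback rule and the UDP reply matches are
# assumptions, not something stated in the original post.

IPCHAINS=${IPCHAINS:-ipchains}
APPLY=${APPLY:-0}

# rule: either execute an ipchains command or echo it (dry run).
rule() {
    if [ "$APPLY" = 1 ]; then
        "$IPCHAINS" "$@"
    else
        echo "$IPCHAINS $*"
    fi
}

# build_input_chain: flush the chain, set a REJECT policy, then add the
# small set of ACCEPT rules. Order matters: ipchains stops at the first
# match, so the logged catch-all must come last.
build_input_chain() {
    rule -F input
    # Default policy: REJECT rather than DENY, so refused connections get
    # an immediate "connection refused" instead of silent SYN retries.
    rule -P input REJECT
    # Loopback is always fine (assumption: local services talk over lo).
    rule -A input -i lo -j ACCEPT
    # Incoming ssh: accept new connections (-y = SYN set) and log them
    # (-l), because what we let in is what we most want to see.
    rule -A input -p tcp -y --dport 22 -j ACCEPT -l
    # Any TCP packet without SYN belongs to an established connection.
    rule -A input -p tcp ! -y -j ACCEPT
    # DNS replies (UDP from port 53) and NTP (UDP 123 both sides);
    # ipchains has no connection tracking, so these are port matches only.
    rule -A input -p udp --sport 53 -j ACCEPT
    rule -A input -p udp --sport 123 --dport 123 -j ACCEPT
    # ICMP (ping, unreachables, fragmentation-needed, ...).
    rule -A input -p icmp -j ACCEPT
    # Everything else: refuse and log. The policy itself does not log,
    # which is why an explicit final rule is used for the "log what you
    # DENY" advice.
    rule -A input -j REJECT -l
}

# rule_count: number of ipchains commands the chain builder emits.
rule_count() {
    APPLY=0 build_input_chain | wc -l | tr -d ' '
}

build_input_chain
```

Run it once with no arguments to review the generated commands, then `APPLY=1 sh firewall.sh` as root to load them. Because matching stops at the first hit, the accept rule for non-SYN TCP must stay above the catch-all, and any new service should be added as a logged `-y` accept rule so the accepted-SYN log keeps telling you exactly what the wall lets through.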