Re: [gentoo-user] Is this firewall safe? - gentoo-user

From:	Eric Martin <freak4uxxx@×××××.com>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] Is this firewall safe?
Date:	Mon, 27 Apr 2009 19:35:26
Message-Id:	`49F608FA.7030007@gmail.com`
In Reply to:	Re: [gentoo-user] Is this firewall safe? by Marco

1

Marco wrote:

2

> On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@×××××.com> wrote:

3

>

4

>> Marco wrote:

5

>>

6

>>> Hi all,

7

>>>

8

>>> I set up my first firewall on my notebook (not running any services

9

>>> reachable from outside) using iptables. Since I am new to the topic,

10

>>> could you please verify if the output of 'iptables -L -v' is

11

>>> considered to be a safe firewall? Thanks!

12

>>>

13

>>> Chain INPUT (policy DROP 0 packets, 0 bytes)

14

>>>  pkts bytes target     prot opt in     out     source

15

>>> destination

16

>>>     0     0 ACCEPT     all  --  lo     any     anywhere

17

>>> anywhere

18

>>>     0     0 ACCEPT     all  --  eth0   any     anywhere

19

>>> anywhere            state RELATED,ESTABLISHED

20

>>>     0     0 REJECT     tcp  --  eth0   any     anywhere

21

>>> anywhere            reject-with tcp-reset

22

>>>     0     0 REJECT     udp  --  eth0   any     anywhere

23

>>> anywhere            reject-with icmp-port-unreachable

24

>>>     0     0 DROP       udp  --  eth0   any     anywhere

25

>>> anywhere            udp spt:bootps

26

>>>     0     0 LOG        all  --  eth0   any     anywhere

27

>>> anywhere            LOG level warning prefix `INPUT   '

28

>>>     1    79 ACCEPT     all  --  wlan0  any     anywhere

29

>>> anywhere            state RELATED,ESTABLISHED

30

>>>     0     0 REJECT     tcp  --  wlan0  any     anywhere

31

>>> anywhere            reject-with tcp-reset

32

>>>     0     0 REJECT     udp  --  wlan0  any     anywhere

33

>>> anywhere            reject-with icmp-port-unreachable

34

>>>     0     0 DROP       udp  --  wlan0  any     anywhere

35

>>> anywhere            udp spt:bootps

36

>>>     0     0 LOG        all  --  wlan0  any     anywhere

37

>>> anywhere            LOG level warning prefix `INPUT   '

38

>>>

39

>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

40

>>>  pkts bytes target     prot opt in     out     source

41

>>> destination

42

>>>     0     0 LOG        all  --  any    any     anywhere

43

>>> anywhere            LOG level warning prefix `FORWARD '

44

>>>     0     0 LOG        all  --  any    any     anywhere

45

>>> anywhere            LOG level warning prefix `FORWARD '

46

>>>

47

>>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)

48

>>>  pkts bytes target     prot opt in     out     source

49

>>> destination

50

>>>     0     0 ACCEPT     all  --  any    lo      anywhere

51

>>> anywhere

52

>>>     0     0 LOG        all  --  any    eth0    anywhere

53

>>> anywhere            LOG level warning prefix `OUTPUT  '

54

>>>     1    52 LOG        all  --  any    wlan0   anywhere

55

>>> anywhere            LOG level warning prefix `OUTPUT  '

56

>>>

57

>>>

58

>

59

<snip>

60

> Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks...

61

>

62

> Talking about the 1 log line at the bottom you mean I should configure

63

> it to not specify an interface (eth0, wlan0)?

64

>

65

> Thanks!

66

>

67

>

68

Yeah, not specifying an interface for the log rule to apply to will make

69

it catch all interfaces (including lo but all traffic has already been

70

approved ahead of time so it won't catch).

1	Marco wrote:
2	> On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@×××××.com> wrote:
3	>
4	>> Marco wrote:
5	>>
6	>>> Hi all,
7	>>>
8	>>> I set up my first firewall on my notebook (not running any services
9	>>> reachable from outside) using iptables. Since I am new to the topic,
10	>>> could you please verify if the output of 'iptables -L -v' is
11	>>> considered to be a safe firewall? Thanks!
12	>>>
13	>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
14	>>> pkts bytes target prot opt in out source
15	>>> destination
16	>>> 0 0 ACCEPT all -- lo any anywhere
17	>>> anywhere
18	>>> 0 0 ACCEPT all -- eth0 any anywhere
19	>>> anywhere state RELATED,ESTABLISHED
20	>>> 0 0 REJECT tcp -- eth0 any anywhere
21	>>> anywhere reject-with tcp-reset
22	>>> 0 0 REJECT udp -- eth0 any anywhere
23	>>> anywhere reject-with icmp-port-unreachable
24	>>> 0 0 DROP udp -- eth0 any anywhere
25	>>> anywhere udp spt:bootps
26	>>> 0 0 LOG all -- eth0 any anywhere
27	>>> anywhere LOG level warning prefix `INPUT '
28	>>> 1 79 ACCEPT all -- wlan0 any anywhere
29	>>> anywhere state RELATED,ESTABLISHED
30	>>> 0 0 REJECT tcp -- wlan0 any anywhere
31	>>> anywhere reject-with tcp-reset
32	>>> 0 0 REJECT udp -- wlan0 any anywhere
33	>>> anywhere reject-with icmp-port-unreachable
34	>>> 0 0 DROP udp -- wlan0 any anywhere
35	>>> anywhere udp spt:bootps
36	>>> 0 0 LOG all -- wlan0 any anywhere
37	>>> anywhere LOG level warning prefix `INPUT '
38	>>>
39	>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
40	>>> pkts bytes target prot opt in out source
41	>>> destination
42	>>> 0 0 LOG all -- any any anywhere
43	>>> anywhere LOG level warning prefix `FORWARD '
44	>>> 0 0 LOG all -- any any anywhere
45	>>> anywhere LOG level warning prefix `FORWARD '
46	>>>
47	>>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
48	>>> pkts bytes target prot opt in out source
49	>>> destination
50	>>> 0 0 ACCEPT all -- any lo anywhere
51	>>> anywhere
52	>>> 0 0 LOG all -- any eth0 anywhere
53	>>> anywhere LOG level warning prefix `OUTPUT '
54	>>> 1 52 LOG all -- any wlan0 anywhere
55	>>> anywhere LOG level warning prefix `OUTPUT '
56	>>>
57	>>>
58	>
59	<snip>
60	> Sorry for the bad format. gmail decided to insert some sub ideal pagebreaks...
61	>
62	> Talking about the 1 log line at the bottom you mean I should configure
63	> it to not specify an interface (eth0, wlan0)?
64	>
65	> Thanks!
66	>
67	>
68	Yeah, not specifying an interface for the log rule to apply to will make
69	it catch all interfaces (including lo but all traffic has already been
70	approved ahead of time so it won't catch).

Gentoo Archives: gentoo-user