Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu User (http://www.linux-archive.org/ubuntu-user/)
-   -   About my Firewall Settings - I would like an opinion (http://www.linux-archive.org/ubuntu-user/191101-about-my-firewall-settings-i-would-like-opinion.html)

"Sam Kuper" 11-10-2008 06:32 PM

About my Firewall Settings - I would like an opinion
 
2008/11/10 Manuel Gomez <mgdpz1@gmail.com>

> Hi, I would like to read opinions about my firewall settings:
>
> I am using iptables with Shorewall (frontend) and my configuration is:
>
> - Default policy: REJECT all connections.
>
> - Rules: allow DNS (my DNS servers); allow HTTP and HTTPS connections to servers: www.google.es, ...
>
> So, nobody except these servers can connect with me (inbound and outbound).
>
> Is this type of configuration secure? How could they attack me?

By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

"Sam Kuper" 11-10-2008 06:43 PM

About my Firewall Settings - I would like an opinion
 
2008/11/10 Sam Kuper <sam.kuper@uclmail.net>

> By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.

That said, if SSH traffic is blocked, an OpenSSH vuln. might not be significant. If you're allowing any inbound traffic, though, any unpatched flaws in the app servicing that inbound traffic could expose your system to attack.

Also, by REJECTing rather than DROPping, you might be more vulnerable to DoS attacks.

Consider using a default (LOG and) DROP policy instead. Michael Rash's site (www.cipherdyne.org) has some good resources for learning about this and implementing it.
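The configuration recommended in the reply above, as an added example that is not from the thread, from Shorewall or from cipherdyne.org: a POSIX shell script that generates an iptables-restore ruleset with a default DROP policy on every chain, allow-lists for outbound DNS and HTTP/HTTPS to specific servers only (the shape of the configuration in the original question), and a rate-limited LOG rule ahead of the final DROP. The resolver and web-server addresses are RFC 5737 documentation addresses standing in for the real ones; the LOGDROP chain name, the "FW-DROP: " log prefix and the 5/min log limit are arbitrary choices made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: emit an
# iptables-restore ruleset that follows the advice above (default DROP,
# allow-lists only, rate-limited LOG before DROP). Addresses are RFC 5737
# documentation addresses used as placeholders for the real servers.
set -eu

DNS_SERVERS="192.0.2.53 198.51.100.53"   # placeholder resolver addresses
WEB_HOSTS="203.0.113.10 203.0.113.11"    # placeholder addresses of the allowed web sites
LOG_LIMIT="5/min"                         # cap log volume so a scan cannot flood the log

# Print one rule per line; "$*" joins the arguments with single spaces.
rule() { printf '%s\n' "$*"; }

build_ruleset() {
    rule '*filter'
    # Chain policies are DROP, not REJECT: unsolicited probes get no answer.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'
    rule ':LOGDROP - [0:0]'                # user chain: log, then drop

    # Loopback, and replies belonging to connections this host opened.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection and open none are bogus.
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Outbound DNS (UDP and TCP 53), only to the configured resolvers.
    for ip in $DNS_SERVERS; do
        rule -A OUTPUT -d "$ip" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        rule -A OUTPUT -d "$ip" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound HTTP/HTTPS, only to the allowed web hosts.
    for ip in $WEB_HOSTS; do
        rule -A OUTPUT -d "$ip" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    done

    # No inbound service is offered, so everything left over is logged
    # (rate-limited) and dropped; the DROP policies above are the safety net.
    rule -A LOGDROP -m limit --limit "$LOG_LIMIT" --limit-burst 10 -j LOG --log-prefix '"FW-DROP: "'
    rule -A LOGDROP -j DROP
    rule -A INPUT -j LOGDROP
    rule -A OUTPUT -j LOGDROP
    rule COMMIT
}

# Checks a reviewer would run before loading: no REJECT anywhere, and the
# LOG rule precedes the DROP in the LOGDROP chain.
ruleset_has_no_reject() { ! build_ruleset | grep -q REJECT; }
ruleset_logs_before_drop() {
    build_ruleset | awk '/^-A LOGDROP .*-j LOG /{seen=1} /^-A LOGDROP -j DROP$/{exit !seen}'
}
ruleset_line_count() { build_ruleset | grep -c .; }

case "${1:-}" in
    --apply)
        # Load atomically (root required); iptables-restore swaps the whole table at once.
        build_ruleset | iptables-restore
        ;;
    *)
        build_ruleset           # default: print for review
        ;;
esac
```

Run it without arguments to print the ruleset for review, or with `--apply` to load it through iptables-restore, which replaces the filter table in one step. In Shorewall terms the same thing is a DROP policy with a log level (for example `info`) in /etc/shorewall/policy instead of REJECT. Two caveats go with this design: iptables matches IP addresses, so a hostname such as www.google.es is resolved once when the rule is loaded and the rule silently stops matching when the site's addresses change; and DROP only withholds the RST or ICMP answer, so a scanner that already knows the host's address still sees the ports as filtered rather than closed, which is less information than REJECT leaks but not invisibility.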

Manuel Gomez 11-10-2008 07:35 PM

About my Firewall Settings - I would like an opinion
 
Sam Kuper wrote:

> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing any inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

OK, I have set the default policy to DROP. What more could I do?

Thank you very much.


Manuel Gomez 11-10-2008 07:41 PM

About my Firewall Settings - I would like an opinion
 
Sam Kuper wrote:

> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing any inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

I have set the default policy to DROP.

What more could I do?

Thank you very much, I appreciate your help.


