11-10-2008, 06:32 PM
Sam Kuper

About my Firewall Settings - I would like an opinion

2008/11/10 Manuel Gomez <mgdpz1@gmail.com>

> Hi, I would like to read opinions about my firewall settings:
>
> I am using Iptables with Shorewall (frontend) and my configuration is:
>
> - Default Policy: REJECT all connections.
>
> - Rules: Allow DNS (my DNS servers), allow http and https connections for servers: www.google.es, ...
>
> So, nobody except these servers can connect with me (inbound and outbound).
>
> Is this type of configuration secure? How could they attack me?

By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-10-2008, 06:32 PM
"Sam Kuper"
 
Default About my Firewall Settings - I would like an opinion

2008/11/10 Manuel Gomez <mgdpz1@gmail.com>

Hi, i would like to read opinions about my firewall settings:

I am using Iptables with Shorewall (frontend) and my configuration is:

- Default Policy: REJECT all connections.

- Rules: Allow DNS (my DNS servers), allow http and https connections for servers: www.google.es, ...

So, nobody except these servers can connect with me (inbound and outbound).

This type of configuration is secure? *How could they attack me?
By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.*
 
11-10-2008, 06:43 PM
Sam Kuper

About my Firewall Settings - I would like an opinion

2008/11/10 Sam Kuper <sam.kuper@uclmail.net>

> By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.

That said, if SSH traffic is blocked, an OpenSSH vuln. might not be significant. If you're allowing any inbound traffic, though, any unpatched flaws in the app servicing that inbound traffic could expose your system to attack.

Also, by REJECTing rather than DROPping, you might be more vulnerable to DoS attacks.

Consider using a default (LOG and) DROP policy instead. Michael Rash's site (www.cipherdyne.org) has some good resources for learning about this and implementing it.
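The two posts above (Sam's 06:32 and 06:43 replies) recommend DROP over REJECT and a default that logs before it drops. The following is an added example, not code from the thread and not Shorewall's own configuration: it writes the policy Manuel describes as a plain iptables script, with DROP on every chain, loopback and already-established traffic allowed, new outbound connections only to named resolvers and web hosts, and a rate-limited LOG before the final DROP. The resolver and web server addresses are RFC 5737 documentation addresses standing in for real ones, and IPT is a hypothetical variable so the rules can be printed (IPT=echo) without root.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's own configuration):
# a default-DROP iptables ruleset for the policy described in the thread.
# IPT is a hypothetical knob: leave it unset to apply the rules as root, or
# set IPT=echo to print them for review without touching the firewall.
IPT="${IPT:-iptables}"
DNS_SERVERS="192.0.2.53 198.51.100.53"   # assumed resolver addresses (RFC 5737)
WEB_HOSTS="203.0.113.10 203.0.113.11"    # assumed web server addresses (RFC 5737)

build_ruleset() {
    # Start from an empty filter table.
    $IPT -F
    $IPT -X
    # DROP rather than REJECT: unsolicited packets get no RST/ICMP reply,
    # so a scanner cannot tell a filtered port from a dead host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Local processes talk to each other over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections this host opened are allowed back in;
    # nothing new is accepted inbound.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New outbound DNS only to the configured resolvers (UDP and TCP 53).
    for dns in $DNS_SERVERS; do
        $IPT -A OUTPUT -p udp -d "$dns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A OUTPUT -p tcp -d "$dns" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    # New outbound HTTP/HTTPS only to the listed hosts.
    for host in $WEB_HOSTS; do
        for port in 80 443; do
            $IPT -A OUTPUT -p tcp -d "$host" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    # LOG and DROP: everything else goes through a chain that logs at a
    # bounded rate (so a probe flood cannot fill the disk) and then drops.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPT -A LOGDROP -j DROP
    $IPT -A INPUT -j LOGDROP
    $IPT -A OUTPUT -j LOGDROP
}

# emit_rules prints the rule list instead of applying it (dry run).
emit_rules() {
    ( IPT=echo; build_ruleset )
}

# count_rules returns how many iptables invocations the ruleset makes.
count_rules() {
    emit_rules | wc -l | tr -d ' '
}

# Stand-alone run: "sh firewall.sh apply" applies the rules (root required);
# any other invocation only prints them.
if [ "${1:-}" = "apply" ]; then
    build_ruleset
else
    emit_rules
fi
```

The limit on the LOG rule is what keeps a LOG-and-DROP default from turning a probe flood into a full disk; REJECT would in addition answer every probe with an RST or ICMP packet, which is the extra exposure Sam mentions. With Shorewall the same default is expressed as a DROP policy with a log level in /etc/shorewall/policy (for example `net $FW DROP info`), with ACCEPT entries for the named hosts in /etc/shorewall/rules.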
 
Old 11-10-2008, 06:43 PM
"Sam Kuper"
 
Default About my Firewall Settings - I would like an opinion

2008/11/10 Sam Kuper <sam.kuper@uclmail.net>

By using REJECT instead of DROP, you have no stealth. This means you can be port-scanned to look for weaknesses, e.g. unpatched OpenSSH vulnerabilities, etc.*

That said, if SSH traffic is blocked, an OpenSSH vuln. might not be significant. If you're allowing and inbound traffic, though, any unpatched flaws in the app servicing that inbound traffic could expose your system to attack.

Also, by REJECTing rather than DROPping, you might be more vulnerable to DoS attacks.

Consider using a default (LOG and) DROP policy instead. Michael Rash's site (www.cipherdyne.org) has some good resources for learning about this and implementing it.
 
11-10-2008, 07:35 PM
Manuel Gomez

About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing any inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

OK, I have set the default policy to DROP. What more could I do?

Thank you very much.

 
Old 11-10-2008, 07:35 PM
Manuel Gomez
 
Default About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

2008/11/10 Sam Kuper <sam.kuper@uclmail.net
<mailto:sam.kuper@uclmail.net>>


By using REJECT instead of DROP, you have no stealth. This means
you can be port-scanned to look for weaknesses, e.g. unpatched
OpenSSH vulnerabilities, etc.



That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
significant. If you're allowing and inbound traffic, though, any
unpatched flaws in the app servicing that inbound traffic could expose
your system to attack.


Also, by REJECTing rather than DROPping, you might be more vulnerable
to DoS attacks.


Consider using a default (LOG and) DROP policy instead. Michael Rash's
site (www.cipherdyne.org <http://www.cipherdyne.org>) has some good
resources for learning about this and implementing it.

Ok, i have set default policy in DROP. What more could I do?

Thank you very much.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 11-10-2008, 07:37 PM
Manuel Gomez
 
Default About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net
> <mailto:sam.kuper@uclmail.net>>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing and inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org <http://www.cipherdyne.org>) has some good
> resources for learning about this and implementing it.
Ok, i have set default policy in DROP. What more could I do?

Thank you very much.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-10-2008, 07:37 PM
Manuel Gomez
 
Default About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

2008/11/10 Sam Kuper <sam.kuper@uclmail.net
<mailto:sam.kuper@uclmail.net>>


By using REJECT instead of DROP, you have no stealth. This means
you can be port-scanned to look for weaknesses, e.g. unpatched
OpenSSH vulnerabilities, etc.



That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
significant. If you're allowing and inbound traffic, though, any
unpatched flaws in the app servicing that inbound traffic could expose
your system to attack.


Also, by REJECTing rather than DROPping, you might be more vulnerable
to DoS attacks.


Consider using a default (LOG and) DROP policy instead. Michael Rash's
site (www.cipherdyne.org <http://www.cipherdyne.org>) has some good
resources for learning about this and implementing it.

Ok, i have set default policy in DROP. What more could I do?

Thank you very much.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
11-10-2008, 07:41 PM
Manuel Gomez

About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

> 2008/11/10 Sam Kuper <sam.kuper@uclmail.net>
>
> By using REJECT instead of DROP, you have no stealth. This means
> you can be port-scanned to look for weaknesses, e.g. unpatched
> OpenSSH vulnerabilities, etc.
>
> That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
> significant. If you're allowing any inbound traffic, though, any
> unpatched flaws in the app servicing that inbound traffic could expose
> your system to attack.
>
> Also, by REJECTing rather than DROPping, you might be more vulnerable
> to DoS attacks.
>
> Consider using a default (LOG and) DROP policy instead. Michael Rash's
> site (www.cipherdyne.org) has some good
> resources for learning about this and implementing it.

I have set the default policy to DROP.

What more could I do?

Thank you very much, I appreciate your help.

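Once the default policy logs before it drops, the kernel log is where the port scans Sam mentions become visible, and reviewing it is one concrete answer to Manuel's "what more could I do". The following is an added example, not from the thread: it reads syslog lines produced by an iptables LOG rule with an assumed `--log-prefix "FW-DROP: "` and reports each source that probed at least a threshold number of distinct TCP ports, counting retries of the same port once. The log lines are constructed samples using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG output to spot
# port scans. Expects syslog/kern.log lines produced by a LOG rule with
# --log-prefix "FW-DROP: " (an assumed prefix) and reports every source that
# hit at least THRESHOLD distinct TCP destination ports.

# Constructed sample log lines using RFC 5737 documentation addresses:
# one host sweeping six ports, one host retrying a single port, one UDP probe.
sample_log() {
    cat <<'EOF'
Nov 10 19:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=21 WINDOW=1024 SYN
Nov 10 19:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 SYN
Nov 10 19:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 SYN
Nov 10 19:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=25 WINDOW=1024 SYN
Nov 10 19:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44325 DPT=80 WINDOW=1024 SYN
Nov 10 19:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=44326 DPT=443 WINDOW=1024 SYN
Nov 10 19:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Nov 10 19:05:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=512 SYN
Nov 10 19:05:45 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TTL=60 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=512 SYN
EOF
}

# scan_report [THRESHOLD]: read log lines on stdin and print "SRC count" for
# each source that hit at least THRESHOLD (default 5) distinct TCP DPT values.
scan_report() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        /FW-DROP:/ && /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Count each (source, port) pair once, however many retries it has.
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Stand-alone run: report on the constructed sample with the default threshold.
# In practice: grep 'FW-DROP:' /var/log/kern.log | scan_report 10
sample_log | scan_report
```

The single-port retries from 198.51.100.9 never cross the threshold, so a legitimate client that keeps knocking on a closed port is not reported as a scanner; the six-port sweep from 203.0.113.77 is. The threshold and the time window (here, whatever range of the log you pipe in) are the two knobs to tune against your own traffic.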
 
Old 11-10-2008, 07:41 PM
Manuel Gomez
 
Default About my Firewall Settings - I would like an opinion

Sam Kuper escribió:

2008/11/10 Sam Kuper <sam.kuper@uclmail.net
<mailto:sam.kuper@uclmail.net>>


By using REJECT instead of DROP, you have no stealth. This means
you can be port-scanned to look for weaknesses, e.g. unpatched
OpenSSH vulnerabilities, etc.



That said, if SSH traffic is blocked, an OpenSSH vuln. might not be
significant. If you're allowing and inbound traffic, though, any
unpatched flaws in the app servicing that inbound traffic could expose
your system to attack.


Also, by REJECTing rather than DROPping, you might be more vulnerable
to DoS attacks.


Consider using a default (LOG and) DROP policy instead. Michael Rash's
site (www.cipherdyne.org <http://www.cipherdyne.org>) has some good
resources for learning about this and implementing it.

I have set the default policy in DROP.

What more could i do?

Thank you very much, i appreciate your help.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 03:20 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org