Saturday, October 27, 2007

Re: Default Policy = DROP. Help-me

On 2007-10-27 Pascal Hambourg wrote:
> Ansgar -59cobalt- Wiechers a écrit :
>> On 2007-10-24 Yuri Rodrigues wrote:
>>> I usually browse the Internet, get ssh servers for my network and
>>> get my ssh server when I am in a remote location. But can not access
>>> servers ssh from my server firewall. Somebody help me with that
>>> firewall?
> [...]
>> Ouch. *Never* flush the chains before setting the default policies.
>> Also *never* enable IP forwarding before setting the default
>> policies.
>
> I guess you mean "before setting default policies to DROP".

Yes.

[...]
>> $iptables -t filter -P INPUT DROP
>> $iptables -t filter -P OUTPUT DROP
>> $iptables -t filter -P FORWARD DROP
>>
>> $iptables -t nat -P PREROUTING ACCEPT
>> $iptables -t nat -P POSTROUTING ACCEPT
>>
>> $iptables -t mangle -P PREROUTING ACCEPT
>> $iptables -t mangle -P POSTROUTING ACCEPT
>
> What about the other chains in the nat and mangle tables ?

I was being lazy here.

[...]
>> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[...]
> Don't you forget to accept RELATED,ESTABLISHED traffic in OUTPUT and
> FORWARD and outgoing traffic on the loopback interface ?

Yes, as I already mentioned in a later reply.

[...]
>>> #### Protection against ping flood ####
>>> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>> echo "Protecao contra ping flood ......................... [ Ok ]"
>>
>> A limit rule does not protect against ping floods. "ping flood" means
>> that the attacker is sending so much echo-requests that they consume
>> your entire bandwidth. There's exactly nothing you can do on your
>> firewall to protect you from that.
>
> Except when you're on a link with asymmetric up/down bandwidth such as
> ADSL. If you're on a 128/512 kbit/s link, a 128 kbit/s flood ping is
> not enough to fill your downstream but enough to fill your upstream. By
> limiting the incoming echo request (and *not any* ICMP type) rate, you
> can limit the outgoing echo reply rate and avoid consuming all your
> upstream bandwidth.

A valid point, though probably somewhat theoretical. How often does a
situation where a flood doesn't consume the entire downstream bandwidth
really occur? Please note that I'm not objecting to rate-limiting
incoming ICMP packets (on the contrary). I'm merely saying that unlike
limiting incoming syn packets it won't protect from floods. At least in
most cases.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
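The ordering the thread argues about (policies to DROP before any flush, IP forwarding enabled last, RELATED,ESTABLISHED accepted in all three filter chains, loopback allowed, and only echo-request rather than all of ICMP rate-limited) is easier to see in one script than spread over a quoted exchange. The following is an added example written for this page, not code posted by any participant. It emits the commands in the recommended order; by default `IPTABLES` and `SYSCTL` expand to `echo ...` so the script only prints what it would run, and `WAN_IF`, `LAN_IF` and the SSH rules that address the original poster's "cannot reach ssh servers from the firewall" complaint are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the debian-firewall thread.
# Dry run by default: IPTABLES and SYSCTL expand to "echo ..." so the
# commands are printed, not executed. To apply for real (as root):
#   IPTABLES=iptables SYSCTL=sysctl WAN_IF=eth0 LAN_IF=eth1 sh fw.sh
IPTABLES="${IPTABLES:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"   # assumed interface names
LAN_IF="${LAN_IF:-eth1}"

build_ruleset() {
    # 1. Default policies FIRST. If the chains were flushed while the
    #    policy was still ACCEPT, the box would be wide open for a moment.
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP

    # 2. Only now flush and delete user chains in the filter table.
    $IPTABLES -t filter -F
    $IPTABLES -t filter -X

    # 3. Loopback in both directions, then stateful accepts in ALL three
    #    filter chains (the thread notes OUTPUT and FORWARD were missing).
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    # 4. SSH: incoming to this host and outgoing from it (the original
    #    poster's problem was a DROP OUTPUT policy with no NEW ssh rule).
    $IPTABLES -A INPUT  -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 5. Rate-limit incoming echo requests only, not every ICMP type, so
    #    replies cannot saturate a thin upstream; other ICMP still flows.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
    $IPTABLES -A INPUT -p icmp -j ACCEPT

    # 6. Forwarding rule for the LAN, NAT on the WAN side.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 7. Enable IP forwarding LAST, after FORWARD already defaults to DROP.
    $SYSCTL -w net.ipv4.ip_forward=1
}

build_ruleset
```

Run it as-is to see the ordered command list; the first three lines are the policy changes and the very last line is the forwarding switch, which is the whole point of the ordering.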