
Thursday, May 07, 2009

Re: firewall critique

On 2009-05-06 Zachary Uram wrote:
> Running Debian lenny. I run a web server and try to keep all other
> ports closed. Would like to get some feedback on my firewall. If you
> have any suggestions for rules to add or other changes please let me
> know. Also what are some other steps I can take next to further
> increase my security?
>
> iptables -A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP ;
> iptables -A INPUT -p tcp -m conntrack --ctstate NEW -i eth0 --dport 80 -j ACCEPT ;
> iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -j DROP ;
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

If the server is only a web server and you're only worried about inbound
connections, then I'd suggest to just keep the other ports closed (i.e.
don't have any services listening on them) and drop iptables altogether.
Using a packet filter to block inbound traffic is futile if your ports
are already closed. By not using a packet filter you also avoid the risk
of vulnerabilities in the packet filter's code being exploited.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
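The reply's advice rests on one check: that nothing besides the web server is actually listening on the outside interface. The script below is an added example (not from either poster) that performs that audit over `ss -ltn`-style output: it lists every non-loopback listening socket whose port is not on an allowed list and returns a non-zero status if it finds one. The sample socket lines are constructed; the live `audit_live` helper assumes an iproute2 `ss` whose `-ltn` output has the columns `State Recv-Q Send-Q Local Peer`, which older versions may lay out differently.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output with the header line already removed.
# One service (sshd on 0.0.0.0:22) is reachable from the network in addition
# to the web server; the MTA on 127.0.0.1:25 is loopback-only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*'

# Read ss-style lines on stdin and print every listening socket that is bound
# to a non-loopback address and whose port is not in the allowed list given
# as $1 (space-separated). Returns 1 if any such socket exists, else 0.
unexpected_listeners() {
    allowed=" $1 "
    found=0
    while read -r state recvq sendq local peer; do
        [ -n "$local" ] || continue
        addr=${local%:*}       # everything before the last colon
        port=${local##*:}      # everything after the last colon
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback-only: not reachable from eth0
        esac
        case "$allowed" in
            *" $port "*) ;;              # expected service, nothing to report
            *) echo "$addr:$port"; found=1 ;;
        esac
    done
    return $found
}

# Audit the constructed sample, allowing only the web server's port.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "80"
}

# Audit the running system (assumes iproute2 ss; sed drops the header line).
audit_live() {
    ss -ltn | sed 1d | unexpected_listeners "${1:-80}"
}
```

On the sample, the audit reports `0.0.0.0:22` and exits 1; a web-only host in the state the reply describes produces no output and exits 0, which makes the function usable from a cron job or a post-install check.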

