Iplementing a firewall after-the-fact
Troels Arvin
troels at arvin.dk
Thu Dec 2 00:09:37 UTC 2004
On Wed, 01 Dec 2004 15:38:34 -0800, Eric Wagar wrote:
> Is there a safe way to implement a firewall (ipchains/iptables) after
> the fact? After the fact being after I have already deployed the system
> at a remote site?
Remote playing with packet filters is tricky, because you - obviously -
face the risk of shutting yourself out. I have tried that situation
myself, and I have seen others trapped in it.
> I only have ports 21, 22, 25, 80, and 8080 needing to be public, with 53
> needing to be open to the subnet. Everything else needs to be turned
> "off" or filtered.
I believe it's better and safer to simply clean+tighten up the system:
1. Uninstall unneeded software.
2. Close down unneeded network daemons which - for some
reason - cannot be uninstalled.
3. Upgrade remaining software if security
bugfixes have been released.
4. Use a command like
netstat -naep | grep -v '^unix' | egrep '(LISTEN|udp)'
to identify what might still be running+listening
on the network.
5. Limit remaining daemons to only listen on the "lo"
(and possibly other) interface(s), where possible.
6. Look at what users/privileges the remaining daemons are
running as/with and see if it's possible and relevant
to tighten up.
7. Consider running (some of the) remaining daemons in
a chroot'ed environment.
By now, ipchains/iptables could very well be unneeded (and thus candidates
for deletion, per rule 1), because all that's listening really should be
available, so packet filtering is waste of clock cycles and just another
error-potential.
When I say "better and safer", it's because such a methology leads to
simpler/leaner setups, less resources being used by unneeded software, and
less software to keep updated.
In the case of port 53 where you want it open to a specific subnet: BIND
can easily be configured for such needs, through its "listen-on" and/or
"listen-on-v6" configuration options.
--
Greetings from Troels Arvin, Copenhagen, Denmark
More information about the fedora-legacy-list
mailing list