Iplementing a firewall after-the-fact

[Troels Arvin]

On Wed, 01 Dec 2004 15:38:34 -0800, Eric Wagar wrote:

> Is there a safe way to implement a firewall (ipchains/iptables) after
> the fact?  After the fact being after I have already deployed the system
> at a remote site?

Remote playing with packet filters is tricky, because you - obviously -
face the risk of shutting yourself out. I have tried that situation
myself, and I have seen others trapped in it.

> I only have ports 21, 22, 25, 80, and 8080 needing to be public, with 53
> needing to be open to the subnet.  Everything else needs to be turned
> "off" or filtered.

I believe it's better and safer to simply clean+tighten up the system:

1. Uninstall unneeded software.
2. Close down unneeded network daemons which - for some
   reason - cannot be uninstalled.
3. Upgrade remaining software if security
   bugfixes have been released.
4. Use a command like
   netstat -naep | grep -v '^unix' | egrep '(LISTEN|udp)'
   to identify what might still be running+listening 
   on the network.
5. Limit remaining daemons to only listen on the "lo"
   (and possibly other) interface(s), where possible.
6. Look at what users/privileges the remaining daemons are
   running as/with and see if it's possible and relevant
   to tighten up.
7. Consider running (some of the) remaining daemons in
   a chroot'ed environment.

By now, ipchains/iptables could very well be unneeded (and thus candidates
for deletion, per rule 1), because all that's listening really should be
available, so packet filtering is waste of clock cycles and just another
error-potential.

When I say "better and safer", it's because such a methology leads to
simpler/leaner setups, less resources being used by unneeded software, and
less software to keep updated.

In the case of port 53 where you want it open to a specific subnet: BIND
can easily be configured for such needs, through its "listen-on" and/or
"listen-on-v6" configuration options.

-- 
Greetings from Troels Arvin, Copenhagen, Denmark