Is my computer safe enough if I use just iptables?

Scot L. Harris webid at cfl.rr.com
Fri Oct 15 13:08:51 UTC 2004


On Fri, 2004-10-15 at 07:32, VJ wrote:
> Hi,
>   I have firewall script using iptables which runs from
> /etc/rc.d/rc.local. This script does nothing except allowing just http,
> smtp for outer world (inbound). All types of connections are allowed from
> the machine to the outerworld (outbound). I have not set anything else
> like in hosts.deny/hosts.allow or sshd.conf.
>   My question is, according to your knowledge, is my computer safe enough?
> Till now I have not suffered from any problem, but this cannot go on
> forever.

I don't know that anyone can judge if your system is "safe enough".  A
lot of that depends on how much risk you are willing to take with your
system.  I guess if you provide your IP address there would be a lot of
people willing to scan and try to hack your system for you, but I don't
think you really want to invite that kind of attention. :)

For home users I always recommend using one of those cheap hardware
firewalls between your systems and the Internet.  I know they are not
perfect but they are simple and easy to use.  I recommend this as they
are cheap and easy to setup and once in place you don't really have to
worry about them.  If you have your system directly connected then at
some point you may do something which stops iptables and could expose a
whole slew of ports and services to the Internet which may or may not
have vulnerabilities.  Particularly if you did not go through your
system and disable all unused services.

In the real world where you have regular firewalls in place most
companies not only block most things from coming into their network but
also block most things going out of their network.  This prevents a lot
of trojans from connecting to their master servers from inside the
firewall (although a lot of stuff tries to use port 80 and other similar
ports for services that are normally allowed to exit your LAN, but then
you can use proxies to handle some of that).

So it really comes down to a risk assessment that you have to do based
on your requirements.  Remember, there is nothing 100% secure that is
connected to the Internet.  You have to put enough security on your
system so that the vast majority of hackers don't find your system
easier to hack than someone else's system.  If you can achieve that then
you are probably secure enough.

Kind of like the two guys who stumble on a tiger in the woods.  The
first guy bends down and starts to change into tennis shoes.  The other
guy says "Don't you think you better be trying to out run the tiger?" 
The first guy says, "Don't have to, I just have to out run you."


-- 
Scot L. Harris
webid at cfl.rr.com

Go climb a gravity well! 
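An added example, not part of Scot's reply or of VJ's script: a firewall of the kind the thread discusses, written as an iptables-restore ruleset rather than a list of individual iptables commands, so it is loaded atomically and a typo cannot leave the host half-configured. It keeps the two inbound services VJ allows (HTTP and SMTP) and adds the egress filtering Scot describes, with a LOG rule so anything trying to phone home shows up in the kernel log. Assumptions that are not in the post: the public interface is eth0, and the only outbound traffic the host needs is DNS, HTTP/HTTPS, SMTP and NTP. The `conntrack` match is the modern replacement for the older `-m state --state` match.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: public interface
# is eth0 (override with WAN_IF=...), inbound HTTP and SMTP only, outbound
# limited to DNS, HTTP/HTTPS, SMTP and NTP.
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset in iptables-restore format. A function, so the rules can
# be reviewed (or checked by a test) without touching the live firewall.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# drop packets that claim to belong to a connection but do not
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections this host opened, and related traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the two inbound services the thread allows from the outside world
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping so the box stays diagnosable without inviting floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# egress: unlike "allow everything out", permit only what the host needs
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# log what the egress policy refuses: a trojan calling home lands here
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "egress-denied: "
COMMIT
EOF
}

# Count the rules that admit NEW inbound connections on the WAN interface.
# Handy as a sanity check that the exposed surface is exactly what you intend.
count_exposed_ports() {
    ruleset | grep -c -- "^-A INPUT -i $WAN_IF .*--ctstate NEW -j ACCEPT"
}

# With --apply, load the whole table at once (all or nothing). Without it,
# just print the ruleset for review.
case "${1:-}" in
    --apply) ruleset | iptables-restore ;;
    *) ruleset ;;
esac
```

Run it as root with `--apply` from rc.local (or save the printed output to /etc/sysconfig/iptables on a Fedora box so the iptables service reloads it at boot); run it with no argument first and read the output, since with an OUTPUT policy of DROP anything you forgot to allow simply stops working, and the "egress-denied:" lines in the kernel log will tell you what that was.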