Firewall suggestion: drop unsolicted input, accept output

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
GullibleJones
White ninja
White ninja
Posts: 13
Joined: 10 Jan 2012, 00:10
Location: The Independent Republic of Massachusetts

Firewall suggestion: drop unsolicted input, accept output

Post#1 by GullibleJones » 21 Feb 2013, 03:27

Taking a look at the Porteus firewall in 2.0, I've noticed it allows unsolicited input on allowed ports, as well as output. This is underutilizing iptables' stateful capabilities IMO, and maybe not very prudent.

I think it would be better to block all unsolicited inbound connections, period; and allow everything outbound. That would probably be a bit more secure, and more importantly would not annoy users who needed to make outbound requests on weird ports.

e.g. a set of iptables rules (usable for both IPv4 and IPv6) that did that might look, at a bare minimum, like this:

Code: Select all

*filter
# By default, drop everything except our own output
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Loopback - don't need to specify output rules because all output is accepted
-A INPUT -i lo -j ACCEPT
# Allow inbound for solicited connections only
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
Mind, that doesn't log anything, so it's not so great either; but the point is it doesn't leave any ports open to unsolicited connections, while not getting in the user's way with outbound stuff. :)

(But NB: I'm not an expert on iptables, so I could be way off. And all of the above being said, a firewall doesn't help much if a user runs something hostile.)

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Firewall suggestion: drop unsolicted input, accept outpu

Post#2 by brokenman » 22 Feb 2013, 00:12

Thanks for the feedback. Will check out the settings and test a little and perhaps integrate into the Settings Centre.
How do i become super user?
Wear your underpants on the outside and put on a cape.

Post Reply