Firewall suggestion: drop unsolicited input, accept output

Posted: 21 Feb 2013, 03:27
by GullibleJones
Taking a look at the Porteus firewall in 2.0, I've noticed it allows unsolicited input on allowed ports, as well as output. This is underutilizing iptables' stateful capabilities IMO, and maybe not very prudent.

I think it would be better to block all unsolicited inbound connections, period; and allow everything outbound. That would probably be a bit more secure, and more importantly would not annoy users who needed to make outbound requests on weird ports.

e.g. a set of iptables rules (usable for both IPv4 and IPv6) that did that might look, at a bare minimum, like this:

*filter
# By default, drop everything except our own output
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Loopback - don't need to specify output rules because all output is accepted
-A INPUT -i lo -j ACCEPT
# Allow inbound for solicited connections only
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

Mind, that doesn't log anything, so it's not so great either; but the point is it doesn't leave any ports open to unsolicited connections, while not getting in the user's way with outbound stuff. :)

(But NB: I'm not an expert on iptables, so I could be way off. And all of the above being said, a firewall doesn't help much if a user runs something hostile.)
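An audit script for rulesets of the kind discussed above, added here as an example; it is not part of the original post or of Porteus. It parses an iptables-save style dump of the filter table and flags the INPUT policy if it is not DROP, plus any INPUT ACCEPT rule that is not limited to loopback or to ESTABLISHED,RELATED connections, which is exactly the unsolicited-inbound gap the post describes. The sample ruleset is constructed: the post's rules plus one open-port ACCEPT to be caught.

```python
import shlex

# Constructed sample: the post's ruleset plus one rule of the kind the post
# objects to, an unconditional ACCEPT on a listening port.
SAMPLE_RULESET = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_filter_table(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line)[1:])  # drop the leading "-A"
    return policies, rules

def _solicited_only(argv):
    """True if an ACCEPT is limited to loopback or to already-tracked connections."""
    if "-i" in argv and argv[argv.index("-i") + 1] == "lo":
        return True
    for opt in ("--ctstate", "--state"):  # conntrack match and its older state alias
        if opt in argv:
            return set(argv[argv.index(opt) + 1].split(",")) <= {"ESTABLISHED", "RELATED"}
    return False

def audit(text):
    """Return findings (strings); an empty list means the ruleset matches the proposal."""
    policies, rules = parse_filter_table(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s, expected DROP" % policies.get("INPUT"))
    for argv in rules:
        if argv[0] == "INPUT" and "-j" in argv and argv[argv.index("-j") + 1] == "ACCEPT":
            if not _solicited_only(argv):
                findings.append("unsolicited inbound ACCEPT: -A " + " ".join(argv))
    return findings
```

Feed it the output of `iptables-save` (or `ip6tables-save`) to check a live box against the post's proposal.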

Re: Firewall suggestion: drop unsolicited input, accept output

Posted: 22 Feb 2013, 00:12
by brokenman
Thanks for the feedback. Will check out the settings and test a little and perhaps integrate into the Settings Centre.