Identify Protective Firewall Needs


There is sufficient weight of evidence from media reports and from professional security sources to justify the claim that all publicly exposed network interfaces must be protected. Crackers find an unprotected Unix/Linux system hard to resist.

Many network administrators argue that internal network traffic can be trusted and that internal computer systems do not require stringent protective barriers from people inside the organization. On the other hand, the conclusion of at least one researcher is that insider jobs are the single largest financial threat to information technology users (as found at http://research.rutgers.edu/~ungurean/610/Security.ppt).

In 2000, Global Health Trax Inc. reported that its old web site had been opened to unauthorized access in January, possibly because of sabotage by disgruntled employees (see http://www2.norwich.edu/mkabay/iyir/2000.PDF). Although there was no evidence of penetration, detailed account information about hundreds of distributors, including bank account and credit card numbers, was unprotected for several hours.

There is therefore a good argument that even internal network interfaces should be treated with the same suspicion that the external interface attracts. Consider the risk and structure your firewall to provide a measure of protection that matches the level of risk you are comfortable with. If you are as paranoid as we are, you may choose to be totally paranoid.

When security is at risk, it is better to be prepared than to be sorry later. You may conclude otherwise, but the weight of evidence strongly demonstrates that computer systems and the resources they hold must be protected from insiders as much as from outsiders.

Protective Strategy

Forward thinking is essential in firewall design. Consider what will happen in the event that specific firewall rules fail. Even though the risk may be minimal, still consider the effect of a system intrusion and exposure of critical data. The best policy is to never give a criminal a fair break. The default policy on all network interfaces should be to drop (or deny) network traffic, so that anything not explicitly permitted by a rule never reaches a service.

Firewall rules can be created that will specifically permit certain network traffic to pass to the Linux system. Table 3-4 provides guidelines of what may be permitted through the firewall.

Every server on your network should be assessed from a risk and exposure perspective. If a machine stores only inconsequential data, it may not warrant the effort and overhead of affording it a high level of protection. On the other hand, every server that stores and/or processes sensitive data really ought to be well protected, and monitored. Simply protecting a system once is not a sufficient measure, unless it is monitored, action is taken when necessary, and regular updates are made to keep pace with new and potentially aggressive methods by which the system may be compromised.

This is a good place to reiterate that every service running on a computer system may be attacked. In fact, the only secure computer system is one that is turned off and embedded in a steel-reinforced block of concrete.

An attacker may attempt to flood your system with seemingly legitimate network service requests, effectively denying legitimate users from being serviced. This is known as a denial-of-service (DoS) attack. An attacker may attempt to exploit a known weakness or security hole in a service, or they may misuse legitimate credentials for unauthorized purposes. Your duty as a networking professional is to make unauthorized network service use as difficult as possible.

One last matter should be noted. The firewall rules should permit network requests only to services that are actually being provided on the system. Never permit access to a service that is not operational, or that is not being routinely monitored: an open port with nothing behind it today is an unguarded door for whatever gets installed there tomorrow.
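The two rules just stated (default policy DROP, and permit only services that are actually being provided) are easy to state and easy to let drift as services are added and removed. The following Python script is an added example, not part of the book: it cross-checks text in the format printed by iptables -L -n against text in the format printed by ss -ltun and reports INPUT/FORWARD chains whose policy is not DROP, ports that an ACCEPT rule opens although nothing listens on them, and listeners that no rule explicitly admits. Both inputs below are constructed samples (no real host was queried); the rule sample mirrors the 22/25/53/80/443 allow list used later in this chapter.

```python
"""Cross-check a default-deny firewall against what the host actually listens on.

Added example, not from the book. Parses `iptables -L -n` style text and
`ss -ltun` style text and reports:
  * INPUT/FORWARD chains whose default policy is not DROP,
  * ports some ACCEPT rule opens although no service listens on them,
  * listening ports that no ACCEPT rule explicitly admits.
Without -v, `iptables -L -n` does not show interfaces, so a port counts as
"opened" regardless of which interface the rule is bound to.
"""
import re

# Constructed `iptables -L -n` output, matching the chapter's allow list.
RULES_OK = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Same rules with an accept-everything INPUT policy: the failure mode the
# chapter warns about, where protection depends on every rule loading.
RULES_OPEN_POLICY = RULES_OK.replace("Chain INPUT (policy DROP)",
                                     "Chain INPUT (policy ACCEPT)")

# Constructed `ss -ltun` output: sshd, smtp, http(s) and the portmapper are
# up; no name server is running on this host.
LISTENERS = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
tcp    LISTEN  0       128     0.0.0.0:111          0.0.0.0:*
udp    UNCONN  0       0       0.0.0.0:111          0.0.0.0:*
udp    UNCONN  0       0       127.0.0.1:323        0.0.0.0:*
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
DPT_RE = re.compile(r"\b(tcp|udp) dpt:(\d+)\b")


def parse_policies(rules):
    """Map built-in chain name -> default policy."""
    policies = {}
    for line in rules.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def parse_accepted_ports(rules):
    """Set of (proto, port) that some ACCEPT rule opens by destination port."""
    opened = set()
    for line in rules.splitlines():
        if not line.startswith("ACCEPT"):
            continue
        m = DPT_RE.search(line)
        if m:
            opened.add((m.group(1), int(m.group(2))))
    return opened


def parse_listeners(ss_output):
    """Set of (proto, port) bound to a non-loopback address."""
    listening = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets never cross the firewall
        listening.add((proto, int(port)))
    return listening


def audit(rules, ss_output):
    policies = parse_policies(rules)
    opened = parse_accepted_ports(rules)
    listening = parse_listeners(ss_output)
    return {
        # Chains that admit traffic must fail closed.
        "open_policy": sorted(c for c in ("INPUT", "FORWARD")
                              if policies.get(c) != "DROP"),
        # A rule that opens a port nothing serves should be removed.
        "allowed_not_listening": sorted(opened - listening),
        # Reachable only through some broader rule (e.g. an interface-wide
        # ACCEPT on the internal NIC); each one needs a deliberate decision.
        "listening_not_allowed": sorted(listening - opened),
    }


if __name__ == "__main__":
    for name, rules in (("default-deny", RULES_OK),
                        ("accept-policy", RULES_OPEN_POLICY)):
        print(name, audit(rules, LISTENERS))
```

On a live host, feed it the real output: audit(open("rules.txt").read(), open("ss.txt").read()) after saving iptables -L -n and ss -ltun to those files. In the sample, the DNS rules are flagged because no name server is listening, and the portmapper on 111/tcp and 111/udp is flagged because no rule admits it.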

Configure the Firewall

Now that you have carefully considered the default policy regime as well as specific security rules that can be applied, the next challenge is to implement them.

This book encourages you to make use of standard facilities provided by Red Hat and SUSE for use with their enterprise Linux products. The building of specific, hand-crafted firewall rules requires experience and a detailed understanding of the principles of network operation. A clear, in-depth understanding of the techniques used by crackers and potential assailants is also essential to the design and implementation of a purpose-built secure firewall.

SUSE Linux Firewall Configuration

The configuration of the standard SLES8 Linux firewall facility may be performed using the YaST2 toolset. The following procedure will take you through the necessary steps for a system that has two network interfaces, one external Internet connection and the other connected to a private network.

  1. Log into the system as the user root.

  2. Click the toolbar icon with the SUSE gecko logo with a hammer and a spanner through it.

  3. Select YaST2 Modules → Security & Users → Firewall.

  4. The panel shown in Figure 3-6 will be displayed.

    Figure 3-6: SUSE Linux Firewall Configuration (Step 1 of 4): Basic Settings

  5. Select the External and Internal Interfaces in the boxes shown in Figure 3-6.

  6. Click Next.

  7. Click on the services you want to enable, as shown in Figure 3-7. If you enable protection of the internal network interface, it is necessary to select the protocols that internal users need to access via the internal interface. If you choose to not protect the internal interface, select only protocols that foreign users (outside your internal network) need to access.

    Figure 3-7: SUSE Linux Firewall Configuration (Step 2 of 4): Services

  8. Click Next.

  9. As shown in Figure 3-8, select the features you want to enable, paying careful attention to the guidelines in the left panel regarding each option. It is essential to enable traffic forwarding and masquerading if the internal network uses RFC 1918 (private) addresses: 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), or 192.168.0.0/16. Those addresses are not routable on the Internet, so without address translation replies to internal hosts would never find their way back.

    Figure 3-8: SUSE Linux Firewall Configuration (Step 3 of 4): Features

  10. Click Next.

  11. Select at least the top two logging options (as shown in Figure 3-9). This lets you identify, from the system log files (/var/log/messages and /var/log/warn), the source IP address of the unwanted requests that prompted the rule set to log them. This is an essential part of a defense process.

    Figure 3-9: SUSE Linux Firewall Configuration (Step 4 of 4): Logging Options

  12. Click Next.

  13. Figure 3-10 shows the control panel that appears. Click Continue to apply the firewall rule changes. The dialog panel shown in Figure 3-11 will report progress as the new rules are applied.

    Figure 3-10: SUSE Linux Save settings and activate firewall

    Figure 3-11: SUSE Linux Firewall configuration: saving settings

  14. When the progress meter shows 100%, click Quit to exit the firewall configuration tool.

Your SUSE system firewall has now been configured.

Red Hat Linux Firewall Configuration

Configuration of a basic firewall for Red Hat Enterprise Linux AS 3.0 can be achieved by following these steps:

  1. Log onto the system as the root user.

  2. On the desktop, click the Start Here icon.

  3. Select System Settings → Security Level.

  4. The panel shown in Figure 3-12 will appear. Select the Security Level and the protocols you want to permit to access this machine. Also check the network interfaces that you want to trust. Take care with your selection: any interface you enable is configured as a trusted device, and all traffic arriving on it is accepted without further filtering.

    Figure 3-12: The Red Hat firewall configuration tool

  5. Click OK.

  6. The dialog box shown in Figure 3-13 provides an opportunity to void the change or to commit it. Click Yes to proceed.

    Figure 3-13: The Red Hat firewall configuration confirmation

The Red Hat Linux firewall is now configured and applied. Unlike the default SUSE firewall, the Red Hat configuration leaves a default policy of ACCEPT for incoming traffic on a network interface; protection comes entirely from the rules the tool adds, so if those rules fail to load or are flushed, every service on the host is reachable. The correct operation of the rules is imperative.

Heads Up  

Red Hat sets a default policy to accept all incoming traffic on a network interface. This makes it critical that you configure rules to counter this, and that you verify (with iptables -L) that those rules are actually loaded after every reboot or rule change.

An Alternative Simple Linux Firewall Configuration

Listing 3-3, shown at the end of this chapter, was obtained by executing the iptables -L command on a SLES8 system that has had a firewall enabled through use of the YaST2 facility.

The complexity of these rules is readily apparent. Both the INPUT and FORWARD chains have a default policy of DROP. Exceptions are then made to permit desired traffic only, and both accepted and refused packets of interest are logged with a SuSE-FW- prefix so that the sources of hostile traffic can later be identified.

If you want to understand how the firewall rules operate, take some time to familiarize yourself with the structure, design, and method of implementation of firewall rules and exception handling. The exception reporting methods used in the rule set generated on this system are extensive and produce a large volume of logged data.

Heads Up  

It makes sense to monitor and act on all logged data. If you do not intend to monitor and act on the exception reports, it does not make sense to create voluminous detailed information.

If you want to install an alternative firewall strategy, the script in Listing 3-2 must be modified to meet local needs (at a minimum, the interface names and the list of permitted ports). It can be configured to run as part of the startup process from the script /etc/rc.d/rc.local or from any alternative startup script. If you decide to use an alternative startup method, be sure to implement the firewall as early as possible, preferably before network services are started; rc.local runs last in the boot sequence, so any service that starts before it is briefly exposed.

The nice thing about this script is the ease with which you can add or remove protocols, as well as the fact that it uses a default policy to drop all incoming network requests unless a rule explicitly specifies otherwise. A forgotten or mistyped rule therefore fails closed (a service is unreachable) rather than open.

Listing 3-2: An alternative masquerading firewall script

#!/bin/sh
echo -e "\n\nLoading NAT firewall.\n"
IPTABLES=/usr/sbin/iptables
EXTIF="eth0"       # Internet-facing interface
INTIFA="eth1"      # private (RFC 1918) network
echo "   External Interface:  $EXTIF"
echo "   Internal Interfaces: $INTIFA"
echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ".  Done loading modules."
# Set the DROP policy before flushing, so the host is never open while
# the rules are being rebuilt. OUTPUT (traffic from this host) is trusted.
echo "   Clear existing rules, then setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A INPUT -i lo -j ACCEPT
# Everything arriving on the internal interface is accepted. Tighten this
# if you take the insider argument earlier in the chapter seriously.
$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
# Replies to connections this host initiated.
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable incoming traffic for: SSH, SMTP, DNS(tcp), HTTP, HTTPS
for i in 22 25 53 80 443
do
    $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $i -j ACCEPT
done
# Allow DNS(udp)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
echo "Allow all connections OUT and only existing and specified ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
# Anything else that reaches FORWARD is logged, then dropped by the policy.
$IPTABLES -A FORWARD -j LOG
echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Forwarding is switched on last, after the FORWARD chain is in place.
echo "   Enabling IP_forwarding.. "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\nNAT firewall done.\n"
 

The primary defense mechanism in use today is the firewall, with secondary protection afforded by tcp_wrappers. Your firewall rules table includes provision for logging of network access attempts that are unexpected, originate from unacceptable sources, or exhibit potentially detrimental characteristics.

Hopefully, you will have deduced that there can be no such thing as a perfectly secure firewall. It is strongly recommended that you work with an attitude that every reported exception should be treated with suspicion and that you will identify the source of the exception and take appropriate action to protect the integrity of the system as well as that of the network resources it is designed to protect.
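Step 11 of the SUSE procedure, the Heads Up on acting on logged data, and the paragraph above all come down to the same task: pull the SuSE-FW- entries out of /var/log/messages and decide which sources deserve action. The Python script below is an added example, not from the book. Its log lines are constructed to match the format the kernel LOG target writes (the rule's prefix followed by KEY=VALUE fields); the hostname, timestamps and the addresses (taken from the RFC 5737 documentation ranges) are invented. The scan threshold of three distinct refused ports is an assumption, not a value the chapter gives.

```python
"""Triage SuSEfirewall2 LOG entries from /var/log/messages.

Added example, not part of the book. Groups refused packets by source
address, records the destination ports each source was refused on, flags
sources that probed several ports (a port scan) and lists sources that
tripped the anti-spoofing rules. Accepted traffic (SuSE-FW-ACCEPT*) is
counted but not treated as an exception.
"""
import re
from collections import defaultdict

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
Mar  3 10:12:01 linux kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:12:03 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=2 DF PROTO=TCP SPT=4321 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:12:03 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=3 DF PROTO=TCP SPT=4322 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:12:04 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=4 DF PROTO=TCP SPT=4323 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:12:04 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=5 DF PROTO=TCP SPT=4324 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:12:09 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= SRC=192.168.57.99 DST=192.0.2.10 LEN=40 TTL=64 ID=6 PROTO=TCP SPT=1025 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Mar  3 10:12:15 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=84 TTL=250 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=700 SEQ=1
Mar  3 10:12:20 linux sshd[2211]: Accepted publickey for admin from 198.51.100.20 port 40001 ssh2
"""

# "kernel: <prefix> KEY=VALUE KEY=VALUE ..."; the prefix is whatever the
# rule's --log-prefix was, here the SuSE-FW-* names seen in Listing 3-3.
LINE_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z_-]+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_entries(log_text):
    """Return one dict per firewall LOG line; other syslog lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # sshd, cron, etc.
        fields = dict(KV_RE.findall(m.group("fields")))
        entries.append({
            "prefix": m.group("prefix"),
            "iface": fields.get("IN", ""),
            "src": fields.get("SRC"),
            "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
        })
    return entries


def triage(log_text, scan_threshold=3):
    """Summarise the exceptions an operator should look at first."""
    entries = parse_entries(log_text)
    by_prefix = defaultdict(int)
    drops = defaultdict(int)           # src -> refused packets
    refused_ports = defaultdict(set)   # src -> distinct ports refused on
    for e in entries:
        by_prefix[e["prefix"]] += 1
        if e["prefix"].startswith("SuSE-FW-ACCEPT"):
            continue  # permitted traffic, logged for audit only
        drops[e["src"]] += 1
        if e["dpt"] is not None:
            refused_ports[e["src"]].add(e["dpt"])
    scanners = sorted(s for s, ports in refused_ports.items()
                      if len(ports) >= scan_threshold)
    spoofed = sorted({e["src"] for e in entries if "ANTI-SPOOF" in e["prefix"]})
    return {
        "by_prefix": dict(by_prefix),
        "drops_by_src": dict(drops),
        "port_scanners": scanners,
        "spoofed_sources": spoofed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real file with triage(open("/var/log/messages").read()). In the sample, 203.0.113.7 is reported as a scanner (four Windows/SQL ports refused in two seconds) and 192.168.57.99 as a spoofed source, since a packet claiming an internal address arrived on the external interface; both are the kind of exception the text says to chase down rather than ignore.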

In a later chapter, you will configure facilities that will automate the process of monitoring firewall logs with an emphasis on inducing you to take appropriate corrective action. We hope you are ready to move on; there is more work to be done.

Listing 3-3: SUSE SLES 8.0 firewall rules for dual interface configuration
Chain INPUT (policy DROP)
target       prot opt source               destination
ACCEPT       all  --  anywhere             anywhere
LOG          all  --  loopback/8           anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
LOG          all  --  anywhere             loopback/8           LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP         all  --  loopback/8           anywhere
DROP         all  --  anywhere             loopback/8
LOG          all  --  192.168.57.128       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP         all  --  192.168.57.128       anywhere
LOG          all  --  linux.demoworld.org  anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOFING '
DROP         all  --  linux.demoworld.org  anywhere
input_ext    all  --  anywhere             linux.demoworld.org
input_int    all  --  anywhere             192.168.57.128
DROP         all  --  anywhere             192.168.1.255
DROP         all  --  anywhere             255.255.255.255
DROP         all  --  anywhere             192.168.57.255
DROP         all  --  anywhere             255.255.255.255
LOG          all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCESS_DENIED_INT '
DROP         all  --  anywhere             linux.demoworld.org
LOG          all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-ILLEGAL-TARGET '
DROP         all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target       prot opt source               destination
TCPMSS       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT       all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
forward_int  all  --  anywhere             anywhere
LOG          all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-ILLEGAL-ROUTING '
DROP         all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
LOG          all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-FORWARD-ERROR '

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination
ACCEPT       all  --  anywhere             anywhere
LOG          icmp --  anywhere             anywhere             icmp time-exceeded LOG level warning tcp-options ip-options prefix 'SuSE-FW-TRACEROUTE-ATTEMPT '
ACCEPT       icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT       icmp --  anywhere             anywhere             icmp port-unreachable
ACCEPT       icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT       icmp --  anywhere             anywhere             icmp network-prohibited
ACCEPT       icmp --  anywhere             anywhere             icmp host-prohibited
ACCEPT       icmp --  anywhere             anywhere             icmp communication-prohibited
DROP         icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT       all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
LOG          all  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-OUTPUT-ERROR '

Chain forward_dmz (0 references)
target       prot opt source               destination
LOG          all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.1.0/24       anywhere
LOG          all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.57.0/24      anywhere
LOG          all  --  anywhere             192.168.57.128       LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP         all  --  anywhere             192.168.57.128
LOG          all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP         all  --  anywhere             linux.demoworld.org
ACCEPT       icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT       all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG          tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP         all  --  anywhere             anywhere

Chain forward_ext (1 references)
target       prot opt source               destination
LOG          all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.57.0/24      anywhere
LOG          all  --  anywhere             192.168.57.128       LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP         all  --  anywhere             192.168.57.128
ACCEPT       icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT       all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG          tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP         all  --  anywhere             anywhere

Chain forward_int (1 references)
target       prot opt source               destination
LOG          all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.1.0/24       anywhere
LOG          all  --  anywhere             linux.demoworld.org  LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-CIRCUMVENTION '
DROP         all  --  anywhere             linux.demoworld.org
ACCEPT       icmp --  anywhere             anywhere             state RELATED icmp destination-unreachable
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT       all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG          tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP         all  --  anywhere             anywhere

Chain input_dmz (0 references)
target       prot opt source               destination
LOG          all  --  192.168.1.0/24       anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.1.0/24       anywhere
LOG          all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.57.0/24      anywhere
ACCEPT       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp address-mask-reply
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp type 2 LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
DROP         icmp --  anywhere             anywhere
reject_func  tcp  --  anywhere             anywhere             tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT       tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT       tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT       udp  --  frodo.demoworld.org  anywhere             state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP         udp  --  anywhere             anywhere             udp dpt:ssh
DROP         udp  --  anywhere             anywhere             udp dpt:bootpc
DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP         udp  --  anywhere             anywhere             udp dpt:x11
ACCEPT       udp  --  anywhere             anywhere             state RELATED,ESTABLISHED udp dpts:1024:65535
LOG          tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          udp  --  anywhere             anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          all  --  anywhere             anywhere             state INVALID LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID '
DROP         all  --  anywhere             anywhere

Chain input_ext (1 references)
target       prot opt source               destination
LOG          all  --  192.168.57.0/24      anywhere             LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF '
DROP         all  --  192.168.57.0/24      anywhere
LOG          icmp --  192.168.1.0/24       anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT-SOURCEQUENCH '
ACCEPT       icmp --  192.168.1.0/24       anywhere             icmp source-quench
ACCEPT       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp echo-reply
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT       icmp --  anywhere             anywhere             state RELATED,ESTABLISHED icmp address-mask-reply
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp address-mask-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
LOG          icmp --  anywhere             anywhere             icmp type 2 LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT '
DROP         icmp --  anywhere             anywhere
LOG          tcp  --  anywhere             anywhere             tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:http
LOG          tcp  --  anywhere             anywhere             tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:https
LOG          tcp  --  anywhere             anywhere             tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:smtp
LOG          tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED tcp dpt:ssh
reject_func  tcp  --  anywhere             anywhere             tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP '
DROP         tcp  --  anywhere             anywhere             tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG          tcp  --  anywhere             anywhere             tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-ACCEPT '
ACCEPT       tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT       tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT       tcp  --  anywhere             anywhere             state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT       udp  --  frodo.demoworld.org  anywhere             state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP         udp  --  anywhere             anywhere             udp dpt:ssh
DROP         udp  --  anywhere             anywhere             udp dpt:bootpc
DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP         udp  --  anywhere             anywhere             udp dpt:x11
ACCEPT       udp  --  anywhere             anywhere             state RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT       udp  --  anywhere             anywhere             state ESTABLISHED udp dpts:61000:65095
LOG          tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp source-quench LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp redirect LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp echo-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere             icmp timestamp-request LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT '
LOG          icmp --  anywhere             anywhere
icmp \ address-mask-request LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-DROP-DEFAULT ' LOG        udp  --  anywhere             anywhere           LOG level warning \ tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT ' LOG        all  --  anywhere             anywhere           state INVALID LOG \ level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID ' DROP       all  --  anywhere             anywhere          Chain input_int (1 references) target     prot opt source               destination        LOG        all  --  192.168.1.0/24       anywhere           LOG level warning \ tcp-options ip-options prefix 'SuSE-FW-DROP-ANTI-SPOOF ' DROP       all  --  192.168.1.0/24       anywhere          ACCEPT     all  --  anywhere             anywhere          ACCEPT     icmp --  anywhere             anywhere           icmp echo-request ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp echo-reply ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp destination-unreachable ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp time-exceeded ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp parameter-problem ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp timestamp-reply ACCEPT     icmp --  anywhere             anywhere           state \ RELATED,ESTABLISHED icmp address-mask-reply LOG        icmp --  anywhere             anywhere           icmp redirect LOG \ level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT ' LOG        icmp --  anywhere             anywhere           icmp source-quench \ LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT ' LOG        icmp --  anywhere             anywhere           icmp \ timestamp-request LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-DROP-ICMP-CRIT 
' LOG        icmp --  anywhere             anywhere           icmp \ address-mask-request LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-DROP-ICMP-CRIT ' LOG        icmp --  anywhere             anywhere           icmp type 2 LOG \ level warning tcp-options ip-options prefix 'SuSE-FW-DROP-ICMP-CRIT ' DROP       icmp --  anywhere             anywhere          reject_func  tcp  --  anywhere             anywhere           tcp dpt:ident \ flags:SYN,RST,ACK/SYN LOG        tcp  --  anywhere             anywhere           tcp dpts:1024:65535 \ flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-ACCEPT ' ACCEPT     tcp  --  anywhere             anywhere           state \ RELATED,ESTABLISHED tcp dpts:1024:65535 ACCEPT     tcp  --  anywhere             anywhere           state ESTABLISHED \ tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN ACCEPT     tcp  --  anywhere             anywhere           state ESTABLISHED \ tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN ACCEPT     udp  --  frodo.demoworld.org  anywhere           state \ NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535 ACCEPT     udp  --  anywhere             anywhere           state \ RELATED,ESTABLISHED udp dpts:1024:65535 LOG        tcp  --  anywhere             anywhere           tcp \ flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-DROP-DEFAULT ' LOG        icmp --  anywhere             anywhere           icmp source-quench \ LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT ' LOG        icmp --  anywhere             anywhere           icmp redirect LOG \ evel warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT ' LOG        icmp --  anywhere             anywhere           icmp echo-request \ LOG level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT ' LOG        icmp --  anywhere             anywhere           icmp \ timestamp-request LOG level warning tcp-options ip-options prefix 
'SuSE-FW-DROP-DEFAULT ' LOG        icmp --  anywhere             anywhere           icmp \ address-mask-request LOG level warning tcp-options ip-options prefix \ 'SuSE-FW-DROP-DEFAULT ' LOG        udp  --  anywhere             anywhere           LOG level warning \ tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT ' LOG        all  --  anywhere             anywhere           state INVALID LOG \ level warning tcp-options ip-options prefix 'SuSE-FW-DROP-DEFAULT-INVALID ' DROP       all  --  anywhere             anywhere Chain reject_func (3 references) target     prot opt source               destination REJECT     tcp  --  anywhere             anywhere           reject-with \ tcp-reset REJECT     udp  --  anywhere             anywhere           reject-with \ icmp-port-unreachable REJECT     all  --  anywhere             anywhere           reject-with \ icmp-proto-unreachable 
end example
 



Hardening Linux
ISBN: 0072254971
Year: 2004
Pages: 113
