Iptables initialization

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Feb 14 08:47:07 PST 2004


Okay, for those who are going to assume my tone to be hostile in this
email: try to remember to breathe.  I am not hostile, I am factual,
and reality itself is merciless.

On Thu, 2004-02-12 at 22:00, Robert Connolly wrote:
> On February 12, 2004 05:54 pm, Dagmar d'Surreal wrote:
> > PRINCIPLE OF LEAST PRIVILEGE: That which is not explicitly allowed, is
> > automatically denied.
> 
> This is much easier said than done. Firewalls, and rbac too, can only filter 
> protocols they know about. Much more than tcpip can pass through ethernet or 
> dsl cable from someone on the same physical network (your isp). I don't know 
> much about iptables or how many protocols it filters, but a default deny 
> policy would have to include arp, ipx, and misc protocols that can travel on 
> a lan. I don't know if there is a way to block unknown protocols...

No.  This is wrong thinking.  Firewalls and access lists do not filter
things that they don't know about--they deny them by fiat.  Remember the
Principle of Least Privilege.  Having a machine route IPX packets
without being able to filter them is a vulnerability, and in practice
you generally don't want IPX crossing firewall boundaries at all
anyway.  ARP is _not about_ to pass through a router since it would be
nearly useless to do so, and the misc protocols you mention in my
experience generally amount to IPSEC and VoIP which _are_ filterable.

> > (With respect to a host's participation in a network, it means that the
> > machine should initially respond to *no* packets whatsoever.  When a
> > host is acting as a firewall, it is especially important that this be
> > the case, and as to routers, it's actually documented in an RFC for
> > machines acting as routers that they should have their policies in place
> > before enabling any interface for routing.)
> 
> The RFC also says firewalls should reply to blocked traffic with reset 
> packets, and somewhere else it says /sbin/false should have --help. The 
> guidelines are not always motivated by security.

I've yet to spot one where it says it's /required/ that blocked traffic
be responded to.  That part is optional and only needed as a convenience
if you actually care to let someone know that traffic of a particular
type is administratively denied as opposed to simply not available.

> > Mind you, what folks should be thinking about is a generic method (i.e.,
> > a best practice) for implementing firewalling rulesets, not a list of
> > specific firewall rules that people should use.
> >
> > (hint: firewalling rules that won't match are a waste of CPU cycles)
> 
> As far as I know blackhole routing uses less resources than iptables, but I'm 
> guessing iptables gets to filter before packets go to routing. They should 
> work well together though.

You should read the HOWTO for iptables... there's a very nice diagram in
there showing the operational flow of traffic through the chains.  The
built-in chains of INPUT, OUTPUT, and FORWARD are passed through _after_
routing decisions, however we also have a couple of other chains
(POSTROUTING and PREROUTING IIRC) which trigger during the initial
stage, and the packets get passed through _anyway_ if we use even one of
these so we might as well take advantage of them to keep things tidy. 
...not to say that routing bogons directly to nowhere isn't a bad idea,
but it makes it difficult to log the presence of excess bogon traffic
and hinders Detection.

(Note the curious words I've been capitalizing folks.  They're part of a
formal model I intend to explain before the week is out)
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
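As an added example (not code from the message above or from the hlfs project), the following POSIX sh script shows what "policy in place before any interface comes up" and "log the bogons instead of blackholing them" look like in iptables terms. It builds the ruleset as text in iptables-restore format, so the whole thing is parsed and committed atomically rather than rule by rule, and it puts the bogon handling in raw/PREROUTING, which is traversed before the routing decision, while INPUT/FORWARD/OUTPUT default to DROP. The interface names, the LAN subnet and the bogon prefix list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: generate a default-deny iptables
# ruleset as text and load it atomically with iptables-restore before the
# interfaces are brought up, so the host answers nothing until policy exists.
# WAN/LAN names, LAN_NET and the BOGONS list are assumptions for illustration.

WAN=eth0                    # assumed external interface
LAN=eth1                    # assumed internal interface
LAN_NET=192.168.1.0/24      # assumed internal subnet

# Source prefixes that have no business arriving on the WAN side.
# Illustrative subset only (RFC 1918, loopback, link-local, multicast).
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4"

# Print the complete ruleset in iptables-restore format.
# raw/PREROUTING is hit before the routing decision; the filter chains after it.
gen_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # Bogons are logged (rate-limited so an attacker cannot flood syslog) and
    # then dropped in PREROUTING, before routing ever sees them.  Unlike a
    # blackhole route this leaves a record of how much of it is arriving.
    for net in $BOGONS; do
        printf -- '-A PREROUTING -i %s -s %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "BOGON: " --log-level 4\n' "$WAN" "$net"
        printf -- '-A PREROUTING -i %s -s %s -j DROP\n' "$WAN" "$net"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically: nothing is committed to the kernel until the
# whole file has parsed.  Run as root, before ifup/ifconfig on WAN and LAN.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

# Usage: sh firewall.sh          print the ruleset (dry run, no root needed)
#        sh firewall.sh --apply  load it, then bring the interfaces up
case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       gen_ruleset ;;
esac
```

Everything not explicitly accepted in the filter table falls through to the DROP policy, which is the "deny by fiat" the mail talks about; a protocol iptables has no match for simply never gets an ACCEPT. The dry-run output is also what you would diff against a running `iptables-save` to check that the loaded policy is the one you intended.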

More information about the hlfs-dev mailing list