[Gllug] Basic Firewall Policy

Bruce Richardson itsbruce at uklinux.net
Thu Feb 12 12:40:58 UTC 2004


On Thu, Feb 12, 2004 at 10:44:51AM +0000, Rev wrote:
> Using one of the many available firewalling scripts should do the
> trick.  The basic principle you want is to close off EVERY port you
> don't have a really good reason for keeping open.

This may sound daft but try not to look at it from a ports perspective.
Use iptables and look at it from a connections point of view.  The way
to do it with a stateful firewall tool is look at what kind of
traffic you will allow in any given direction, not (initially) which
ports or services.

So you might start by saying "no traffic in any direction", then you
might say "Allow connections out in direction X, outbound traffic that
relates to any already established connections in direction X and any
incoming traffic from direction X that is associated with established
connections".  That is actually sufficient for a typical home user
set-up.  If you want to block certain kinds of outgoing connections,
*then* you start getting specific but with a stateful firewall you
establish general policy first.

So if you then want to allow access from direction X to internal
services, you may first need to add a rule to say "allow outgoing
traffic that relates to an established inbound connection", to prevent
connections to inbound services from being snarled in restrictions that
you apply to outgoing connections.  Then you can add rules to enable
specific incoming connections.

-- 
Bruce

Hummingbirds are the only birds that can fly backwards, apart from
ostriches if you punch them hard enough.
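The policy laid out in the message above, written out as an iptables-restore ruleset. This is an added example, not code from Bruce's message: the interface name eth0 standing in for "direction X", the single inbound service on TCP port 22 and the conntrack match (the modern spelling of what 2004-era iptables wrote as `-m state --state`) are all assumptions.

```shell
#!/bin/sh
# Added example: stateful policy first, specific services last.
# WAN_IF is "direction X"; defaults are constructed for illustration.
WAN_IF="${WAN_IF:-eth0}"
# Inbound services to open only after the general policy is in place.
INBOUND_TCP_PORTS="${INBOUND_TCP_PORTS:-22}"

# Prints the ruleset in iptables-restore format; apply with
# "build_ruleset | iptables-restore" as root.
build_ruleset() {
    printf '%s\n' '*filter'
    # 1. "No traffic in any direction": every chain defaults to DROP.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback is local, not a "direction", but nothing works without it.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # 2. Traffic belonging to already established connections, both ways.
    #    The OUTPUT rule sits before any outbound restriction, so replies
    #    from an inbound service are never snarled by those restrictions.
    printf '%s\n' "-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. New connections out in direction X.  Outgoing restrictions, if any,
    #    would be inserted just above this line.
    printf '%s\n' "-A OUTPUT -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    # 4. Only now: specific new inbound connections to internal services.
    for p in $INBOUND_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

if [ "${1:-}" = "apply" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```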