BBS水木清华站∶精华区
发信人: zixia (Do you zixia tonight), 信区: Linux
标 题: 11. Advice on Packet Filter Design he
发信站: BBS 水木清华站 (Wed Oct 11 01:19:05 2000) WWW-POST
Next Previous Contents
----------------------------------------------------------------------
11. Advice on Packet Filter Design
he
Common wisdom in the computer security arena is to block everything, then
open up holes as neccessary. This is usually phrased `that which is not
explicitly allowed is prohibited'. I recommend this approach if security
is your maximal concern.
Do not run any services you do not need to, even if you think you have
blocked access to them.
If you are creating a dedicated firewall, start by running nothing, and
blocking all packets, then add services and let packets through as
required.
I recommend security in depth: combine tcp-wrappers (for connections to
the packet filter itself), proxies (for connections passing through the
packet filter), route verification and packet filtering. Route
verification is where a packet which comes from an unexpected interface
is
dropped: for example, if your internal network has addresses 10.1.1.0/24,
and a packet with that source address comes in your external interface,
it
will be dropped. This can be enabled for one interface (ppp0) like so:
n
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#
Or for all existing and future interfaces like this:
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $f
# done
#
Debian does this by default where possible. If you have asymmetric
routing
(ie. you expect packets coming in from strange directions), you will want
to disable this filtering on those interfaces.
O
Logging is useful when setting up a firewall if something isn't working,
but on a production firewall, always combine it with the `limit' match,
to
prevent someone from flooding your logs.
I highly recommend connection tracking for secure systems: it introduces
some overhead, as all connections are tracked, but is very useful for
he
controlling access to your networks. You may need to load the
`ip_conntrack.o' module if your kernel does not load modules
automatically, and it's not built into the kernel. If you want to
accurately track complex protocols, you'll need to load the appropriate
helper module (eg. `ip_conntrack_ftp.o').
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad
pack
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad
pa
# iptables -A no-conns-from-ppp0 -j DROP
# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0
Building a good firewall is beyond the scope of this HOWTO, but my advice
is `always be minimalist'. See the Security HOWTO for more information on
testing and probing your box.
----------------------------------------------------------------------
n
Next Previous Contents
--
)))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((生命的欢喜可以再影印一张吗?((((((((((((
))))))))))))老去的热情可以再拉皮整形吗?))))))))))))
((((((((((((病中的真理可以再传真校对吗?((((((((((((
))))))))))))死掉的爱情可以再输入键出吗?))))))))))))
(((((((((((((((((((((((((((((((((((((((((((((((((((
※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.112.45.49]
BBS水木清华站∶精华区