[techtalk] Default Deny

Brian Engle bengle at fti-net.com
Thu Jan 27 16:07:22 EST 2000


someone might want to correct me if I'm wrong on this....

my default firewall rules are set to REJECT:

# Change default policies to REJECT.  
#
# We want to only EXPLICITLY allow what traffic is allowed IN and OUT of the
# firewall.  All other traffic will be implicitly blocked.
#
echo "  - Set default policies to REJECT"
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

REJECT is a little different than DENY in that rejecting it just looks at
the originating IP, sees if it's allowed, if not, connection closed...if
telnet traffic is rejected and someone tries to telnet, the client almost
immediately sends the message "Connection Refused." whereas if the rule is
set to DENY, it takes a little longer to respond and the output is usually
something like "Connection Closed by Foreign/Remote Host" which leads me to
believe that the connection was opened, it checked to see if it was allowed,
when it's not, it immediately closes the connection. I know it's getting
down to semantics, but REJECT checks before the connection is even
established, DENY establishes a connection before checking...if you're using
the firewall for security purposes (what other reason is there to have a
firewall?) then I would go with REJECT, but in the end, it's up to the user
I suppose....

In my firewall/masqing script, the only entry I have for DNS anywhere is:

# DNS: If you are running an authoritative DNS server, you must open
#      up the DNS ports on all interfaces to allow lookups.  If you are
#      running a caching DNS server, you will need to at least open the DNS
#      ports to internal interfaces.
#
#      It is recommended to secure DNS by restricting zone transfers and split
#      DNS servers as documented in Step 4.
#
# Disabled by default.
# echo "Optional parameter: DNS server"
#/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE -d $UNIVERSE domain
#/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $UNIVERSE domain

now since I am not running an authoritative DNS, I leave this section
commented out.
however, I can still get DNS to work fine. 

I am referring to the recent post that said it comes back on a high port (ie. >
1024), in which case you might use this ruleset:

# HIGH PORTS: 
#
# Enable all high unprivileged ports for all reply TCP/UDP traffic
#
# NOTE: The use of the "! -y" flag filters TCP traffic that doesn't have the
#       SYN bit set.  In other words, this means that any traffic that is
#       trying to initiate traffic to your server on a HIGH port will be
#       rejected.
#
#       The only HIGH port traffic that will be accepted is either return
#       traffic that the server originally initiated or UDP-based traffic.
#
# NOTE2: Please note that port 20 for ACTIVE FTP sessions should NOT use
#        SYN filtering.  Because of this, we must specifically allow it in.
#
echo "  - Enabling all input REPLY (TCP/UDP) traffic on high ports."
/sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p tcp -s $UNIVERSE ftp-data -d $EXTIP $UNPRIVPORTS
/sbin/ipchains -A input -j ACCEPT -p udp -s $UNIVERSE -d $EXTIP $UNPRIVPORTS


since this is a shell script, there is ample use of variables, to make
things easier, here are some of the variable declarations for the above:

UNIVERSE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"


this way, info coming in on high ports gets through only if it was requested
by a machine on the local net. perhaps this might help. 

You might also check
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html which is where I
got the original version of my firewall script, it's from a package called
TrinityOS by David Ranch...I've bastardized the firewall script, and that
was really the only thing I used from the tar file he offers there, but if
you follow the link for TrinityOS, there's a really long page that's got
firewall rulesets for ipchains and ipfwadm, along with several other ways to
improve linux system security, which files need to be chmod 4xxx to run and
which ones don't, which files need to be world-readable, things like that.
There's a shell script that you can run that will do all this for you in the
tar file, but I would suggest a backup first, I tried it on a mandrake
machine and afterwards it refused to boot, don't know if it was something the
script changed or if it was some other program I had run or what, but I've
tried to avoid running the script to save myself a reinstall. maybe in
another week or two I'll get brave enough to try it again. But the
firewall/masqing script is great...I've learned everything I know about
ipchains from it, the commenting is excellent, great for any newbie, pretty
much all you need to know how to do is edit a text file or two, put it in
/etc/rc.d/ and have it run at startup....if you're on a modem connection,
you probably also want to put it in /etc/ppp/ip-up so that it re-executes
with your new external IP (if you get dynamic IP assigned by your ISP)...I
can't give it a high enough review.....


Brian

> -----Original Message-----
> From: Subba Rao [mailto:subb3 at attglobal.net]
> Sent: Thursday, January 27, 2000 11:52 AM
> To: techtalk at linuxchix.org
> Subject: [techtalk] Default Deny
> 
> 
> 
> Hi,
> 
> I have been using ipchains for a while and am fairly 
> comfortable with them.
> 
> Now my filtering needs are growing and becoming more 
> specific. So, I decided
> to impose the DENY policy as the default on the "input" chain 
> (for the external
> interface). After I DENY everything at first and try to 
> implement the following
> rule:
> 
>   1. Allow only specific subnets on the external interface to 
> port X, on input chain.
> 
> I cannot go out to the Web nor resolve any DNS names. Mail 
> will not go out.
> My system does have a small DNS which forwards requests to my 
> ISP's nameserver.
> Nothing really works.
> 
> ======= The default DENY Policy on input chain ======
>         ipchains -P input DENY
>         ipchains -A input -i lo -j ACCEPT
>         ipchains -A input -i ppp0 -s 10.0.0.0/8 -l -j DENY
>         ipchains -A input -i ppp0 -p TCP -s 0.0.0.0/0 -d $LOCALIP X -l -j ACCEPT
> 
>         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
>         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT
> 
> ======= The default DENY Policy on input chain ======
> 
> Any idea how to use the default DENY policy and yet going out 
> to the Internet and
> use the Internet services?
> 
> Subba Rao
> subb3 at attglobal.net
> http://pws.prserv.net/truemax/
> 
>  => Time is relative. Here is a new way to look at time. <=
> http://www.smcinnovations.com
> 
> 
> 
> 
> ************
> techtalk at linuxchix.org   http://www.linuxchix.org
> 

************
techtalk at linuxchix.org   http://www.linuxchix.org
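Added example, not part of either message above: a small first-match model of an ipchains input chain (constructed here, not the kernel's code) that shows why the quoted chain with an accept only for UDP port 53 drops the reply to a forwarded DNS query, while the high-port rules from Brian's script accept it and still reject fresh inbound SYNs. The local IP and ISP nameserver addresses are placeholders; interfaces and logging flags are not modelled.

```python
# Constructed model of ipchains first-match evaluation (not ipchains itself).
# A packet is a dict; a rule matches on proto, src/dst network, ports and,
# for TCP, the SYN bit ("! -y" in ipchains means syn=False here).
from ipaddress import ip_network, ip_address

LOCALIP, ISP_NS = "192.0.2.10", "198.51.100.53"   # placeholder addresses

def rule(target, proto=None, src="0.0.0.0/0", sport=None,
         dst="0.0.0.0/0", dport=None, syn=None):
    """One chain entry; sport/dport are an int or an (lo, hi) range."""
    return dict(target=target, proto=proto, src=ip_network(src), sport=sport,
                dst=ip_network(dst), dport=dport, syn=syn)

def _port_ok(spec, port):
    if spec is None:
        return True
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)
    return lo <= port <= hi

def matches(r, pkt):
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and _port_ok(r["sport"], pkt["sport"])
            and _port_ok(r["dport"], pkt["dport"])
            and (r["syn"] is None or r["syn"] == pkt.get("syn", False)))

def verdict(chain, policy, pkt):
    """First matching rule wins; otherwise the chain's default policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# The quoted chain: spoofed 10/8 is dropped, UDP is accepted only to port 53.
# A reply to the local forwarder's own query arrives at a high port, so it
# matches nothing and falls through to the DENY policy.
SUBBA = [rule("DENY", src="10.0.0.0/8"),
         rule("ACCEPT", "udp", src=ISP_NS, dst=LOCALIP, dport=53)]
# Brian's high-port rules: non-SYN TCP, ftp-data, and any UDP to 1024:65535.
HIGH = (1024, 65535)
BRIAN = [rule("ACCEPT", "tcp", dst=LOCALIP, dport=HIGH, syn=False),
         rule("ACCEPT", "tcp", sport=20, dst=LOCALIP, dport=HIGH),
         rule("ACCEPT", "udp", dst=LOCALIP, dport=HIGH)]

DNS_REPLY = dict(proto="udp", src=ISP_NS, sport=53, dst=LOCALIP, dport=34567)
NEW_SYN = dict(proto="tcp", src="203.0.113.7", sport=44444, dst=LOCALIP, dport=8080, syn=True)

if __name__ == "__main__":
    print(verdict(SUBBA, "DENY", DNS_REPLY))    # DENY
    print(verdict(BRIAN, "REJECT", DNS_REPLY))  # ACCEPT
    print(verdict(BRIAN, "REJECT", NEW_SYN))    # REJECT
```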
