General firewall question



If I have my iptables set up to not allow in any traffic originating
from the internet, do I need to worry about leaving the PC on and
connected 24x7?  I realize there are possible holes, if I have a server
program running, but if I don't have any running and no ports allowed
in can I tell my paranoid network admin not to worry?  Thanks!

Re: General firewall question

I should also state that I'm aware that user applications, like
browsers, have security problems.  So let's just throw applications to
the side and say that if I turn on the PC, enable the firewall and walk
away, can it be compromised just by sitting there?  That is not my
plan, but that is the root of my question.

Re: General firewall question

On Sun, 13 Mar 2005 16:09:14 -0800, awburton wrote:


If you "throw applications to the side", what is the point of being


With all due respect, and maybe I didn't understand your messages, but
either you should take full responsibility for the security of your system
yourself, or else you should find a way to work agreeably with whomever
has been assigned that responsibility.

Re: General firewall question


All I'm trying to do here is simplify the question.  Basically, if I
have a properly configured firewall, and ignoring for the moment
vulnerabilities in user applications, are there any other remote
access security issues to worry about?

Re: General firewall question

Aaron wrote:
Iptables is a very good firewall. It can be somewhat difficult to
configure. A well designed iptables configuration is quite safe -- but
as I said it is hard to configure. After you get a trial configuration
you should test it out 1) from outside and 2) from inside. The testing
can be tricky also.

It is my experience that people new to iptables do not do a very good
job with their first few (sometimes many) trial configurations. If you
are new to iptables then you should expect that your first tries will
not be 24/7 secure. If you have the help of a seasoned administrator you
should ask that person for help and advice. Also, even if you have an
administrator be careful as even seasoned professionals sometimes don't
get the configuration right the first time.

For your trial configurations I would suggest more rather than less
logging. Log not only denied but also initial allowed connections. Then
carefully review your logs while doing your testing. Once you get a
configuration you are happy with you can remove some of the 'allow'
logging. I usually log initial connections for ssh, and ftp as my site
does not have a lot of this traffic. I also have ssh and ftp
restricted to specific users and force them to use strong passwords --
that is, regular users CAN NOT change their passwords!

As others have said many times in this group "security is a process".
You should revisit your security plans on a regular basis and
periodically do all the testing and monitoring of your logs again and
again. It is a lot of work but it seems to be necessary.

I hope this helped.
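An added example, not code from the thread, of the kind of logged trial ruleset this post describes: unsolicited inbound traffic is dropped, denials and NEW inbound ssh connections are both logged, and a small helper summarises the resulting kernel log lines for review. It assumes a Linux host with the conntrack match and iptables-restore; the sample log lines are constructed, not captured.

```shell
#!/bin/sh
# Stateful ruleset in iptables-restore format: outbound is open, inbound is
# accepted only for replies to our own connections (plus new ssh), and every
# unsolicited inbound packet is logged (rate-limited) before being dropped.
RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "FW-ALLOW-NEW "
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "FW-DENY "
-A INPUT -j DROP
COMMIT
'

# Load the whole ruleset atomically (needs root; not run by the test below).
fw_apply() { printf '%s' "$RULESET" | iptables-restore; }

# Read kernel log lines on stdin and print "PREFIX SRC DPT COUNT", one line
# per distinct (verdict, source, destination port), so repeated probes and
# every allowed new connection stand out during review.
fw_summary() {
  awk '/FW-(DENY|ALLOW-NEW)/ {
    pfx = ""; src = "?"; dpt = "?"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^FW-/)       pfx = $i
      else if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    count[pfx " " src " " dpt]++
  }
  END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Constructed sample of what the LOG target writes (fields abbreviated).
SAMPLE_LOG='Mar 13 16:09:14 host kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=445 SYN
Mar 13 16:09:15 host kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=445 SYN
Mar 13 16:09:20 host kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=23 SYN
Mar 13 16:10:02 host kernel: FW-ALLOW-NEW IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=22 SYN
Mar 13 16:10:03 host kernel: eth0: link is up'

printf '%s\n' "$SAMPLE_LOG" | fw_summary
```

Once the configuration is trusted, the FW-ALLOW-NEW rule can be dropped while the FW-DENY logging stays, as the post suggests.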

Re: General firewall question

On Sun, 13 Mar 2005 15:49:32 -0800, awburton wrote:


_IF_ you truly do not allow "any traffic originating from the internet",
then of course you would not have any internet connection.  Is that what
you meant to say?


Get a doctor's appointment and a prescription for Zoloft or some such
(sorry, no experience or expertise here).  Or else smoke some ganja or
drink lots of ethyl alcohol and your worry quotient will go way down.
Either you are connected or you are not connected.  Which is it?

What do you know about what ports you have open?  Have you done nmap scans
from outside?  Do you have authority to do those?  If so, why is your
provider paying a (another) network admin?  Just take the job and salary
yourself and do it.


You are welcome.  A touch of paranoia is often useful in security issues.
Some people (maybe you) don't know that IM, VoIP and many other widely
used services are "servers".  Are you expecting your "network admin" to be
responsible for keeping your system and link working and trouble-free?  Or
can you cover that all by yourself?  

Re: General firewall question


The PC is still physically connected and I have outgoing traffic.


I appreciate you trying to help and I am probably being overly
paranoid, but the question is strictly concerned with iptables.


I'm well aware of that and as I stated before "let's just throw
applications to the side".  I mean that in terms of this question.  Of
course I will be running programs and I'm aware of needing to maintain
them.  I just don't have the experience with running IPTABLES.  Before
I've always been behind a hardware firewall.  In this situation I won't
have that.

Re: General firewall question

Well, iptables (or rather, the netfilter code in the kernel) is still
software, and software can have bugs. So, with a suitable bug in
netfilter it would be possible to mount some kind of attack (resource
consumption and perhaps kernel memory corruption come to mind) against
your machine.

So, it all depends on your level of paranoia.
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
"...cancel my subscription to the resurrection!" (Jim Morrison)

Re: General firewall question

Juha Laiho wrote:
All routers have software or algorithms in them too. Even dedicated hard
coded logic like FPGAs etc. is still only as good as the algorithms
used, so if you want to be paranoid it is easy.

The netfilter/iptables code has been pretty good so far. The biggest
problems I've seen aren't with the code but with the configuration. Then
again if one wants to be paranoid, maybe the sun will explode or heck
how about those tidal waves:)
