
Re: ipchains firewalling question



> > if you use dhcp for anything, you must enable source/destination for
> > 255.255.255.255 as well as the routes for this. This caught me some time
> > ago :(
> 
> Make sure you're allowing ident connections.  Even if you don't answer
> them, you want to refuse connections rather than dropping the packets.
> Some systems will timeout the connection attempt.

I'm a little confused here, what is an ident connection?  After looking
through /etc/services and /etc/protocols, my best guess was you meant the
auth port, 113.  Is this what you meant?

> You may also want to reject packets from IP addresses you own and from
> the private IP addresses that aren't arriving on appropriate interfaces,
> and anything going out of your network that doesn't have the IP address 
> of the masquerading host.  The -i option is useful for this.

I don't actually own any IP addresses, as far as I know.  You're right
about things arriving on the wrong interface, I'll have to take care of
that.  I think it's going to significantly increase the number of rules,
so I'll wait until I have these right before adding more.

How would I prevent things going out that don't have the IP address of the
masquerading host since it gets a different IP address on ppp0 every time
it connects?  Can I get away with using "localhost"?  I'm sure I don't
want outgoing packets to have the IP address of eth0!

> > > 4. Are the SMTP and POP3 ports as secure as possible while still
> > >    allowing fetchmail and sendmail to work?
> 
> > maybe you could specify the source/destination for this rule.
> 
> Instead of allowing all traffic in both directions, you could allow
> only the correct side of the connection to initiate a connection (look
> at the -y option for this).

Would something like this work?

# allow me to use fetchmail
# (-p tcp is needed for -y and for port matching; the local side of a
#  client connection is an ephemeral port, only the server side is 110)
ipchains -A input  -p tcp -d localhost 1024:65535 -s pop3.isp.com 110 ! -y -j ACCEPT
ipchains -A output -p tcp -s localhost 1024:65535 -d pop3.isp.com 110 -j ACCEPT

# allow outgoing SMTP (same shape: ephemeral local port, server port 25)
ipchains -A input  -p tcp -d localhost 1024:65535 -s smtp.isp.com 25 ! -y -j ACCEPT
ipchains -A output -p tcp -s localhost 1024:65535 -d smtp.isp.com 25 -j ACCEPT

I'm especially sensitive about e-mail, as I am the only one here who has
an e-mail address.  I can't block all SMTP, or I wouldn't be able to send. 
I am trying to avoid letting any of the other computers on the LAN send
mail at all, because it would probably look like it was coming from me
since they don't have any e-mail addresses. 

> For this (and POP, which I've managed to delete) you also want to accept
> incoming packets.

That's not the only mistake I made on SMTP and POP, I also meant to
specify the source/dest.

> > > # allow communication with my ISP's proxy
> > > ipchains -A input  -p 3128 -j ACCEPT
> > > ipchains -A output -p 3128 -j ACCEPT
> 
> Similarly, you could control who gets to connect which way.

How's this?

# -p tcp is required for -y; replies from the proxy come from port 3128
ipchains -A input  -p tcp -s proxy.isp.com 3128 ! -y -j ACCEPT
ipchains -A output -p tcp -d proxy.isp.com 3128 -j ACCEPT

Thanks,
Patrick


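The following is an added example, not part of the message above or of ipchains itself. It is a toy model of ipchains first-match rule evaluation covering only the options the thread uses (-p tcp, -s/-d with a port or port range, -i, -y / ! -y, and the ACCEPT, DENY, REJECT and MASQ targets), and it runs the corrected fetchmail, SMTP, proxy, ident and anti-spoofing rules against a handful of constructed packets. The addresses (10.9.8.7 for the ppp0 side, 192.168.1.0/24 for the LAN, 192.0.2.x for the ISP hosts) and the ephemeral port range are assumptions for the example.

```python
"""Toy model of ipchains rule matching (an added example, not code from the
message above).  Only the subset the thread needs is modelled: -p tcp,
-s/-d with a port or port range, -i interface, -y / ! -y, and the targets
ACCEPT, DENY, REJECT and MASQ.  All addresses and host names are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: the masquerading host's (dynamic) ppp0 address,
# its LAN, and the ISP's POP3, SMTP and proxy servers.
ME, LAN = "10.9.8.7", "192.168.1.0/24"
POP3, SMTP, PROXY = "192.0.2.10", "192.0.2.25", "192.0.2.80"
EPHEMERAL = (1024, 65535)   # client-side ports fetchmail/sendmail actually use
ANY = "0.0.0.0/0"


@dataclass
class Packet:
    iface: str               # interface the packet arrives on (-i)
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # True for a connection-opening TCP packet (-y)


@dataclass
class Rule:
    target: str
    src: str = ANY
    sport: tuple = (0, 65535)
    dst: str = ANY
    dport: tuple = (0, 65535)
    iface: Optional[str] = None
    syn: Optional[bool] = None   # True = -y, False = ! -y, None = either

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return self.syn is None or p.syn_only == self.syn


def verdict(chain, policy, p):
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


def port(n):
    return (n, n)


# Corrected rules: the local side of a client connection is an ephemeral
# port, not 110/25/3128, and server replies are accepted only when they are
# not connection-opening SYNs (! -y).
INPUT = [
    Rule("DENY", src="192.168.0.0/16", iface="ppp0"),   # private source on the outside
    Rule("REJECT", dst=ME, dport=port(113)),              # ident: refuse rather than drop
    Rule("ACCEPT", src=POP3, sport=port(110), dst=ME, dport=EPHEMERAL, syn=False),
    Rule("ACCEPT", src=SMTP, sport=port(25), dst=ME, dport=EPHEMERAL, syn=False),
    Rule("ACCEPT", src=PROXY, sport=port(3128), dst=ME, dport=EPHEMERAL, syn=False),
]
OUTPUT = [
    Rule("ACCEPT", src=ME, sport=EPHEMERAL, dst=POP3, dport=port(110)),
    Rule("ACCEPT", src=ME, sport=EPHEMERAL, dst=SMTP, dport=port(25)),
    Rule("ACCEPT", src=ME, sport=EPHEMERAL, dst=PROXY, dport=port(3128)),
]
FORWARD = [
    Rule("REJECT", src=LAN, dport=port(25)),   # LAN hosts may not send mail directly
    Rule("MASQ", src=LAN),
]

# The rule as posted names port 110 on both ends, so a real POP3 reply
# (addressed to the ephemeral port) never matches it.
AS_POSTED = Rule("ACCEPT", src=POP3, sport=port(110), dst=ME, dport=port(110), syn=False)


def fetchmail_session():
    """Verdicts for a normal fetchmail exchange: our SYN out, the reply in."""
    out = Packet("ppp0", ME, 40000, POP3, 110, syn_only=True)
    back = Packet("ppp0", POP3, 110, ME, 40000)
    return (verdict(OUTPUT, "DENY", out), verdict(INPUT, "DENY", back), AS_POSTED.matches(back))


def server_initiated():
    """The ISP's POP3 host trying to open a connection to us falls to policy."""
    return verdict(INPUT, "DENY", Packet("ppp0", POP3, 110, ME, 40000, syn_only=True))


def ident_probe():
    return verdict(INPUT, "DENY", Packet("ppp0", "203.0.113.5", 51000, ME, 113, syn_only=True))


def spoofed_lan_source():
    return verdict(INPUT, "DENY", Packet("ppp0", "192.168.1.7", 51000, ME, 40000))


def lan_host(dport):
    """A LAN box going out through the masquerading host."""
    return verdict(FORWARD, "DENY", Packet("eth0", "192.168.1.7", 51000, "198.51.100.9", dport, syn_only=True))


if __name__ == "__main__":
    print(fetchmail_session(), server_initiated(), ident_probe(),
          spoofed_lan_source(), lan_host(25), lan_host(80))
```

Two points the model makes visible: the ! -y rule lets the server's reply packets in but not a connection the server opens itself, and the LAN-side "no mail" restriction belongs in the forward chain (where the LAN hosts' packets are seen with their own addresses, before masquerading), not in output. Because the ppp0 address changes per connection, a real rule set built this way has to be re-run with the newly assigned address, for example from the pppd ip-up script.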