Thanks for the help. I utilized your ideas and ran nmap and
nothing comes up (I did this from the same host, though). My
logs dropped to nil activity after implementing a combo of the
techniques you three mentioned (also, is it a bad thing if my
logs aren't writing anything now, or is it that my ports can't
be "seen"?). Interestingly (to me), ports 0 and 1 come up as
closed (from grc.com, I assume because of the set limits that
make my firewall "adaptive").
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> You can omit the last one if you're not forwarding packets.
Only a small minority of people use the forward chain, right? I
read somewhere that not even ISPs use port forwarding
(relaying?).
> Why are you ACCEPTing traffic based on the source address? For new
> outbound connections you should ACCEPT based on destination and state
> NEW, for everything else, you should use an ESTABLISHED,RELATED rule
> just like you do in the INPUT chain.
Currently, I have OUTPUT accepting NEW,ESTABLISHED,RELATED. If
I'm thinking right about what you said Ansgar, the only thing I
need to worry about in OUTPUT is NEW, so I'm about to change it
and see what happens.
>
> Repeating myself: "stealth" is braindead marketing babble invented by
> people who failed to understand TCP/IP for people who fail to understand
> TCP/IP. Your host doesn't magically become "invisible" just because it
> drops packets. TCP/IP doesn't work that way.
Then why does the site http://www.grc.com keep referring to
ports as being under stealth? Are they defining "stealth" in a
different way? What does one have to gain by propogating this
"marketing babble"?
> Besides, you shouldn't be dropping echo-request and time-exceeded. ICMP
> is a vital part of IP and required e.g. for troubleshooting connection
> problems. Rather do something like this:
>
> iptables -N icmp_packets
> # Allow ping, but limit it to 10 requests per second:
> iptables -A icmp_packets -p icmp --icmp-type echo-request \
> -m state --state NEW -m limit --limit 10/sec -j ACCEPT
> # Allow echo replies (pong) for accepted pings:
> iptables -A icmp_packets -p icmp --icmp-type echo-reply \
> -m state --state ESTABLISHED -j ACCEPT
> # Allow troubleshooting messages for all established connections:
[...]
> iptables -A icmp_packets -p icmp --icmp-type parameter-problem \
> -m state --state RELATED -j ACCEPT
> iptables -A icmp_packets -j DROP
>
Thanks for this (above).
> I'd also recommend to REJECT packets rather than simply DROP them, so I
> usually define a DENY chain and put it at the end of the INPUT, OUTPUT
> and FORWARD chains:
>
> iptables -N DENY
> iptables -A DENY -p tcp -m limit --limit 10/sec -j REJECT \
> --reject-with tcp-reset
> iptables -A DENY -p udp -m limit --limit 10/sec -j REJECT \
> --reject-with icmp-port-unreachable
> iptables -A DENY -j DROP
Thanks again.
--
Telly Williams
"Knowledge Is Power"
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
No comments:
Post a Comment