iptables SECURITY - default settings

Douglas Furlong douglas.furlong at firebox.com
Fri Sep 17 08:05:57 UTC 2004


On Fri, 2004-09-17 at 01:03, Ted Kaczmarek wrote:
> On Thu, 2004-09-16 at 19:36, Jack Bowling wrote:
> > On Thu, Sep 09, 2004 at 11:34:29PM +0200, Alexander Dalloz wrote:
> > > Am Do, den 09.09.2004 schrieb Wal um 23:04:
> > > 
> > > > I am suggesting a more secure default setting-
> > > 
> > > > -I SecLev505-INPUT -p all -j DROP
> > > 
> > > > Alternately (with possible issue when rules actually get applied)-
> > > 
> > > > -A SecLev505-INPUT -p all -j DROP
> > > 
> > > I would heavily dislike a default DROP rule setup with iptables. There
> > > is a long discussion about DROP versus REJECT in the firewall forums,
> > > and I follow the arguments for REJECTing. One reason which affects users
> > > of Fedora: a DROP policy / default rule makes it much harder for anyone,
> > > and especially less experienced users, to track down problems caused by
> > > firewalling, with no real gain on the other side. It is and stays a myth
> > > that DROPping packets makes a system invisible to attackers (buzzword
> > > "stealth mode" in PFW products). For the majority of users feedback in
> > > the form of an ICMP port unreachable is most useful.
> > 
> > Your argument in favor of REJECT falls apart in a DDoS situation. Having
> > the kernel drop packets rather than fire off REJECT messages in response to
> > every packet is much more efficient.
> > 
> > -- 
> > Jack Bowling
> > mailto: jbinpg at shaw.ca
> 
> 
> Generating rejects would consume much more resources than dropping the
> packets.
> 
> What "firewall" forums are you looking at? 
> 
> I know many firewall professionals and not one of them prefers to send
> an unreachable if they don't have to.
I was under the impression that the most appropriate place to use a
reject packet was in relation to, I believe, Sendmail, where just dropping
the packet would cause a mail system to continually try to resend
the packet instead of acknowledging that the information it has
relating to a host is wrong, and that it should stop.

Other than that, and I'm sure some other equally specific situations,
dropping a packet is preferred. Not due to "stealth" or anything like
that, just because it is less network/process intensive.

The majority of problems that people face are due not to firewall
limitations preventing outbound traffic, but limitations preventing
inbound and "related" inbound traffic (not necessarily established, and
other buzzwords; I'm talking from a purely emotional/task-related
perspective). In which case, rejected messages are unlikely to be
of much use: if they are unable to track down the problem using logs and
other monitoring techniques, then they are unlikely to be able to
talk to a friend and get them to relate back the rejected/dropped
messages either.

Well just my two pennies(I wonder when I'll be using the cent (euro, not
$!)) worth.

-- 
Douglas Furlong
Systems Administrator
Firebox.com
T: 0870 420 4475	F: 0870 220 2178
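As an added example, not from the thread or from Fedora's firewall tooling: a ruleset in the layout the thread discusses (INPUT and FORWARD jump into a user chain, here named SecLev505-INPUT as in the thread, which ends in an appended, unconditional DROP). It accepts ESTABLISHED,RELATED inbound traffic first, since that is the "related inbound" breakage Douglas describes, REJECTs only the two ports where a silent DROP makes the remote side wait or retry (SMTP and ident), logs the remainder at a rate limit so a dropped packet can still be tracked down without ICMP feedback, and then DROPs. The check function catches the -I versus -A mistake Wal alludes to: a DROP inserted at the head of the chain shadows every rule after it. That SSH on tcp/22 is the only exposed service, the 5/min log limit, and the script name firewall.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the thread's or Fedora's own code): an iptables-restore
# ruleset with a REJECT/DROP split and a pre-load ordering check.
# Assumptions: tcp/22 is the only service to expose; 5/min of LOG noise is
# acceptable; the script is saved as firewall.sh (hypothetical name).

# Print the ruleset.  Every rule is appended (-A) in order, so the terminal
# DROP is last.  Inserting it with -I (position 1) would put it above every
# ACCEPT and REJECT and silently shadow them.
ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SecLev505-INPUT - [0:0]
-A INPUT -j SecLev505-INPUT
-A FORWARD -j SecLev505-INPUT
# Loopback, and replies to our own outbound connections including RELATED
# ones (FTP data, ICMP errors): the usual source of "inbound" breakage.
-A SecLev505-INPUT -i lo -j ACCEPT
-A SecLev505-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A SecLev505-INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A SecLev505-INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# REJECT only where a silent DROP makes the peer wait or retry: SMTP
# (remote MTAs queue and retry) and ident (MTAs/IRC servers block on the
# ident lookup before accepting our connection).
-A SecLev505-INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A SecLev505-INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Log what falls through (rate-limited), then DROP: no reply packet is
# generated, which is what keeps DROP cheap under a flood.
-A SecLev505-INPUT -m limit --limit 5/min -j LOG --log-prefix "SecLev505-DROP: "
-A SecLev505-INPUT -j DROP
COMMIT
EOF
}

# Sanity check on stdin (iptables-save format): the first unconditional
# "-A <chain> -j DROP" must also be the last rule of <chain>.  Returns
# non-zero when the DROP is missing or sits above other rules.
check_terminal_drop() {
  awk -v c="$1" '
    $1 == "-A" && $2 == c {
      n++
      if (!drop_at && $0 == "-A " c " -j DROP") drop_at = n
    }
    END { exit !(n > 0 && drop_at == n) }'
}

# Refuse to emit a ruleset that would shadow its own ACCEPT/REJECT rules.
ruleset | check_terminal_drop SecLev505-INPUT || {
  echo "ruleset: unconditional DROP is not the last rule" >&2
  exit 1
}

# Print the ruleset; load it (as root) with:  sh firewall.sh | iptables-restore
ruleset
```

Note that the conntrack rule comes before the service rules: once it is in place, only NEW connections ever reach the REJECT and DROP lines, so the per-packet cost of the terminal rules is paid only for unsolicited traffic.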