Border protection for Fedora

Bruno Wolff III bruno at wolff.to
Sun Dec 12 16:49:52 UTC 2010


On Sun, Dec 12, 2010 at 05:30:23 -0800,
  S Mathias <smathias1972 at yahoo.com> wrote:
> I have a small, simple firewall "script": http://pastebin.com/raw.php?i=NChRyqVu
> 
> Can I ask the mailing list, that look at it for a few moments, and sort out the: 
> 
>  - unnecessary things in it [if it contains any, like are there solutions for writing multiple destination ip's in one line?]
>  - missing things that could be in a firewall, to make it _SAFER/BETTER_!
> 
> TODO's/Q's [please help!]: 
> 1) where do i have to put the "iptables-restore FROMTHEFILE" command [to set the firewall when e.g.: booting the pc] on Fedora?

What I usually do is set up the firewall with iptables and then run "service iptables save".

> 2) what is the best application firewall under linux? [links for good howtos?]

I like iptables. But it's hard to say what is best for you because you haven't listed any requirements.

> 3) do i need a proxy? [i can guess that, that the http proxy on localhost can filter the http, but what's with https? it's end-to-end encrypted :O]

It's hard to say. What are you trying to do? Are you referring to an inbound or outbound proxy? Are you looking at setting
up an outbound proxy for your whole network?

> 4) can i do something with the: "$IPTABLES -A INPUT -p tcp --dport 20000 -j ACCEPT" - i'm seeding distros on torrent, but are there any plus "options" to e.g.: only allow torrent traffic on port 20000/input?

You would need some way to distinguish torrent traffic from other traffic. What are you trying to accomplish (at a higher
level)?

> 5) on line 68: "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" - when i put a "-p tcp" in it, it makes "funny" things - when i reopen my webbrowser, i "can't surf the net", so i can't put the "-p tcp" in it? :( - just to ensure only tcp comes IN. [why would i need anything else?? only OUTPUT udp needed, no? :O + icmp ping output..]

In general you don't want to limit related traffic to just TCP. ICMP packets can have important information about
your connection (including needing to fragment packets and congestion information). Also, if you don't have some other
rule that lets UDP traffic through, DNS isn't going to work. (Which is probably your problem.)

> 6) "is it safer", if i use a local dns cache? like "dnsmasq"? 

I like to use a local caching resolver, as ISPs do goofy things with their DNS. Just running a local cache is more for
performance than security.

> 7) what does exactly "--state ESTABLISHED,RELATED" mean? why do i have to write this to the start of my firewall script?

It implies a few rules that are hard to otherwise express in iptables. The general idea is that if you make a connection
(especially outbound), traffic associated with that connection will be accepted. While UDP doesn't really have
connections, a pseudo connection is established, allowing UDP replies for a short time from a location that you sent
a UDP packet to.

> 8) how could i block packets from: destination ip 255.255.255.255?? "$IPTABLES -A INPUT -d 255.255.255.255 -j DROP" at the start of my script DOESN'T help :O i used wireshark to get this info.. the broadcast package was my routeros router.

You should be able to drop these packets using the above rule. Why do you think they weren't being dropped? The packets
will still hit your network interface, so some traffic snooping will still see them.

