Block connection in firewall -

Rick Stevens ricks at alldigital.com
Fri Feb 12 21:34:33 UTC 2016


On 02/12/2016 01:01 PM, Joe Zeff wrote:
> On 02/12/2016 12:47 PM, Bob Goodwin wrote:
>> Ok, I'll try adding that. Joe brings up the need to keep a route open to
>> NTP, that presents another concern.
>
> Either that, or set up a local NTP server on a box that's not blocked.
> Let that box sync to the rest of the net and have your LAN all sync to it.

Carrying that further, set up the firewall to block all incoming traffic
initially and use "DROP" as the target--NOT "REJECT". The reason to use
DROP is that "REJECT" actually returns a response to a probe which
essentially says "Yeah, there's a machine here, but I'm not interested
in you". That makes you a target for DDOS or script-kiddie break-in
attempts. "DROP" just drops the packets with no response so your machine
appears to not be there at all.

Next, create a utility/bastion box (a virtual machine works well) that
will act as your LAN's DNS server, NTP server, web proxy, etc. and make
sure all of your machines on the LAN use that (e.g. modify their DNS 
resolver files, NTP configurations, web proxy aliases, etc.)

Now go back and put "holes" in the firewall that permit incoming
Internet data to the bastion host ONLY. Limit these by specifying ONLY
the specific protocols and ports you need and include the 
conntrack module in each rule.

The conntrack module will only permit incoming traffic associated with
a locally-initiated session. By doing this stuff, only the bastion box
is visible in any way from the Internet and the only incoming traffic
permitted essentially has to be in response to a "query" made by the
bastion.

This is the way we do it for our critical internal networks. The only
exception is that we permit incoming ssh to our bastion boxes to get to
other machines on that LAN, but you have to be on an IPSEC VPN with a
two-factor authentication to do it.

The primary downside to all of this is that your LAN is now very
isolated. If you want to browse the net from a machine on the LAN, for
instance, you have to use the bastion's web proxy mechanism. For home
LANs with little kids, this can be a good thing as you can put
restrictions on the web proxy regarding which sites they can visit,
specific times they're allowed to do that, traffic limits, etc.

Security can be a right bastard at times--which is why network security
professionals get paid the big bucks! I have to help look after a
PCI-compliant network so I've been down this road many times.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-    I'm telling you that the kernel is stable not because it's a    -
-    kernel, but because I refuse to listen to arguments like this.  -
-                                              -- Linus Torvalds     -
----------------------------------------------------------------------

