Hi list,
I have seen the "iptables and ip6tables" section of rhel6-guide.html recently and I have concerns about a few recommendations.
example: "Set Default iptables Policy for Incoming Packets" ---- To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted. ---
This ^^^ is doable but it won't have any real effect since the last rule of a built-in INPUT chain is REJECT. Default DROP policy won't be applied.
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Please note I'm not a firewall expert, I just want to raise awareness. Maybe I'm missing some important fact.
Peter.
I believe this can be classified under the "defense in depth" category. You are correct in saying that in theory nothing should ever be denied from this setting. However, the security rule of thumb is that all things should be denied unless they are explicitly allowed and that can be handled multiple ways.
I have seen cases where a table is flushed (intentionally and accidentally) and the default DENY in that chain is what keeps the system in a secure state. This actually has a two-fold effect:
1) Without that default deny the system would be open to all traffic.
2) This will put the system into a state where no traffic will be accepted and you can guarantee this will be noticed quickly. Then you can step in and fix the "real" problem (why were the rules flushed).
There can be an argument that verifying the last "deny all" rule is an issue of configuration management, but in the end a proactive approach is better than a reactive approach.
Just my opinion...
Thanks, Chad Truhn
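Peter's observation (the trailing REJECT rule fires before the chain policy is ever consulted) and Chad's answer (the policy is what remains after the rules are flushed) can both be shown with a small model of first-match chain evaluation. This is an added example, not code from the thread or from the SCAP Security Guide; the ruleset is constructed along the lines of the guide's recommendations, and only the -p, -i, --dport and --state matches are modelled.

```python
import shlex

# Constructed iptables-save style ruleset following the guide's recommendations (not from the thread).
RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"-p": "proto", "-i": "iface", "--dport": "dport", "--state": "state"}  # modelled matches

def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [(match, target), ...]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                        # ":INPUT DROP [0:0]" sets the chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain], chains[chain] = policy, []
        elif line.startswith("-A "):                    # "-A CHAIN <matches> -j TARGET" appends a rule
            tok, match, target, i = shlex.split(line), {}, None, 2
            while i < len(tok):
                if tok[i] == "-j":
                    target = tok[i + 1]
                elif tok[i] in FLAGS:
                    match[FLAGS[tok[i]]] = tok[i + 1]
                i += 2 if tok[i] == "-j" or tok[i] in FLAGS else 1   # -m, --reject-with etc. skipped
            chains[tok[1]].append((match, target))
    return policies, chains

def matches(match, pkt):
    """Every modelled criterion must agree; --state carries a comma-separated list."""
    return all(str(pkt.get(k, "")) in v.split(",") for k, v in match.items())

def verdict(policies, chains, chain, pkt):
    """First match wins; the chain policy is consulted only if no terminating rule fires."""
    for match, target in chains[chain]:
        if target in TERMINATING and matches(match, pkt):
            return target, "rule"
    return policies[chain], "policy"

def input_verdict(pkt, ruleset=RULESET, flushed=False):
    """Evaluate pkt against INPUT; flushed=True models `iptables -F` (rules gone, policy kept)."""
    policies, chains = parse_ruleset(ruleset)
    if flushed:
        chains["INPUT"].clear()
    return verdict(policies, chains, "INPUT", pkt)
```

With the rules loaded, a NEW packet to port 443 returns ("REJECT", "rule") and the DROP policy is never reached; after a flush the same packet returns ("DROP", "policy"), whereas the same flush under the ACCEPT policy returns ("ACCEPT", "policy").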
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Peter Vrabec
Sent: Tuesday, June 25, 2013 11:46 AM
To: scap-security-guide@lists.fedorahosted.org
Subject: iptables
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide