
[tlug] iptables - Tools for easy configuration



Message: 1
Date: Mon, 02 Jul 2007 21:27:30 +0900
From: "Stephen J. Turnbull" <stephen@example.com>
Subject: [tlug] iptables - Tools for easy configuration
To: Tokyo Linux Users Group <tlug@example.com>
Message-ID: <87abufyor1.fsf@example.com>
Content-Type: text/plain; charset=us-ascii

Amy & Don Johnson writes:
> If someone is willing to do a talk about iptables, I would like to hear
> specifics about setting up *outbound* chains in the filter table. There
> is a lot on the web about setting up inbound rules, but I haven't found
> anything good about setting up outbound rules.

Why would you want to do that?  Keep your kids off IRC and pr0n sites?
(Honest question; such rule sets will be really application-specific.)

As to why you won't find much on this ....  Thing is, in general you
trust the people *inside* the firewall.  To the extent that you don't
trust them you're generally more interested in content filters, e.g.
spam filters in case one of the PCs on your net gets zombified.
Because of course you do want people to be able to send legit mail!

Of course, you can limit your kids' PCs to the Disney site and their
schools' home pages, but that will get tedious rapidly.  And in
general it's much harder to set up plausible rules for inside going
out than the other way around.  12 and 13 year olds can learn to set
up tunnels and proxies for their friends; you'll need to think about
much more complex rule sets to prevent that.


Here's why it might be wise to constrict outbound traffic as well as inbound:


1. Marginal returns on time spent might be good: for a little effort adding outbound rules you might get better overall security. For example, I spent a lot of time getting my inbound rules to work. Right now, every packet leaves our computers/network with no restrictions, and I have spent no effort on considering what should be allowed to leave.

2. I think "trust no one" is a better policy for people inside the firewall than "trust everyone."

3. I remember reading an article a few months ago in Linux Journal whose author said having no outbound restrictions was bad policy. It would take me a little time to find the article if you wanted to know who wrote it. Anyway, my point is that there is at least one other person in the world who thinks time spent on creating outbound rules is not wasted.

4. My last (lame) argument is that everyone criticized Microsoft's first attempt at a firewall with Service Pack 2 on Windows XP because it only included outbound restrictions. So if we can criticize the evil empire for this "deficiency," maybe it really is a deficiency!


The applications we are currently using include NFS, Samba, VoIP, SSH, mail, IRC, VMware to run Windows, IP printing, and of course regular and SSL web browsing. I would like all of these applications to work after I add outbound restrictions. We are already using a spam filter, but no content filter on web access. Also, you are right about the zombified PCs; if this should happen to one of our machines, I think it would be good to make it more difficult for the malware to phone home.

Unfortunately, I can't make the tech meeting on the 14th because I have to help someone move, but if someone does give a talk about iptables and it includes info about outbound rules, I would like to get a copy of the notes, scripts, whatever. Thanks.

--Don
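As an added example, not code from either post, here is a default-deny OUTPUT chain covering the applications Don lists (NFS, Samba, VoIP, SSH, mail, IRC, printing, HTTP/HTTPS), generated as a reviewable script rather than applied directly; the LAN range, mail relay, SIP proxy, printer address and RTP port range are assumptions, and the trailing LOG rule is what would surface a zombified PC trying to phone home.

```shell
#!/bin/sh
# Added example for the thread above; addresses below are assumptions.
LAN=192.168.1.0/24        # assumed LAN block (NFS/Samba peers)
MAIL_RELAY=192.168.1.2    # assumed outbound SMTP relay
SIP_PROXY=192.168.1.3     # assumed VoIP registrar/proxy
PRINTER=192.168.1.20      # assumed IPP printer
RTP_PORTS=10000:20000     # assumed RTP media range of the VoIP setup

# Emit the ruleset instead of executing it, so it can be read before use.
# Order matters: flush, add ACCEPTs, log the rest, set the DROP policy last
# so an existing SSH session is not cut off while the chain is being built.
gen_outbound_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d $MAIL_RELAY --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 6667,6697 -j ACCEPT
iptables -A OUTPUT -d $LAN -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A OUTPUT -d $LAN -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A OUTPUT -d $LAN -p tcp -m multiport --dports 111,2049 -j ACCEPT
iptables -A OUTPUT -d $LAN -p udp -m multiport --dports 111,2049 -j ACCEPT
iptables -A OUTPUT -d $SIP_PROXY -p udp --dport 5060 -j ACCEPT
iptables -A OUTPUT -d $SIP_PROXY -p udp --dport $RTP_PORTS -j ACCEPT
iptables -A OUTPUT -d $PRINTER -p tcp --dport 631 -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
iptables -P OUTPUT DROP
EOF
}

# Count rules with a given target; used as a sanity check on the output.
count_rules() { gen_outbound_rules | grep -c -- "-j $1"; }

# Apply the generated rules (requires root); review the output first.
apply_outbound_rules() { gen_outbound_rules | sh; }
```

NFSv3's mountd and lockd use dynamic ports unless pinned in the NFS server configuration, so the 111/2049 rules assume pinned ports or NFSv4; guests under VMware NAT through the host and are covered by the same chain.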


