Security Rant (was Re: ipchains issue (Re: Webmin via Apache))

George Toft plug-discuss@lists.plug.phoenix.az.us
Tue, 25 Jun 2002 22:12:35 -0400


George's $0.02.

In the area of running boxes inside a network (LAN) that has a firewall
protecting them from the bad Internet, I am at odds with some
corporations, who shall remain nameless.  I feel every box on the
network should be able to stand on its own without the firewall (at
least for a few hours).  This provides redundancy - if the main firewall
fails or is compromised, you have one more layer of protection.  Look at
it like a bank - do you think they use just one lock to keep the bad
guys out?

Yes, I practice what I preach - my workstation runs a firewall just as
strong as my dedicated hardware firewall.  That way, if I goober up the
hardware firewall, I'm not left naked with my arse hanging out.

So running ipchains on an internal box is not a bad thing - just make
sure you know why you are doing it.

George
Paranoid at Large


Craig White wrote:
> 
> Assuming that this is a single NIC on a server on the internal lan and
> you have no idea what you want a firewall to be doing on this computer
> anyway...why don't you just turn it off?
> 
> service ipchains stop
> 
> chkconfig --levels 2345 ipchains off
> 
> Otherwise,
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 10000
> 
> replace port & variables as necessary but I have to tell you that what
> you have in place for ipchains is pretty minimal and you shouldn't feel
> as though anything is secure on that system because you have an ipchains
> firewall running on it.
> 
> Craig
> 
> On Tue, 2002-06-25 at 17:49, alandd@mindspring.com wrote:
> > OK, this is looking like a firewall (ie. ipchains) setting issue.  I will have
> > to go learn how to do ipchains, and without a GUI since I didn't put it on
> > this box!
> >
> > The output of "ipchains -L" gives:
> >
> > Chain input (policy ACCEPT):
> > target     prot opt     source                destination           ports
> > ACCEPT     udp  ------  192.168.200.1        anywhere              domain -> 1025:65535
> > ACCEPT     tcp  -y----  anywhere             anywhere              any -> http
> > ACCEPT     tcp  -y----  anywhere             anywhere              any -> ssh
> > ACCEPT     udp  ------  anywhere             anywhere              bootps:bootpc -> bootps:bootpc
> > ACCEPT     udp  ------  anywhere             anywhere              bootps:bootpc -> bootps:bootpc
> > ACCEPT     all  ------  anywhere             anywhere              n/a
> > REJECT     tcp  -y----  anywhere             anywhere              any -> any
> > REJECT     udp  ------  anywhere             anywhere              any -> any
> > Chain forward (policy ACCEPT):
> > Chain output (policy ACCEPT):
> >
> > What line do I need to allow Webmin miniserv.pl to listen for https
> > connections on eth0?  Where do I put said line?
> >
> > Meanwhile, I'll go read the manuals...
> >
> > Alan
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
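An added illustration, not part of the thread and not written by any of its posters: a small Python model of how an ipchains input chain is evaluated, built from the chain Alan listed. ipchains walks the rules top to bottom and the first match decides; the chain policy applies only when nothing matches. That is why the position of a new ACCEPT for TCP/10000 (Webmin's miniserv port, the port in Craig's rule) matters: `-A` appends it after the existing `REJECT tcp -y` rule, while `-I` inserts it in front. Plain `ipchains -L` does not show interfaces, so the model assumes the `ACCEPT all ... n/a` rule is the usual loopback (`-i lo`) rule; source addresses and source ports are not modelled, and the `Rule`/`Packet` names are this example's own.

```python
"""Toy first-match evaluator for an ipchains-style input chain (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                          # ACCEPT or REJECT
    proto: str = "all"                   # tcp, udp, or all
    dport: Tuple[int, int] = (1, 65535)  # destination port range, inclusive
    syn_only: bool = False               # ipchains "-y": match only TCP SYN packets
    iface: Optional[str] = None          # input interface restriction, None = any


@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool = False
    iface: str = "eth0"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if the packet satisfies every condition on the rule."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.proto != "all" and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn):
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """First match wins; fall through to the chain policy if nothing matches."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, index
    return policy, None


def listed_chain() -> List[Rule]:
    """The input chain from the thread, in listed order (DHCP rules collapsed to one)."""
    return [
        Rule("ACCEPT", "udp", (1025, 65535)),            # DNS replies from 192.168.200.1 (source not modelled)
        Rule("ACCEPT", "tcp", (80, 80), syn_only=True),  # http
        Rule("ACCEPT", "tcp", (22, 22), syn_only=True),  # ssh
        Rule("ACCEPT", "udp", (68, 68)),                 # bootps:bootpc (approximated by dest port only)
        Rule("ACCEPT", "all", iface="lo"),               # ASSUMED: the "all ... n/a" rule is -i lo
        Rule("REJECT", "tcp", syn_only=True),            # REJECT tcp -y any -> any
        Rule("REJECT", "udp"),                           # REJECT udp any -> any
    ]


def append_rule(chain: List[Rule], rule: Rule) -> List[Rule]:
    """What `ipchains -A input ...` does: add at the end of the chain."""
    return chain + [rule]


def insert_rule(chain: List[Rule], rule: Rule, position: int = 0) -> List[Rule]:
    """What `ipchains -I input ...` does: insert at the given position (default: top)."""
    return chain[:position] + [rule] + chain[position:]


WEBMIN = Rule("ACCEPT", "tcp", (10000, 10000))


def demo() -> dict:
    """Verdicts for a new TCP/10000 connection under the three chain variants."""
    new_connection = Packet("tcp", 10000, syn=True)
    mid_connection = Packet("tcp", 10000, syn=False)
    return {
        "as_listed": verdict(listed_chain(), new_connection)[0],          # hits the REJECT tcp -y rule
        "appended": verdict(append_rule(listed_chain(), WEBMIN), new_connection)[0],
        "inserted": verdict(insert_rule(listed_chain(), WEBMIN), new_connection)[0],
        "non_syn": verdict(listed_chain(), mid_connection)[0],            # -y rules skip it; policy ACCEPT
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The `non_syn` case shows the other half of the `-y` trick in this ruleset: only connection-opening SYN packets are rejected, so replies to connections the host itself opened fall through to the ACCEPT policy, which is how a stateless ipchains setup allows established traffic without tracking connections.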