Security Basics mailing list archives
Re: IPTables Based Firewall Testing
From: Christos Gioran <himicos () freemail gr>
Date: Thu, 18 Dec 2003 10:27:40 +0200
On Tuesday 16 December 2003 18:02, Gareth Darby wrote:

> I was wondering what kind of processes would be involved in testing a firewall built around IPtables. How could you ensure that the rules are sufficient?

If it is built correctly, then you have won more than half the battle. By correctly I mean the ever-faithful "what is not explicitly permitted is denied" rule. Define your needs in great detail and then all will become clear. Simple rules and clean, cut-out logic ensure a pretty safe firewall.

> Is a simple port scan enough?

Short answer: No. (Longer follows)

A simple external portscan will not do. It will simply confirm which ports are open and which are not, with regard to the IP from which you perform the scan. Say you scan your network from the external host notfriendly.com and happily see only port 80 of your web server to accept SYN packets. That does not ensure that port 25 does not allow packets from the external host icomeinpeace.net. Does "Idle scan" ring any bells? (man nmap if not).

Moreover there is the problem of outbound connections. An external portscan will not reveal which hosts are allowed to make connections, i.e. act as servers. Maybe that is acceptable for your www server, but a trojaned machine that calls home (taking advantage of misconfigured firewalls) is probably not a good thing to have in your network.

BTW, I assume "simple" does not imply connect()! A modest portscan should involve an extended range of ports, at least SYN scans, ping sweeps (although not portscans, they traditionally are mentioned in portscanning) and hopefully ACK scans and other customised packets.

My advice (and practice)? Review your firewall rules carefully and make sure that ANYTHING unnecessary is dropped (or tarpitted, whatever best suits you). Take care to add non-needed outbound connections to the "unnecessary" list. Obviously, SYN packets coming from servers are a sign of evil, so dropping and logging them is also a Very Good Idea (tm). Then portscan extensively, from any location you can, inside and out. By that time, you can be somewhat confident that your firewall is modestly tight.

Just my $(no_value_worth_mentioning)

himicos
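A small detector for the logging the reply recommends: it reads iptables LOG lines and flags outbound TCP SYNs that originate from hosts which should only ever accept connections (the "trojaned machine calling home" case). This is an added example, not part of the original post; the server addresses, interface names, log prefixes and sample lines are all constructed for illustration.

```python
"""Find outbound connection attempts from hosts that should only be servers,
using iptables LOG output. Addresses, interfaces and log lines are constructed."""
import re
from collections import Counter

# Hosts that should only ever *accept* connections, never initiate them.
SERVERS = {"192.0.2.10", "192.0.2.25"}
EXTERNAL_IF = "eth0"          # hypothetical interface facing the Internet

# iptables LOG lines consist of "KEY=value" tokens plus bare TCP flag words.
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Return the KEY=value fields of one iptables LOG line plus a 'flags' set."""
    fields = dict(KV_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in FLAGS}
    return fields

def is_server_calling_home(fields):
    """A TCP connection *initiation* (SYN without ACK) leaving through the
    external interface whose source is one of our servers."""
    return (fields.get("PROTO") == "TCP"
            and "SYN" in fields["flags"] and "ACK" not in fields["flags"]
            and fields.get("OUT") == EXTERNAL_IF
            and fields.get("SRC") in SERVERS)

def find_suspicious_outbound(lines):
    """Count suspicious outbound SYNs per (server, destination, port)."""
    hits = Counter()
    for line in lines:
        f = parse_log_line(line)
        if is_server_calling_home(f):
            hits[(f["SRC"], f["DST"], int(f["DPT"]))] += 1
    return hits

# Constructed sample: two dropped outbound SYNs from the web server to the same
# remote port, one accepted inbound SYN to port 80, and the server's SYN/ACK
# reply to it (part of an accepted inbound connection, so not an initiation).
SAMPLE_LOG = [
    "Dec 18 10:27:40 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=40212 DPT=6667 SYN URGP=0",
    "Dec 18 10:27:41 fw kernel: FW-DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=40213 DPT=6667 SYN URGP=0",
    "Dec 18 10:27:42 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=60 TTL=52 DF PROTO=TCP SPT=51000 DPT=80 SYN URGP=0",
    "Dec 18 10:27:42 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.5 LEN=60 TTL=63 DF PROTO=TCP SPT=80 DPT=51000 ACK SYN URGP=0",
]

if __name__ == "__main__":
    for (src, dst, port), n in find_suspicious_outbound(SAMPLE_LOG).items():
        print(f"{src} tried to open {dst}:{port} {n} time(s)")
```

Feed it the output of a LOG rule placed before the DROP for outbound traffic from the server subnet; the SYN/ACK check is what keeps legitimate replies to inbound connections out of the report.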