- 07-06-2009 #1 Just Joined!
- Join Date
- Jul 2009
- Posts
- 1
Firewalls
Hi, this is not exactly a question I would ask on a forum like this one, but nevertheless I will ask it. I had an argument with someone about firewalls and would like to collect some arguments supporting my view. The person I was talking to said that if you are not running services listening on given ports (say SMTP on port 25), you don't have to block these ports on your firewall. In other words, if your computer did not have any services running, you would not need a firewall at all. I don't think that is true, but how do I support my view? My argument was that if someone installed a virus listening on a port, say on port 25, my server could be vulnerable to an attack. But the guy I was arguing with said that it would have to be myself installing the virus - because viruses don't install "themselves" in Linux as they do in Windows. OK, but there must be other reasons for using firewalls, supporting my view. Are there any kind, experienced network administrators out there who would like to give me some more examples showing why a firewall blocking a port would be needed even if there was no service listening on that port?
- 07-07-2009 #2 Linux Newbie
- Join Date
- Sep 2004
- Location
- UK
- Posts
- 158
Port scanning using GRC ShieldsUP:
a) Port closed (iptables DROP) and no service on port: "There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!"
b) Port open and no service on port: "Your computer has responded that this port exists but is currently closed to connections."
And your friend's statement that "it would have to be myself installing the virus - because viruses don't install 'themselves' in Linux as they do in Windows" is correct.
I tend/prefer to block (DROP) unrequired ports, as it does no harm.
In a world without walls and fences, who needs Windows and Gates?
- 07-07-2009 #3 Just Joined!
- Join Date
- Jul 2009
- Posts
- 7
I don't think there is any need to block the port if there isn't any service running on it, but obviously you can block the attacker from executing any script from /tmp that might use some port to run on your server, which definitely helps if that port is blocked.
- 07-07-2009 #4 Just Joined!
- Join Date
- Feb 2009
- Posts
- 23
Shut everything, and only allow what you want through. That's how anyone running a commercial firewall will approach it.
Sure, if you know exactly what ports and services you've got running, that's great. But are you really sure you shut down that temporary FTP server you needed to quickly use at 2am? Human error happens - plan for it.
Just because you are using Linux shouldn't make you lazy on the security front. Some of the most insecure OSes are the straight-out-of-the-box Linux distros where by default every service is running straight after an install.
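The default-deny approach from post #4, written out as an iptables-restore ruleset; this is an added example, not any poster's own rules. It assumes eth0 is the Internet-facing interface and that SSH (22) and SMTP (25) are the only services meant to be reachable. With a DROP policy a port with no listener gets no reply at all, which is the "no evidence a computer exists" result post #2 got from ShieldsUP; with an ACCEPT policy the kernel answers a closed port with a TCP RST, which is the "port exists but is closed" result.

```shell
#!/bin/sh
# Added example (not from any poster): a default-deny iptables ruleset.
# Assumptions: eth0 faces the Internet and only SSH (22) and SMTP (25) are
# meant to be reachable from it. Every other port is dropped whether or not
# something listens there, so a forgotten service is unreachable anyway.
# The ruleset is generated as text so it can be reviewed (or diffed against
# the live `iptables-save`) before it is loaded with iptables-restore.

WAN_IF="${WAN_IF:-eth0}"          # assumed Internet-facing interface
ALLOW_TCP="${ALLOW_TCP:-22 25}"   # intended public TCP services only

# Print an iptables-restore file for the filter table.
gen_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: silently DROP anything not explicitly allowed.
    # (With policy ACCEPT and no listener, the kernel answers a closed
    # port with a TCP RST; with DROP it answers nothing at all.)
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, and replies to connections this host itself opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Explicit allow-list of new inbound connections.
    for port in $ALLOW_TCP; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what is about to hit the DROP policy (rate-limited so the log
    # cannot be flooded); that "temporary ftp server" on 21 shows up here.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Number of explicit ACCEPT rules for a TCP port; 0 means it is blocked.
allows_port() {
    gen_ruleset | grep -c -e "--dport $1 .*-j ACCEPT" || true
}

# Load the rules only when asked explicitly (needs root):  sh fw.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_ruleset | iptables-restore
fi
```

Run it without arguments to print the ruleset for review; `allows_port 21` returning 0 is the check that the forgotten FTP server stays unreachable.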
- 08-03-2009 #5 Just Joined!
- Join Date
- Aug 2009
- Posts
- 2
Iptables
Here I am writing down my output after giving the iptables -L command.
Actually I want that specific MAC to bypass the proxy (no need to give the proxy settings) while the others should.
Reply plz
# Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:530]
:POSTROUTING ACCEPT [1:530]
COMMIT
# Completed on Mon Aug 3 16:45:14 2009
# Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
*nat
:PREROUTING ACCEPT [193209:14311642]
:POSTROUTING ACCEPT [43633:2704702]
:OUTPUT ACCEPT [87176:5364648]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Aug 3 16:45:14 2009
# Generated by iptables-save v1.3.8 on Mon Aug 3 16:45:14 2009
*filter
:INPUT ACCEPT [3221343:1745521322]
:FORWARD ACCEPT [322005:107816168]
:OUTPUT ACCEPT [3113558:1634101429]
-A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
-A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
-A INPUT -i eth0 -m mac --mac-source 00:15:B7:33:6A:57 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1863 -j DROP
-A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
-A FORWARD -d 207.46.104.20 -j DROP
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1863 -j DROP
-A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
-A FORWARD -d 207.46.104.20 -j DROP
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1863 -j DROP
-A FORWARD -d 207.46.110.0/255.255.255.128 -j DROP
-A FORWARD -d 207.46.104.20 -j DROP
COMMIT
# Completed on Mon Aug 3 16:45:14 2009
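The exemption post #5 is asking for, a single LAN host identified by MAC that skips the transparent proxy, as an added example that is neither the poster's ruleset nor an answer given in the thread. It assumes the proxy is a local Squid on port 3128 reached through a REDIRECT in the nat PREROUTING chain (the pasted rules contain no such REDIRECT, so that part is assumed), eth1 as the LAN interface, eth0 as the uplink, and reuses the MAC from the post.

```shell
#!/bin/sh
# Added example (not from any poster): let one LAN host, identified by MAC,
# skip the transparent HTTP proxy that everyone else on eth1 is sent through.
# Assumptions: eth1 is the LAN side, the proxy listens locally on 3128
# (Squid's default), 00:15:B7:33:6A:57 from the thread is the exempt host.
# The table is regenerated whole and loaded with iptables-restore; repeated
# `iptables -A` runs are what duplicated the rules in the pasted output.
# Caveat: -m mac matches the last-hop MAC on the ingress interface only and
# a user can change their MAC, so this is a convenience, not access control.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
EXEMPT_MACS="${EXEMPT_MACS:-00:15:B7:33:6A:57}"

# Print an iptables-restore file for the nat table.
gen_nat() {
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Exemptions go BEFORE the REDIRECT: in the nat table ACCEPT ends chain
    # traversal for the packet, so no later rule rewrites its destination.
    for mac in $EXEMPT_MACS; do
        printf '%s\n' "-A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Everyone else on the LAN: port 80 goes to the local proxy.
    printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    # LAN hosts (including the exempt one) still need masquerading.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Line number of the first rule matching a pattern, 0 if absent.
rule_line() {
    gen_nat | grep -n -e "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# An exemption placed after the REDIRECT is dead; check order before loading.
ordering_ok() {
    exempt=$(rule_line "mac-source")
    redirect=$(rule_line "REDIRECT")
    if [ "$exempt" -gt 0 ] && [ "$exempt" -lt "$redirect" ]; then
        return 0
    fi
    return 1
}
if [ "${1:-}" = "apply" ]; then
    ordering_ok && gen_nat | iptables-restore
fi
```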
- 08-03-2009 #6
You should start your own thread, rather than hijack someone else's that was started for a different reason entirely.
- 08-04-2009 #7 Just Joined!
- Join Date
- Aug 2009
- Posts
- 2
Unable to start new thread
When I try to start a new thread it gives me the below-mentioned error:
"You are only allowed to post URLs to other sites after you have made 15 posts or more."
- 08-04-2009 #8
So then remove any URL in your post or signature.