Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: iptables & tcp wrappers

from [TJ Easter] Network Security [Permanent Link]
Subject: Re: iptables & tcp wrappers
Date: Mon, 11 Oct 2004 14:15:28 -0400 
On Mon, 4 Oct 2004 00:06:35 +0200, Ansgar -59cobalt- Wiechers
<bugtraq@planetcobalt.net> wrote:

On 2004-09-28 TJ Easter wrote:

   I've found it quite helpful to create a shell script to load the
firewall rules.  The first line of the script blows away all rules
(iptables -F), then it proceeds to load the rules below that.


The first line(s) should define the default policy (most likely DROP),
before flushing the chains. Otherwise the box may be open until the
rules are defined.



Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin



Ansgar,
    The reason I chose to load allow rules, followed by an explicit
deny all as opposed to a deny policy is as for simplicity.  When you
issue "iptables -F" on the command line, you get the expected "allow
all" behavior instead of having to flush *and* reset the policy.

Unless you have a pretty hefty ruleset, the window of opportunity
would be very small.   I have since closed this window while still
keeping the expected "allow all" behavior when flushing the rules. 
The first rule is to set the policy to DROP, load all rules, then
after the explicit "deny all" rule, set the policy back to ACCEPT.

Again, the script is available at http://tje.ssllink.net/firewall.tar.gz .

Let me know if you find any issue with this behavior.

Regards,
TJ Easter

-- 
"Television is not an education."
http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: iptables & tcp wrappers, Whelan, Paul
Next by Date:  Idle session logout, Ben Nelson
Previous by Thread:  Re: iptables & tcp wrappers, Ansgar -59cobalt- Wiechers
Next by Thread:  RE: iptables & tcp wrappers, Whelan, Paul
Indexes:  [Date] [Thread] [Top] [All Lists]