Mailinglist Archive: opensuse (769 mails)

< Previous Next >
Re: [opensuse] DHCPv6-PD request
On 05/26/2016 08:24 AM, Per Jessen wrote:
Anton Aylward wrote:

IF AND ONLY IF the NAT port forwarding *ALSO* has all the filtering

NAT port forwarding is typically a single 'iptables' entry, nothing
more. It isn't a <something> with anything extra, any more filtering,
it's just a directive: "send requests on port 80 on external IP to port
NN on internal IP".

Yes, that is exactly my point.
Its just that whether your NAT is a low end consumer Linksys device from
Best Buy or a homebrew PC running some NAT'ing firewall on top of Linux
(BTDT both ways).


This is for my sons Minecraft server:

iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 25565 --j DNAT --to
192.168.11.221

one would expect of a firewall for that services (AV, email black
hole, 'content inspection' and a pile of other things) then OK.

I wouldn't expect any of that in a standard ADSL or FTTH box. Not at
all - we're talking about a firewall on a router, nothing else. Well,
that's what I'm talking about it.

I wouldn't expect content filtering etc etc on a .... see above ... either.

That's my point.

And there are going to be a number of crafted attack modes to any 'open
port for a server.

That I can't think of any specific examples means nothing. I'm not a
malicious hacker, I'm not a member of Anonymous, I'm not even a 'script
kiddie'. I DO know that the 'think like a hacker in order to defend'
is a flawed argument'. It assumes you're only defended against specific
and specifically motivated attacks. Defence can be systematic.

But I've not seen a NAT'ing device that that does. None of the ones I
have or have installed or dealt with in a
casual-for-friends-and-relatives or
professional or semi-professional capacity have, but I can't claim to
have dealt with every last device and every last software revision in
the whole wide world.

Professional equipment such as Fortigate, Sonicwall and Astaro (and many
others), all come with all or some of that, but unless you're a small
business, you probably don't want to bother with one of those.

Actually, IIR, IpTables has the ability to do packet inspection.
IIR it has the ability to hand the packet off to a user process for
inspections, but that !EXPENSIVE!. Its expensive in the professional
$mega dedicated firewalls you mention and others.

But lets face it; Iptables can ALSO deal with other nasty things like
packet fragmentation attacks, buffer over-run attacks.

The thing is that most OTS (see above) NAT devices don't allow you set
that up and even the shareware firewalls like IPCop don't have an option
(or the version I've installed doesn't) (maybe the alter or the IPv6
version does have a plugin that does) for some of this nasty stuff.
Even if Iptables COULD deal with it.

I'm sure there's a HOW-TO about all this, I'm sure I've seen one but if
I bookmarked it I can't find it in my list right now.

My point is that since OTS NAT devices don't do all this proactive
'firewall' things, and that applies just as much to established
connections as the Mitnick-Shimomura hijacking demonstrated, something
that the people who think that NAT is an adequate protection because it
prevents unsolicited initiated incoming connections
<strike>often</strike> usually forget, you DO need the proper firewall.
Its why 'host level firewalls' are coming in. Its also why they are of
limited use, since end users don't know how to configure them. its why
'smart assistants' than can configure them are coming next!


Hmmm
http://www.symantec.com/connect/articles/iptables-linux-firewall-packet-string-matching-support

http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
Whether allowing smtp/imap outgoing to only a specific ISP from your
host is useful I'm not sure, but there you are.
Preventing DoS is more relevant.

About a 'stateful' firewall with IpTables ...
https://wiki.archlinux.org/index.php/simple_stateful_firewall

https://evilshit.wordpress.com/2013/12/17/how-to-set-up-a-stateful-firewall-with-iptables/

Since some things, P2P, can run over http, port blocking is not adequate
and content filtering or "layer 7" filtering is needed.
http://l7-filter.sourceforge.net/




--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
This Thread
Follow Ups