Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Loading firewall script on boot time
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Thu, 31 Jul 2003 08:41:43 +0200
  • Message-id: <84ECB0B9D002A54EA3E926AAA94E580801911A@xxxxxxxxxxxxxx>
I do not want to continue this debate endlessly, but make my final
comments:
- as mentioned before, activating the YaST Firewall resulted in unwanted
results. Firstly, it would only accept incoming service requests if you
either had them running on the FW machine or running a DMZ. Neither was
true in my case.
- second: by implementing forwarding with Firewall (masqueraded or not)
it was always able to break in on those high ports, used for passive FTP
- and third: due to this I was forced to do something else.

My final script will only allow HTTP in both directions and FTP outbound
with Data Connection (RELATED). Nothing more. Nothing less. And yes, I
did probe the ruleset with port scanners.

I do agree that if you have a standard "world" (i.e. Outside - Bad
World, Inside - LAN and maybe even DMZ) then there's no point in
"reinventing the wheel". But the specifications were not standard, and
were not subject to change.

And finally: I am a Linux newbie all right, but no computer/security
newbie. I never take things for granted, like "oh well, my script runs
fine when I start it manually, and it is named xy_firewall, I guess the
system knows that this must be loaded at boot time too. I don't bother
testing after boot time however. Port scan the system? Why should I? I
know it works. Sign here, and good bye."

Have a nice day
KE

-----Original Message-----
From: Andy Bennett [mailto:andy@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, July 30, 2003 6:55 PM
To: lars
Cc: suse-security@xxxxxxxx
Subject: Re: AW: [suse-security] Loading firewall script on boot time


Whilst I accept that it is a requirement of a secure system that the
person configuring it understands how it works, I hope that you're not
seriously suggesting that a greater level of security is achieved by
having to recreate every single aspect of a secure system rather than
using some of the tools, where appropriate, that are readily available?

That isn't true, is it?

How secure would Knut have been if he hadn't realised that his firewall
script wasn't loading when his machine started up?

Having said that, the exercise has been worthwhile in that he has gained
a greater understanding of his system.

The only thing I would add is that he needs to run an external scan of
his system to make sure it's as closed as he thinks.

Andy
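The ruleset Knut describes (HTTP both ways, FTP outbound with the data channel accepted as RELATED, everything else dropped), written out as an added iptables example that is not the poster's own script. It assumes the rules are applied on the firewall host itself (INPUT/OUTPUT only, no forwarding) and that the external interface name is in EXT_IF; verify_loaded is the post-boot check Andy asks for, so the script does not take the boot-time load on trust.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: filtering on
# the firewall host itself (no FORWARD rules) and external interface $EXT_IF.
EXT_IF="${EXT_IF:-eth0}"
IPT="${IPT:-iptables}"      # set IPT=echo to preview the commands without root

load_rules() {
    # The FTP conntrack helper is what lets passive-FTP data connections be
    # matched as RELATED instead of leaving the high ports open.
    modprobe ip_conntrack_ftp 2>/dev/null || true

    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections conntrack already knows about.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # HTTP in both directions: only NEW connections need explicit rules,
    # the replies are covered by the ESTABLISHED rules above.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # FTP control channel outbound only; the data channel rides on RELATED.
    $IPT -A OUTPUT -o "$EXT_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Post-boot check: succeeds only if all three default policies are DROP,
# i.e. the script really ran at boot rather than just when started by hand.
verify_loaded() {
    $IPT -L INPUT -n | grep -q 'policy DROP' &&
    $IPT -L FORWARD -n | grep -q 'policy DROP' &&
    $IPT -L OUTPUT -n | grep -q 'policy DROP'
}

case "${1:-}" in
    load)   load_rules ;;
    verify) verify_loaded && echo "firewall policy is active" ;;
esac
```

Running `verify` from a boot-time check (or simply after a reboot) complements, but does not replace, the external port scan Andy recommends.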
