[oclug] Stealth

Robert Brockway robert at timetraveller.org
Mon Oct 14 20:55:41 EDT 2002


On 12 Oct 2002, GR Gaudreau wrote:

> > Invisible is a strong word :)
>
> [gr]   True, but it wasn't mine, it was what the poster on
> alt.os.linux/mandrake claimed.

Yeah, I figured :)

> > Interesting idea if no one _ever_ had to establish a tcp connection to
> > you.
>
> [gr]   When you say none can establish a tcp connection to me, are you
> talking about people trying to get into my system, or websites that I
> connect to from my box? I'm not running any services, so why would they
> want to connect with me, other than a website I call from my box?

If you're never running any services it is fine to have this line in the
firewall rules.  Services you may wish to run include: ssh in to your box
from outside, and boxes on the inside connecting to your box (eg, to treat
it as a mail server).

You can bind this line to a particular interface only, so that localhost,
and any boxes on the inside (yeah I know you don't have any yet ;) can
connect ok.

> > If your box was stand alone (it did not route at all) and you never, ever
> > wanted to get an inbound tcp connection, then this seems sound.  You would
> > probably want to limit it to only certain interfaces or you'll have
> > problems with localhost.
>
> [gr]  What problems?

Many services assume they can connect to localhost.  Not having it present
can cause problems like mail not working, news not working, etc, etc.
It'd be like dropping the lo interface, which is similarly a bad thing.

> [gr]  Is there an advantage to tying these down? If not, then it's not
> worth doing it, right?

It's always worth tying stuff down :)

Here is what I have for icmp right now:

# Allow these ICMP types back in
ICMPALLOW="0 3 4 5 6 9 10 11 12 15 16 30 31 32 35 36"

# Allow these icmp types
for I in $ICMPALLOW
do
        iptables -A ICMP -p icmp --icmp-type $I -j ACCEPT
done

As can be seen, this is in the "ICMP" chain but you could do it in any
chain you like.  I have my INPUT & FORWARD chain feed to a FIREWALL chain,
where I then split it off as appropriate to different chains.  The
extensive use of chains decreases the number of rule parses required for a
given packet and means each given rule needs only have certain parameters
set.  The rule above will only be hit by things entering my external
network interface.

Cheers,
	-Rob

-- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
   Linux counter project ID #16440 (http://counter.li.org)
   "The earth is but one country and mankind its citizens" -Baha'u'llah
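A chain layout in the style Rob describes, as an added example and not his own script: INPUT and FORWARD feed a FIREWALL chain, ICMP is split off into its own chain with his allowed-type list, and the inbound-TCP drop only ever sees packets from the external interface, so localhost and the inside LAN keep working. The interface names ppp0 and eth1 are assumptions; the script prints the rules by default and only applies them when IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not Rob's script: a dry-run rule builder for the chain
# layout he describes.  By default it prints the iptables commands; run it
# with IPT=iptables (as root) to apply them instead.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-ppp0}"   # assumed external interface name
INT_IF="${INT_IF:-eth1}"   # assumed internal (LAN) interface name
# ICMP types allowed back in, taken from Rob's post.  Types 5 (redirect)
# and 9 (router advertisement) are usually dropped on a host that has no
# use for them; they are kept here to match the original list.
ICMPALLOW="0 3 4 5 6 9 10 11 12 15 16 30 31 32 35 36"

build_rules() {
    # INPUT and FORWARD both feed FIREWALL, which splits ICMP off into
    # its own chain and handles TCP itself.
    $IPT -N FIREWALL
    $IPT -N ICMP
    $IPT -A INPUT   -j FIREWALL
    $IPT -A FORWARD -j FIREWALL

    # Loopback and the inside LAN never reach the stealth rules, so
    # services that assume they can talk to localhost keep working.
    $IPT -A FIREWALL -i lo        -j ACCEPT
    $IPT -A FIREWALL -i "$INT_IF" -j ACCEPT

    # Everything below applies only to packets that arrived on EXT_IF.
    $IPT -A FIREWALL ! -i "$EXT_IF" -j RETURN

    # Replies to connections this box opened itself (web browsing etc).
    $IPT -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP goes to its own chain; only the listed types get through.
    $IPT -A FIREWALL -p icmp -j ICMP
    for I in $ICMPALLOW; do
        $IPT -A ICMP -p icmp --icmp-type "$I" -j ACCEPT
    done
    $IPT -A ICMP -j DROP

    # The "invisible" rule: new inbound TCP on the external side is dropped
    # silently (no RST).  Because of the RETURN above it is effectively
    # tied to EXT_IF, which is what Rob suggests doing with it.
    $IPT -A FIREWALL -p tcp --syn -j DROP
}
# Number of rules that would land in the ICMP chain (16 accepts + 1 drop).
icmp_rule_count() {
    (IPT="echo iptables"; build_rules) | grep -c -- '-A ICMP '
}
build_rules
```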
