Re: Contribution to Slitaz - firewall.conf

[ Thread Index | Date Index | More lists.tuxfamily.org/slitaz Archives ]


Hi Rohit,

Thanks for this push. I'm happy to have my first contribution accepted.

I'm not an expert in security, just an user who have learn some basics
knowledges about that. I know that accept input on port 80 is a security
hole, as explained in the link I've send :
http://olivieraj.free.fr/fr/linux/information/firewall/fw-03-07.html. With
this port open, anybody typing "nmap youre_ip -g 80" as root in his
terminal can scan you're ports. I'm not sure but I believe that port 80 can
be used to send false web pages and malicious code (ie java, flash, ...) to
someone. The firewall.conf I've send is supposed to avoid that. An other
problem : respond to all ping by default is not usefull for an user system
and I believe it can have bad consequences (line "iptables -A INPUT -i
$INTERFACE -p icmp -j ACCEPT"), but I havn't take the time to find a
pratical exemple.

I know that Slitaz have a good security for two reasons : there are no
daemon listen to internet by default, and it is often used as live, so even
if someone can do some malicious changes in the system, they will be
reseted in the next session. Overwhere, as user I prefer having a well
configured firewall. If you want to have a good default configuration for
users and for servers, I see 3 solutions :

1- Keep the actual configuration and whrite some docs about improving the
quality of the firewall. The fact is that not all users read theses things.
2- Add some questions in tazhw : do you want to have servers ports open ?
[Y/n] / Do you want to enable Ipv6 (Warning : Ipv6 is not filter by the
firewall) ? [Y/n]
3- Modify the daemon (i.e. apache, lighttpd, etc) to check the presence of
iptable and open the good port at start and close it when stopped. This is
the better solution in my opinion. The code to do that is :
At the end of thet start) section :

if lsmod | grep -q ip_tables; then
echo -n "Change iptables rule-set to accept new input on port ##... "
iptables -A INPUT -p tcp --destination-port ## -j ACCEPT 
status
fi

At the end of the stop) section :

if lsmod | grep -q ip_tables; then
echo -n "Change iptables rule-set to reject new input on port ##... "
iptables -D INPUT -p tcp --destination-port ## -j ACCEPT 
status
fi

Note that -p tcp can be -p udc in some case, and I don't take care to
specify a particular interface (it's not usefull in most cases). I think
this is better because it respect the rules : The default configuration is
the better for an user who don't know how to modify it, and it can be
easily modified by more advanced users. A post_installation script in
iptables should be added to enabled firewall when installed to perfectly
respect this.

About ipv6, I don't know why this module is loaded by default in Slitaz.
There's a package linux_ipv6, so I suppose that ipv6 should be loaded only
if this package is installed, wich is not the case. Is it normal ? The
other advantage of disabling ipv6 is a slighty gain of speed when browsing
on the web because the webbrowser always try to use ipv6 before ipv4 if
possible (actually using ipv6 is not implemented on most servers).

I let you give the final word, and as you can expect I'm ready to help for
eventual changes. I can write docs in french, and in english if someone can
correct typo.

I hope to send recipes for fotoxx, printoxx, ufraw and exiftools this day,
if I have no problems with my connection. Wich is the good format for
modified recipes ? An archive with entire recipe and stuff or a patch that
you can import with hg ?


Thank to take time about that,
Gokhlayeh.

On Fri, 12 Mar 2010 18:42:31 +0000, Rohit Joshi <rj.rohit@xxxxxxxxx> wrote:
> Hi Gokhlayeh,
> 
> I have tested your conf. Accepted the main changes you proposed.  Good
> work.
> 
> Pushed it to the wok : http://hg.slitaz.org/slitaz-tools/rev/71139fa09dca
> 
> Please see if the changes are fine.
> 
> I haven't commented out iptables rules for HTTP server and other
> servers like you have done. Slightly lenient but I think this can be
> easily commented out by any user. As for IPV6, you may like to create
> a wiki page and explain it. This may be very useful. What do you
> think?
> 
> Rohit

---
SliTaz GNU/Linux Mailing list - http://www.slitaz.org/


Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/