Is my computer safe enough if I use just iptables?

VJ vj at vijaygill.homelinux.net
Fri Oct 15 13:40:28 UTC 2004


Scot,
  Thanks a lot for your advice. I am now thinking whether I should go for
some boxed firewall or not. I used to think Linux was secure enough. I
have my iptables DROP by default and just open the required holes
(HTTP and SMTP) to let these services be used from the outside world. I do
not let my family log in as root. Only I am the boss of the machine. The
only reason I got a bit worried was that I am using this machine as my
development/tinkering/playing (MythTV etc.) machine + FIREWALL, with the
other machine (XP) being used by my wife.

  I have tested my firewall using Sygate's online firewall test and also
the same from Symantec. Both seemed to say my system was OK but then
suggested their own firewall software (which I dismissed as a sales
gimmick).

  I am still a bit confused, so I will do more research.

Regards from
VJ

On Fri, October 15, 2004 2:08 pm, Scot L. Harris said:
> On Fri, 2004-10-15 at 07:32, VJ wrote:
>> Hi,
>>   I have a firewall script using iptables which runs from
>> /etc/rc.d/rc.local. This script does nothing except allow just http and
>> smtp from the outer world (inbound). All types of connections are
>> allowed from the machine to the outer world (outbound). I have not set
>> anything else like in hosts.deny/hosts.allow or sshd.conf.
>>   My question is, according to your knowledge, is my computer safe
>> enough?
>> Till now I have not suffered from any problem, but this cannot go on
>> forever.
>
> I don't know that anyone can judge if your system is "safe enough".  A
> lot of that depends on how much risk you are willing to take with your
> system.  I guess if you provide your IP address there would be a lot of
> people willing to scan and try to hack your system for you, but I don't
> think you really want to invite that kind of attention. :)
>
> For home users I always recommend using one of those cheap hardware
> firewalls between your systems and the Internet.  I know they are not
> perfect but they are simple and easy to use.  I recommend this as they
> are cheap and easy to set up and once in place you don't really have to
> worry about them.  If you have your system directly connected then at
> some point you may do something which stops iptables and could expose a
> whole slew of ports and services to the Internet which may or may not
> have vulnerabilities.  Particularly if you did not go through your
> system and disable all unused services.
>
> In the real world where you have regular firewalls in place most
> companies not only block most things from coming into their network but
> also block most things going out of their network.  This prevents a lot
> of trojans from connecting to their master servers from inside the
> firewall (although a lot of stuff tries to use port 80 and other similar
> ports for services that are normally allowed to exit your LAN, but then
> you can use proxies to handle some of that).
>
> So it really comes down to a risk assessment that you have to do based
> on your requirements.  Remember, there is nothing 100% secure that is
> connected to the Internet.  You have to put enough security on your
> system so that the vast majority of hackers don't find your system
> easier to hack than someone else's system.  If you can achieve that then
> you are probably secure enough.
>
> Kind of like the two guys who stumble on a tiger in the woods.  The
> first guy bends down and starts to change into tennis shoes.  The other
> guy says "Don't you think you better be trying to outrun the tiger?"
> The first guy says, "Don't have to, I just have to outrun you."
>
>
> --
> Scot L. Harris
> webid at cfl.rr.com
>
> Go climb a gravity well!
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
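An added example, not VJ's script nor anything posted in the thread: a deny-by-default iptables ruleset that opens only HTTP and SMTP inbound, as VJ describes, and also restricts outbound traffic, as Scot recommends. The interface name eth0 and the list of allowed outbound ports are assumptions; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not VJ's script: deny-by-default iptables rules that open
# only HTTP and SMTP inbound (as VJ describes) and also restrict outbound
# traffic (as Scot recommends). IPT and WAN_IF are assumptions; run with
# IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"        # assumed name of the Internet-facing interface

INBOUND_TCP="80 25"             # services the outside world may reach
OUTBOUND_TCP="80 443 25 22"     # services this host may open to the outside
OUTBOUND_UDP="53 123"           # DNS and NTP

firewall_rules() {
    # Clean slate, then DROP by default on every built-in chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus packets belonging to connections already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only inbound holes: new connections to the listed TCP ports.
    for p in $INBOUND_TCP; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Egress filtering: anything not listed cannot "phone home" from here.
    for p in $OUTBOUND_TCP; do
        $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $OUTBOUND_UDP; do
        $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport "$p" -j ACCEPT
    done

    # Log (rate-limited) what the DROP policies are about to discard, so an
    # unexpected outbound attempt is visible in the system log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

# Usage (as root): . ./firewall.sh && firewall_rules
# Dry run:         IPT=echo sh -c '. ./firewall.sh && firewall_rules'
```

Because OUTPUT defaults to DROP, the ESTABLISHED,RELATED rule is what keeps an existing ssh session alive while the rules load; check the dry run before applying on a remote box.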
