Quote:
Originally posted by Proud
I fail to see your point. Either you do not wish for some programs to start outbound connections, in which case configure them not to
without a firewall, how would you configure network access for a (possibly evil) program that isn't currently installed on your system??
Quote:
or you do wish them to start connections in which case you'd set your firewall to allow them anyway
yes, but ONLY them... by not using the firewall you are essentially allowing everything to go through, whether or not it's traffic that you consider necessary for your box's purpose...
without a firewall you have no centralized way of limiting network access for programs, and
no way at all to limit ones that aren't installed on your system at the current time... this includes SPYWARE and TROJANS...
here are some simple/stupid examples of what i mean:
INCOMING: let's say you have apache and vsftpd running on your box... so using your method, you'd make sure that those two are the only daemons running... you scan your box and you make sure every port except 21/tcp and 80/tcp is closed... okay... so here comes regular user joe and he logs into the box to work, but he's bored (or whatever) and so with a couple mouse clicks he installs a proxy server on your box (either on purpose or by accident - that's beside the point) and has it listening on 3128/tcp... see how easy that was?? he didn't have to do anything else (not even become root) and HE had a daemon listening on YOUR box (>1024/tcp)... so now you have your firewall-less box not only doing web and ftp, but also doing who knows what kinda proxying for who knows who... the bandwidth-stealing possibilities for the script kiddies will be endless... in no time your box could be serving up kiddie pr0n to the web and hosting a mirror for some script kiddie's customized knoppix cd... if you would have had a simple firewall (allowing only 80/tcp and 21/tcp), something as simple as:
Code:
# default policy: anything arriving on INPUT that no rule below accepts is dropped
iptables -P INPUT DROP
# replies and related traffic for connections the box already has
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are only accepted on eth0 to ftp (21/tcp) and http (80/tcp)
iptables -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT
then even though your web and ftp servers would be able to listen on the network, user joe
wouldn't have been able to make his proxy or trojan or whatever listen on the network (unless he would find a way to gain superuser powers and alter the firewall's rules)...
OUTGOING: let's say it's the box you installed for grandma... she just uses it (for example) to surf webmd.com and to check hotmail.com... the thing is one day she gets an evil executable in her mailbox... of course grandma doesn't even know what an executable is... well she clicks the bastard and guess what, an ftp session is initiated with some script kiddie's ftp server and all of grandma's documents are uploaded to it... so now grandma's privacy has been completely obliterated - all because you didn't wanna install a firewall for her... of course this is obviously just a ridiculous example (just enough to make a point), but since she only used webmd.com and hotmail.com you could have easily used a firewall to restrict outgoing traffic to 80/tcp and 443/tcp, which would have prevented the evil executable from starting an ftp session and sending grandma's docs over the internet:
Code:
# default policy: nothing leaves the box unless a rule below accepts it
iptables -P OUTPUT DROP
# packets belonging to connections that were already allowed out
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new outbound connections only to http (80/tcp) and https (443/tcp)
# (note: name lookups on 53/udp and loopback traffic are not allowed by these
#  rules either, so browsing by hostname would need an extra rule for them)
iptables -A OUTPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p TCP --dport 443 -m state --state NEW -j ACCEPT
or if it was a NAT firewall on a LAN it might look something like:
Code:
# default policy: nothing is routed between interfaces unless a rule below accepts it
iptables -P FORWARD DROP
# packets belonging to connections that were already allowed through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN (eth1) to the internet (eth0) only to 80/tcp and 443/tcp
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 --dport 443 -m state --state NEW -j ACCEPT
# rewrite the source address of everything leaving eth0 to the firewall's own (NAT)
iptables -t nat -A POSTROUTING -p ALL -o eth0 -j MASQUERADE
with those simple rules above i could also give a port-scan example... like, without a firewall any user could start port-scanning someone's server from your IP... they could sit there and portscan nsa.gov all day without your consent, for example... and the firewall logs at nsa.gov will show YOUR IP as the source of the scans... so when you come back home from work you find the men in black taking your computer away and your son/daughter is like "ummm... sorry dad..."... if you would have used the simple/stupid firewall rules above your son/daughter's port-scan would have never worked - even though they would still have been able to surf the web in peace...
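The following is an added example, not code from the post above: a small Python model of a stateful packet filter that evaluates the post's INPUT and OUTPUT rulesets (the ESTABLISHED,RELATED rule, the per-port NEW rules, and the DROP policy) over constructed packets. It shows why user joe's proxy on 3128/tcp never receives a connection, why the evil executable's ftp session and the port-scan are dropped while web traffic still flows, and one caveat the rules as written have. The Packet, Rule and Firewall classes, the scenario names, and the 192.0.2.0/24 addresses are all assumptions made for the example; the conntrack logic is a simplification of the kernel's.

```python
# Toy stateful filter modelled on the post's iptables rules (added example,
# not from the original post). First matching rule wins; otherwise the chain
# policy applies, exactly as iptables evaluates a chain.
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    chain: str                       # chain that sees it: INPUT, OUTPUT or FORWARD
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    syn: bool = False                # TCP SYN, i.e. the first packet of a connection


@dataclass(frozen=True)
class Rule:
    """One 'iptables -A <chain> ... -j <target>' line."""
    chain: str
    target: str
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    dport: Optional[int] = None
    states: FrozenSet[str] = frozenset()   # empty means no '-m state' match


class Firewall:
    def __init__(self, policies: Dict[str, str], rules: List[Rule]):
        self.policies = policies              # chain -> '-P' default target
        self.rules = rules
        self.conntrack: Set[FlowKey] = set()  # flows that were already accepted

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _state(self, p: Packet) -> str:
        # Assumption (simplified conntrack): a tracked flow in either direction is
        # ESTABLISHED; a TCP SYN or a first UDP datagram is NEW; a stray non-SYN TCP
        # packet with no flow is INVALID. Real conntrack is looser by default.
        if self._key(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ESTABLISHED"
        return "NEW" if (p.syn or p.proto == "udp") else "INVALID"

    def _matches(self, r: Rule, p: Packet) -> bool:
        return (r.chain == p.chain
                and (r.proto is None or r.proto == p.proto)
                and (r.in_iface is None or r.in_iface == p.in_iface)
                and (r.out_iface is None or r.out_iface == p.out_iface)
                and (r.dport is None or r.dport == p.dport)
                and (not r.states or self._state(p) in r.states))

    def filter(self, p: Packet) -> str:
        verdict = self.policies.get(p.chain, ACCEPT)   # chains default to ACCEPT
        for r in self.rules:
            if self._matches(r, p):
                verdict = r.target
                break
        if verdict == ACCEPT:
            self.conntrack.add(self._key(p))   # later packets of this flow are ESTABLISHED
        return verdict


EST, NEW = frozenset({"ESTABLISHED", "RELATED"}), frozenset({"NEW"})


def server_firewall() -> Firewall:
    """The post's INPUT ruleset: new connections only to 21/tcp and 80/tcp on eth0."""
    return Firewall({"INPUT": DROP}, [
        Rule("INPUT", ACCEPT, states=EST),
        Rule("INPUT", ACCEPT, proto="tcp", in_iface="eth0", dport=21, states=NEW),
        Rule("INPUT", ACCEPT, proto="tcp", in_iface="eth0", dport=80, states=NEW),
    ])


def grandma_firewall() -> Firewall:
    """The post's OUTPUT ruleset: new outbound connections only to 80/tcp and 443/tcp."""
    return Firewall({"OUTPUT": DROP}, [
        Rule("OUTPUT", ACCEPT, states=EST),
        Rule("OUTPUT", ACCEPT, proto="tcp", dport=80, states=NEW),
        Rule("OUTPUT", ACCEPT, proto="tcp", dport=443, states=NEW),
    ])


def run_scenarios() -> Dict[str, str]:
    """Constructed packets (documentation addresses); returns scenario -> verdict."""
    srv, gma = server_firewall(), grandma_firewall()
    web = Packet("INPUT", "tcp", "192.0.2.50", 40000, "192.0.2.1", 80, in_iface="eth0", syn=True)
    proxy = Packet("INPUT", "tcp", "192.0.2.50", 40001, "192.0.2.1", 3128, in_iface="eth0", syn=True)
    https = Packet("OUTPUT", "tcp", "192.0.2.20", 50000, "192.0.2.80", 443, syn=True)
    ftp = Packet("OUTPUT", "tcp", "192.0.2.20", 50001, "192.0.2.99", 21, syn=True)
    scan = Packet("OUTPUT", "tcp", "192.0.2.20", 50002, "192.0.2.77", 22, syn=True)
    dns = Packet("OUTPUT", "udp", "192.0.2.20", 50003, "192.0.2.53", 53)
    return {
        "inbound_web_syn": srv.filter(web),                    # apache reachable
        "inbound_web_data": srv.filter(replace(web, syn=False)),  # same flow, ESTABLISHED
        "inbound_proxy_syn": srv.filter(proxy),                # joe's 3128/tcp never reached
        "outbound_https_syn": gma.filter(https),               # hotmail still works
        "outbound_https_data": gma.filter(replace(https, syn=False)),
        "outbound_ftp_syn": gma.filter(ftp),                   # document upload blocked
        "outbound_scan_syn": gma.filter(scan),                 # port-scan from this box blocked
        "outbound_dns_query": gma.filter(dns),                 # caveat: 53/udp is blocked too
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The last scenario is the practical caveat: the OUTPUT rules in the post allow nothing but new 80/tcp and 443/tcp connections, so name resolution (53/udp) and loopback traffic are dropped as well, and a box running them would not browse by hostname until those are added. The same first-match logic explains the INPUT case: joe's proxy can bind 3128/tcp, but no SYN ever reaches it, so the listener is harmless to the outside world.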