On Wed, Sep 29, 1999 at 04:31:05AM -0500, Francois Gurin wrote:
>
> Minimum hassle/inconvenience is mutually exclusive of minimum harm.
> Looking at the example set forth by some of the other distributions
> (and more than a few operating systems), the reduced hassle of
> installation and administration is traded for security (which I
> hope most people will agree is harmful).
>
One way to minimize the harm of unintentionally installed or misconfigured
daemons would be to add a default ipchains/ipfwadm policy rejecting all TCP
SYN (incoming initialization) and non-DNS UDP packets except those from
localhost. Daemon maintainers could then add commented-out or localhost-only
examples in their init.d scripts, which could be modified by the sysadmin to
their local policies. The brave could answer no in netbase's postinst to a
default deny policy. The DNS rule begs to be tightened up. Non-IP daemons
(netatalk) are outside the scope of an IP firewall, but maybe netfilter will
have a cure for that.

I'd prefer to just remove the Conflicts: and allow the daemons to race for
the service number. It can be very useful to run different daemons on
different aliases, ports, or interfaces. Alternatively some daemons could
default to unique numbers (e.g. squid/junkbuster), requiring sysadmin
intervention to reconfigure if a well-known port was preferred.

/etc/init.d/daemon
------------------
case "$1" in
  start)
    # start http daemon here
    #
    # open the service port for whichever kernel firewall is present
    # if [ -e /proc/net/ip_fwchains ]; then
    #     ipchains -I input 1 -j ACCEPT -p tcp -d 0/0 http
    # elif [ -e /proc/net/ip_input ]; then
    #     ipfwadm -I -i accept -P tcp -D 0/0 http
    # fi
    #
    ;;
  stop)
    #
    # remove the same rule again (ipfwadm deletes with -d; -D is the
    # destination-address option, not a command)
    # if [ -e /proc/net/ip_fwchains ]; then
    #     ipchains -D input -j ACCEPT -p tcp -d 0/0 http
    # elif [ -e /proc/net/ip_input ]; then
    #     ipfwadm -I -d accept -P tcp -D 0/0 http
    # fi
    #
    # stop http daemon here
    ;;
esac

/etc/init.d/network
-------------------
# comment these out if you don't want to self firewall
if [ -e /proc/net/ip_fwchains ]; then
    # loopback and our own address are trusted
    ipchains -A input -j ACCEPT -s localhost
    ipchains -A input -j ACCEPT -s ${IPADDR}
    ipchains -A input -j ACCEPT -p icmp
    # TCP that is not a bare SYN, i.e. replies to connections we opened
    ipchains -A input -j ACCEPT -p tcp -d ${IPADDR} \! -y
    # UDP from source port domain (DNS replies), logged
    ipchains -A input -j ACCEPT -p udp -d ${IPADDR} -s 0.0.0.0/0 domain -l
    # everything else: log and deny
    ipchains -A input -j DENY -l
elif [ -e /proc/net/ip_input ]; then
    ipfwadm -I -a accept -S localhost
    ipfwadm -I -a accept -S ${IPADDR}
    ipfwadm -I -a accept -P icmp
    # -k: only TCP packets with ACK set (same idea as ipchains' ! -y)
    ipfwadm -I -a accept -P tcp -D ${IPADDR} -k
    # DNS replies come from source port domain, so match on -S, not -D
    ipfwadm -I -a accept -P udp -S 0.0.0.0/0 domain -D ${IPADDR} -o
    ipfwadm -I -a deny -o
fi

/etc/ppp/ /etc/pcmcia/ ip-(up|down).d/...
-----------------------------------------
# need similar rules here too with new IP numbers
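As an added illustration (not part of the original post, nor code from netbase or any Debian package), the two ideas above folded into shell functions: one per-daemon helper that emits the open/close rule for whichever kernel firewall the /proc files reveal, so an init.d script makes a single call instead of repeating the if/elif block, and a tightened form of the DNS rule that accepts replies only from the nameservers listed in resolv.conf rather than from 0.0.0.0/0. The helper names, the run wrapper and the FW_DRYRUN variable are this example's own assumptions; the 192.0.2.x / 198.51.100.x addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.  Helper names
# (run, fw_backend, fw_service_rule, fw_dns_rules) and the FW_DRYRUN
# variable are assumptions of this example.

# run CMD...: apply a rule, or only print it when FW_DRYRUN is set, so the
# script can be exercised on a host that has neither ipchains nor ipfwadm.
run() {
    if [ -n "${FW_DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fw_backend: which kernel firewall is present, decided from the same
# /proc files the init.d snippets test; prints "none" if neither exists.
fw_backend() {
    if [ -e /proc/net/ip_fwchains ]; then
        echo ipchains
    elif [ -e /proc/net/ip_input ]; then
        echo ipfwadm
    else
        echo none
    fi
}

# fw_service_rule BACKEND start|stop PROTO SERVICE
#   Insert (start) or delete (stop) the input rule that accepts PROTO
#   packets to port SERVICE from anywhere.  Inserting at position 1 puts
#   the exception ahead of the appended default-deny rules, so it wins.
#   ipfwadm's delete command is -d; -D is the destination-address option.
fw_service_rule() {
    backend=$1; action=$2; proto=$3; service=$4
    case "$backend/$action" in
        ipchains/start) run ipchains -I input 1 -j ACCEPT -p "$proto" -d 0/0 "$service" ;;
        ipchains/stop)  run ipchains -D input -j ACCEPT -p "$proto" -d 0/0 "$service" ;;
        ipfwadm/start)  run ipfwadm -I -i accept -P "$proto" -D 0/0 "$service" ;;
        ipfwadm/stop)   run ipfwadm -I -d accept -P "$proto" -D 0/0 "$service" ;;
        none/start|none/stop) : ;;   # no packet filter in this kernel
        *) echo "fw_service_rule: bad arguments: $*" >&2; return 1 ;;
    esac
}

# fw_dns_rules BACKEND IPADDR [RESOLV_CONF]
#   Tightened DNS rule: accept UDP from source port "domain" only from the
#   nameservers listed in RESOLV_CONF (default /etc/resolv.conf), not from
#   0.0.0.0/0.  One rule per nameserver.  DNS over TCP needs nothing here:
#   the server's reply is not a bare SYN, so the "! -y" / "-k" rule covers it.
fw_dns_rules() {
    backend=$1; ipaddr=$2; resolv=${3:-/etc/resolv.conf}
    case "$backend" in
        ipchains|ipfwadm|none) ;;
        *) echo "fw_dns_rules: unknown backend: $backend" >&2; return 1 ;;
    esac
    # every "nameserver X" line; comments and search/options lines are skipped
    awk '$1 == "nameserver" { print $2 }' "$resolv" | while read -r ns; do
        case "$backend" in
            ipchains) run ipchains -A input -j ACCEPT -p udp -s "$ns" domain -d "$ipaddr" ;;
            ipfwadm)  run ipfwadm -I -a accept -P udp -S "$ns" domain -D "$ipaddr" ;;
        esac
    done
}

# Stand-alone demo in dry-run mode with a constructed resolv.conf.
FW_DRYRUN=1
fw_service_rule ipchains start tcp http
fw_service_rule ipfwadm stop tcp http
demo_resolv=$(mktemp)
printf 'nameserver 192.0.2.53\nsearch example.net\nnameserver 198.51.100.2\n' > "$demo_resolv"
fw_dns_rules ipchains 192.0.2.10 "$demo_resolv"
rm -f "$demo_resolv"
```

In an init.d script the call would be `fw_service_rule "$(fw_backend)" start tcp http` with FW_DRYRUN unset; the per-nameserver rules belong in /etc/init.d/network (and the ip-up scripts) in place of the 0.0.0.0/0 line, and have to be regenerated whenever resolv.conf changes, which is the price of the tighter match.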