Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 2165  308K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
Chain OUTPUT (policy DROP 168 packets, 10072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    6   716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

On Mon, May 23, 2016 at 6:01 PM, Ralph Sanchez <rwsanch...@gmail.com> wrote:
> Also, it seems if I only allow Related and Established on OUTPUT I
> cannot access the internet, 90 percent of packets get dropped when I
> try to connect to anything, but allowing new established allows
> connection...but also any software would be able to call home.
>
> On Mon, May 23, 2016 at 5:28 PM, Ralph Sanchez <rwsanch...@gmail.com> wrote:
>> Thanks for the clarification : ) And you didn't confuse the two
>> explicitly, but I wasn't sure if you were advising allow NEW,RELATED/
>> NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I
>> know.
>>
>> I have read through quite a few manuals and online forums, although no
>> RFCs...I'm not really sure I know what they are even haha. I have
>> configured myself pretty well, editing PAM and my sysctl.conf file
>> rigorously, BIOS passwording and denying USB boots without admin
>> access to the BIOS, as well as other various activities including
>> attempting to configure SELinux, which is nigh impossible to do and
>> have it have any effect on Jessie right now, at least as far as me and
>> someone else could find.
>>
>> I have noticed that DROP on invalid first actually drops more packets
>> than simply allowing Established, related...does this imply a packet
>> can have more than one state??
>>
>> On Mon, May 23, 2016 at 5:20 PM, Einhard Leichtfuß <e...@respiranto.de>
>> wrote:
>>> On 2016-05-23 22:32, Ralph Sanchez wrote:
>>>> On Mon, May 23, 2016 at 4:13 PM, <deb...@respiranto.de> wrote:
>>>>> On 2016-05-23 19:54, Ralph Sanchez wrote:
>>>>>> Yes, this is a personal laptop. If you notice, I have default POLICY
>>>>>> as DROP, which means if I don't accept on ports 80 and 443 I can't
>>>>>> accept HTTPS and HTTP, correct? I'm still learning how all this works,
>>>>>> but that's what it seemed to me and was explained in other guides and
>>>>>> tutorials I needed to do. And if I don't ACCEPT there, I don't get any
>>>>>> web pages whatsoever.
>>>>> Whenever you perform an HTTP(S) request, the response should be treated
>>>>> as RELATED, hence allowing all RELATED inbound traffic should suffice.
>>>>
>>>> So, would it be better to not base any outgoing connections off
>>>> stateful connections and simply just allow them via port, since either
>>>> way the port is going to allow both wanted traffic and possible
>>>> subversion, if malicious software passed the input? Or maybe put the
>>>> 443 ACCEPT before the stateful filtering, and only allow established
>>>> state?
>>> As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in-
>>> and outbound connections. I might have mixed up RELATED and ESTABLISHED
>>> a little in the former emails, by the way. Apart from that, you may
>>> block as much as you want. And I would suggest blocking any other INPUT
>>> (except for icmp (possibly partly) and lo). But again, if you really
>>> want to secure your box, take the time to thoroughly read a few manuals
>>> and possibly even a few RFCs.
>>>>
>>>>
>>>>>> Thanks for the advice on NEW, I haven't seen much said about it so
>>>>>> I'll take that advice and just enable RELATED as well, considering
>>>>>> that solves the biggest problem I had as far as still accessing the
>>>>>> web.
>>>>>>
>>>>>> And as far as blocking outbound, I just don't see any reason to allow
>>>>>> any more data in or out at any moment than is absolutely needed, and
>>>>>> it should help mitigate some malicious software calling home even if
>>>>>> it does get through into my system.
>>>>> It could still connect via 80,443. However, you are right, your setup
>>>>> will block those malicious pieces of software that do not try to use
>>>>> those (and that do not gain root rights).
>>>>
>>>> Yeah, I wasn't sure whether I should leave those options in or just go
>>>> off stateful...see previous statement. Also, if something gains root
>>>> rights in my system, then I've got more problems than a faulty
>>>> firewall.
>>>>
>>>>>> Thanks for the reading, that's where I'm heading now : )
>>>>
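The ruleset the thread converges on, written out as an added example (it is not part of the thread and not Ralph's posted configuration; the script name gen_rules.sh and the functions gen_ruleset, rule_index and check_order are assumed names). It is a POSIX sh script that emits an iptables-restore file: default DROP on every chain, INVALID dropped first, replies accepted by conntrack state, and NEW outbound connections allowed only to DNS plus an explicit TCP port list. Two things worth seeing in code because the posted counters already show them: the first packet of a connection this host opens is NEW on OUTPUT and its reply is ESTABLISHED on INPUT (RELATED covers things such as ICMP errors tied to an existing connection), so accepting only RELATED,ESTABLISHED on OUTPUT blocks every new connection; and chains match top to bottom, so in the first posted OUTPUT chain the catch-all "ctstate NEW,ESTABLISHED" ACCEPT sits above "tcp dpt:443" and the port rule can never match, which its 0/0 counter reflects. Restricting NEW to 80 and 443 still lets software call home over those ports, as the thread notes; the list is a choice, not a guarantee.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for
# a single laptop. Arguments: TCP destination ports local software may open
# NEW connections to (e.g. 80 443). All names here are assumed.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'

    # INPUT: conntrack cannot classify INVALID packets, so drop them before
    # any ACCEPT sees them. Replies to connections this host opened arrive
    # as ESTABLISHED (ICMP errors for them as RELATED), which is why no
    # "dpt:80" or "dpt:443" rule is needed on INPUT.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type redirect -j DROP'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

    # OUTPUT: the stateful ACCEPT carries the rest of an open connection but
    # never matches its first packet, which is NEW. NEW is accepted only for
    # DNS and the listed TCP ports; anything else a program tries to "call
    # home" on hits the DROP policy. Order matters: a broad
    # "--ctstate NEW,ESTABLISHED -j ACCEPT" above these port rules would
    # make them unreachable.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# rule_index FIXED_STRING: reads a ruleset on stdin and prints the 1-based
# line of the first rule containing FIXED_STRING (empty if none). Chains are
# evaluated top to bottom, so this is how rule order is checked.
rule_index() {
    grep -n -F -- "$1" | head -n 1 | cut -d : -f 1
}

# check_order PORTS...: returns 0 when the generated OUTPUT chain drops
# INVALID before its stateful ACCEPT and places every port rule after it.
check_order() {
    set_out=$(gen_ruleset "$@")
    inv=$(printf '%s\n' "$set_out" | rule_index '-A OUTPUT -m conntrack --ctstate INVALID')
    est=$(printf '%s\n' "$set_out" | rule_index '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED')
    [ -n "$inv" ] && [ -n "$est" ] && [ "$inv" -lt "$est" ] || return 1
    for port in "$@"; do
        p=$(printf '%s\n' "$set_out" | rule_index "--dport $port -m conntrack --ctstate NEW")
        [ -n "$p" ] && [ "$est" -lt "$p" ] || return 1
    done
    return 0
}

# Usage: sh gen_rules.sh 80 443 | sudo iptables-restore --test
if [ "$#" -gt 0 ]; then
    check_order "$@" || { echo 'rule order broken' >&2; exit 1; }
    gen_ruleset "$@"
fi
```

Run it with the ports you want, pipe the output through iptables-restore --test to parse-check it without loading, then through iptables-restore to apply, and compare iptables -L -v -n afterwards: the dpt rules on OUTPUT should now accumulate packets, and nothing else should show a NEW match.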