On Sun, 24 Apr 2016 00:17:51 -0500
Michael Milliman <[email protected]> wrote:

> >> Any suggestions/comments would be much appreciated. Thanks
> >> very much.
> > Assuming you'd want to keep ufw, you'd need to worry about:
> >
> >> Chain ufw-after-input (1 references)
> >> target prot opt source destination
> >> ufw-skip-to-policy-input udp -- anywhere anywhere udp
> >> dpt:netbios-ns
> >> ufw-skip-to-policy-input udp -- anywhere anywhere udp
> >> dpt:netbios-dgm
> >> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp
> >> dpt:netbios-ssn
> >> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp
> >> dpt:microsoft-ds
> > There's no reason to accept these unless you're using Samba (either
> > the server or client).
> However, if you look at the ufw-skip-to-policy-input chain, it simply
> DROPs everything, so there is no hole here, as far as I can tell.
> Indeed, this chain specifies all protocols, from anywhere to anywhere,
> target DROP. So, in the end, all packets to these destination ports
> (dpt) are DROPed.

Good catch. I agree here. Although it would help to see if these rules
apply to a certain network interface (see below).

> >> ACCEPT udp -- anywhere anywhere udp
> >> spt:bootps dpt:bootpc
> > So, first they compose a perfectly good rule for DHCP client
> > (ufw-before-input chain), but then they allow udp:68 unconditionally in
> > ufw-after-input chain. I'll assume that something very clever is going
> > on here.
> Correct me if I'm wrong, however, the ufw-before-input chain concerns me
> greatly. The first rule here ACCEPTs all packets of all protocols
> coming from anywhere and going to anywhere. This appears to be an
> incredibly big hole. The above rule Reco mentions will never be seen,
> as it is quite a bit further down the chain, after everything has
> already been ACCEPTed. Surely, I'm reading something wrong? :-\

I believe this to be an artifact of 'iptables -L', and the actual rule
refers to the lo interface only.
For example, on my system this scary rule:

# iptables -nL INPUT | head -3
...
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Actually means this:

# iptables -nvL INPUT | head -3
...
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Reco
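An added audit helper, not part of the thread, that makes Reco's point mechanical: it parses the listing by its header row, so it can tell a chain printed with 'iptables -nvL' (which has the in/out columns) from one printed with 'iptables -nL' (which does not), and flags catch-all ACCEPT rules that are either bound to no interface or whose interface cannot be seen. The sample listings are constructed to mirror the ones quoted above, not captured from a real host.

```python
"""Flag 'ACCEPT all' rules in an iptables chain listing that are not limited to lo."""

# Constructed sample in the shape of 'iptables -nvL INPUT' (the in/out columns are present).
SAMPLE_NVL = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# The same chain as 'iptables -nL INPUT' would show it: no interface columns at all.
SAMPLE_NL = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_chain(text):
    """Return one dict per rule, keyed by the header's column names.

    Whatever follows the fixed columns (port matches, state, ...) lands in 'match'.
    """
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("Chain")]
    header = lines[0].split()
    rules = []
    for line in lines[1:]:
        fields = line.split(None, len(header))  # at most len(header)+1 fields
        rule = dict(zip(header, fields))
        rule["match"] = fields[len(header)] if len(fields) > len(header) else ""
        rules.append(rule)
    return rules


def unbounded_accepts(rules):
    """Return (interface, verdict) for ACCEPT rules matching all protocols and sources
    with no extra match, unless the rule is explicitly bound to lo."""
    findings = []
    for r in rules:
        if r["target"] != "ACCEPT" or r["prot"] != "all" or r["match"]:
            continue
        if r["source"] != "0.0.0.0/0":
            continue
        iface = r.get("in", "?")  # absent when the listing was made without -v
        if iface == "lo":
            continue  # the harmless case from the thread
        verdict = "accepts on every interface" if iface != "?" else "interface not shown; re-run with -v"
        findings.append((iface, verdict))
    return findings
```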

