Thread: Hey all you firewall creators -- Let's talk

  1. #1
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Hey all you firewall creators -- Let's talk

    On the subject of Linux firewalls, there seems to be a lot of discussion about opening or allowing certain ports; however, a lot of the other finer nuances seem to be missed.

    I often see code floating around the internet such as the following, which is commonly added to IP start-up scripts:

    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

    Are these kernel modifications really effective, and are there others that should be added to any firewall startup script?

  2. #2
    Dangertux
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Hey all you firewall creators -- Let's talk

    Quote Originally Posted by kevdog
    On the subject of Linux firewalls, there seems to be a lot of discussion about opening or allowing certain ports; however, a lot of the other finer nuances seem to be missed.

    I often see code floating around the internet such as the following, which is commonly added to IP start-up scripts:

    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

    Are these kernel modifications really effective, and are there others that should be added to any firewall startup script?
    These are all kernel tuneables, and they can be very effective depending on the desired result. There are a few in there that are performance as opposed to security enhancements, and I would think they depend heavily on the type of traffic you're expecting to see. From a system security point of view, the ones that I feel are important are the following:

    Code:
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    These tuneables all focus on either logging or deterring traffic that could be used in a malicious nature.

    Hope this helps
    Last edited by Dangertux; March 18th, 2012 at 03:03 PM.
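
The script below is an added example and is not code from this thread or from either poster. It takes the six tunables Dangertux singled out as security-relevant, audits a system against them and renders them as a sysctl.d fragment, which is the persistent alternative to echoing into /proc/sys from a start-up script. The dotted sysctl keys are assumed to map one-to-one onto the /proc/sys paths quoted above (which is how sysctl names are formed). To make it runnable offline, the audit takes a root directory argument, and the block constructs a fake /proc/sys tree with two deliberately wrong values; the file name 60-firewall.conf mentioned in the comments is a suggestion, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the security-relevant tunables
# from the discussion and renders them for /etc/sysctl.d. The audit reads
# ROOT/proc/sys/... so it can be exercised offline against a constructed
# tree; pass "" (or nothing) to audit the running kernel read-only.

# Expected values, in sysctl dotted notation (assumed to mirror the
# /proc/sys paths quoted in the thread one-to-one).
EXPECTED="
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=2
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
"

# Map a dotted key to its file under ROOT/proc/sys. Caveat: per-interface
# keys whose interface name contains a dot (VLAN devices such as eth0.100)
# would need escaping; none of the keys above name an interface.
key_to_path() {
    printf '%s/proc/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Print one report line per key; the exit status is the number of
# mismatches. A missing file (kernel without that tunable) also counts.
audit_sysctl() {
    root="${1:-}"
    bad=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        path="$(key_to_path "$root" "$key")"
        if [ -r "$path" ]; then
            have="$(cat "$path")"
        else
            have="<missing>"
        fi
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Same audit, but prints the mismatch count on stdout (handy under set -e).
mismatch_count() {
    n=0
    audit_sysctl "$1" >/dev/null || n=$?
    echo "$n"
}

# Render the expected values as "key = value" lines, i.e. the format of a
# fragment such as /etc/sysctl.d/60-firewall.conf (suggested name only).
render_sysctl_conf() {
    echo "# security-related tunables discussed in the thread"
    for pair in $EXPECTED; do
        echo "${pair%%=*} = ${pair#*=}"
    done
}

# Build a constructed fake /proc/sys tree in a temp dir for offline use.
# Two values deliberately deviate: rp_filter=0 and send_redirects=1.
make_fake_tree() {
    fake_root="$(mktemp -d)"
    for pair in $EXPECTED; do
        key="${pair%%=*}"
        val="${pair#*=}"
        case "$key" in
            net.ipv4.conf.all.rp_filter)      val=0 ;;
            net.ipv4.conf.all.send_redirects) val=1 ;;
        esac
        path="$(key_to_path "$fake_root" "$key")"
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "$val" > "$path"
    done
    echo "$fake_root"
}

# Demonstration against the constructed tree (2 mismatches expected).
# Replace "$fake" with "" to audit the live kernel; no root is required.
fake="$(make_fake_tree)"
audit_sysctl "$fake" || echo "$? tunable(s) differ from the expected values"
rm -rf "$fake"
```

Running `audit_sysctl ""` on a real box gives a quick compliance check after boot, and `render_sysctl_conf` output dropped into sysctl.d is applied by `sysctl --system`, so the settings no longer depend on a firewall script having run.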

  3. #3
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Hey all you firewall creators -- Let's talk

    Any more kernel tuneables of any value in terms of security? It seems these "details" are often a footnote.

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Hey all you firewall creators -- Let's talk

    Quote Originally Posted by kevdog
    Any more kernel tuneables of any value in terms of security? It seems these "details" are often a footnote.
    Best links I know are

    http://www.puschitz.com/SecuringLinu...rityParameters

    http://www.cyberciti.biz/faq/linux-k...ity-hardening/

    The second is mainly networking.

    From there it "degenerates" to kernel documentation fairly rapidly.

    http://www.kernel.org/doc/Documentat...parameters.txt
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta