Securing-Optimizing-RH-Linux-1_2_107
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
107
NAMESERVER_2
This is the IP address of your Secondary DNS Server from your network or your ISP.
LOOPBACK
The loopback address range is 127.0.0.0/8. The interface itself is addressed as 127.0.0.1 (in /etc/hosts).
PRIVPORTS
The privileged ports, 0 through 1023, are usually referenced in total.
UNPRIVPORTS
The unprivileged ports, 1024 through 65535, are usually referenced in total. They are the ports
dynamically assigned to the client side of a connection.
Default Policy
A firewall has a default policy and a collection of actions to take in response to specific message
types. This means that if a given packet has not been matched by any other rule, the default
policy is applied to it.
Enabling Local Traffic
Since the default policy in all the example firewall rules script files in this book is to deny
everything, some traffic must be explicitly allowed again. Local network services do not go through the
external network interface. They go through a special, private interface called the loopback
interface. None of your local network programs will work until loopback traffic is allowed.
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
Source Address Filtering
All IP packet headers contain the source and destination IP addresses and the type of IP protocol
message (ICMP, UDP or TCP) this packet contains. The only means of identification under the
Internet Protocol (IP) is the source address in the IP packet header. This is a problem that opens
the door to source address spoofing, where the sender may replace its address with either a
nonexistent address, or the address of some other site.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
Also, there are at least seven sets of source addresses you should refuse on your external
interface in all cases. These are incoming packets claiming to be from:
· Your external IP address
· Class A private IP addresses
· Class B private IP addresses
· Class C private IP addresses
· Class D multicast addresses
· Class E reserved addresses
· The loopback interface
With the exception of your own IP address, blocking outgoing packets containing these source
addresses protects you from possible configuration errors on your part.
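To make the three ideas of this section concrete (a default policy that applies when no rule matches, the loopback exemption, and the refusal of the seven source address sets on the external interface), the following is an added Python model of first-match packet filtering. It is example code written for this edition, not the book's firewall script and not part of ipchains itself. The interface names, the external address 203.0.113.10 and the sample packets are constructed, and the class boundaries (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4, 127.0.0.0/8) are the standard ones, assumed here because the book's variable definitions are not on this page.

```python
"""First-match packet filter model with a default policy, in the style of
ipchains. Hypothetical example code: interface names, the external address
and the test packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed stand-ins for the shell variables used by the book's scripts.
EXTERNAL_INTERFACE = "eth0"
LOOPBACK_INTERFACE = "lo"
IPADDR = "203.0.113.10"          # constructed external address (TEST-NET-3)

# Standard class boundaries (assumed; the book's own definitions are not on this page).
LOOPBACK = ip_network("127.0.0.0/8")
CLASS_A_PRIVATE = ip_network("10.0.0.0/8")
CLASS_B_PRIVATE = ip_network("172.16.0.0/12")
CLASS_C_PRIVATE = ip_network("192.168.0.0/16")
CLASS_D_MULTICAST = ip_network("224.0.0.0/4")
CLASS_E_RESERVED = ip_network("240.0.0.0/4")
BOGUS_SOURCES = (CLASS_A_PRIVATE, CLASS_B_PRIVATE, CLASS_C_PRIVATE,
                 CLASS_D_MULTICAST, CLASS_E_RESERVED, LOOPBACK)


@dataclass(frozen=True)
class Rule:
    """One ipchains-style rule: chain, interface (-i), optional source (-s),
    target (-j) and whether matches are logged (-l)."""
    chain: str
    interface: str
    source: Optional[IPv4Network]   # None means "any source"
    target: str                     # "ACCEPT" or "DENY"
    log: bool = False

    def matches(self, chain: str, interface: str, src) -> bool:
        if self.chain != chain or self.interface != interface:
            return False
        return self.source is None or src in self.source


def build_rules() -> List[Rule]:
    """Rules in the order the section presents them: loopback first, then
    the spoofed-own-address rule, then the refused source sets inbound and,
    except for the external address, outbound as well."""
    rules = [
        Rule("input", LOOPBACK_INTERFACE, None, "ACCEPT"),
        Rule("output", LOOPBACK_INTERFACE, None, "ACCEPT"),
        Rule("input", EXTERNAL_INTERFACE, ip_network(IPADDR), "DENY", log=True),
    ]
    for net in BOGUS_SOURCES:
        rules.append(Rule("input", EXTERNAL_INTERFACE, net, "DENY", log=True))
    for net in BOGUS_SOURCES:
        rules.append(Rule("output", EXTERNAL_INTERFACE, net, "DENY", log=True))
    return rules


def filter_packet(rules: List[Rule], chain: str, interface: str, src: str,
                  default_policy: str = "DENY") -> str:
    """Walk the chain in order; the first matching rule decides. If nothing
    matches, the chain's default policy applies."""
    address = ip_address(src)
    for rule in rules:
        if rule.matches(chain, interface, address):
            return rule.target
    return default_policy


def to_ipchains(rule: Rule) -> str:
    """Render a rule as the ipchains command line it models."""
    parts = ["ipchains", "-A", rule.chain, "-i", rule.interface]
    if rule.source is not None:
        parts += ["-s", str(rule.source)]
    if rule.log:
        parts.append("-l")
    parts += ["-j", rule.target]
    return " ".join(parts)


if __name__ == "__main__":
    ruleset = build_rules()
    for r in ruleset:
        print(to_ipchains(r))
    # Constructed packets: loopback traffic passes, a private source on the
    # external interface is refused, and an ordinary source falls through to
    # the default policy because no rule on this page accepts it.
    print(filter_packet(ruleset, "input", "lo", "127.0.0.1"))
    print(filter_packet(ruleset, "input", "eth0", "10.1.2.3"))
    print(filter_packet(ruleset, "input", "eth0", "198.51.100.7"))
```

The last sample shows why the book's scripts must add explicit ACCEPT rules for the services they want to offer: with a deny-everything default, an unremarkable public source address is refused until a later rule admits it.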