A long time ago at a university far, far away, Wietse Venema created the tcp-wrapper
package, and ever since, it's been used to add a layer of protection to network services
all over the world. This is good, but tcp-wrappers have flaws. For starters, they only
protect TCP services, as the name suggests. Also, unless you run your service from inetd,
or you have specifically compiled it with libwrap and the appropriate hooks, your service
isn't protected. This leaves gigantic holes in your host security. We can plug these up by
using ipf on the local host. For example, my laptop often gets plugged into or dialed into
networks that I don't specifically trust, and so I use the following rule set:
pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
It's been like that for quite a while, and I haven't suffered any pain or anguish as
a result of having ipf loaded up all the time. If I wanted to tighten it up more, I could
switch to using the NAT ftp proxy and I could add in some rules to prevent spoofing. But
even as it stands now, this box is far more restrictive about what it presents to the
local network and beyond than the typical host is. This is a good thing if you happen to
run a machine that allows a lot of users on it, and you want to make sure one of them
doesn't happen to start up a service they weren't supposed to. It won't stop a malicious
hacker with root access from adjusting your ipf rules and starting a service anyway, but
it will keep the "honest" folks honest, and your weird services safe, cozy and
warm even on a malicious LAN. A big win, in my opinion. Using local host filtering in
addition to a somewhat less-restrictive "main firewall" machine can solve many
performance issues as well as political nightmares like "Why doesn't ICQ
work?" and "Why can't I put a web server on my own workstation? It's MY
WORKSTATION!!" Another very big win. Who says you can't have security and convenience
at the same time?
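To make the ordering of that laptop rule set concrete, here is an added Python evaluator (example code, not part of the HOWTO or of ipf itself). It walks the rules the way ipf does, every rule is tested and the last match wins unless a matching rule says quick, and it reports the verdict together with whether the packet would be logged by "block in log all". It assumes a non-loopback interface named ne0 for the sample packets and does not model keep state or keep frags, so every verdict is for a packet that has no existing state entry.

```python
RULES = [  # the laptop rule set from the text, one rule per entry
    "pass in quick on lo0 all",
    "pass out quick on lo0 all",
    "block in log all",
    "block out all",
    "pass in quick proto tcp from any to any port = 113 flags S keep state",
    "pass in quick proto tcp from any to any port = 22 flags S keep state",
    "pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state",
    "pass out quick proto icmp from any to any keep state",
    "pass out quick proto tcp/udp from any to any keep state keep frags",
]

def parse_rule(line):
    """Parse one rule into a dict; only the syntax used in this rule set is handled."""
    t = line.split(); r, i = {"action": t[0], "dir": t[1]}, 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "log"):   r[w] = True; i += 1
        elif w in ("on", "flags"):  r[w] = t[i + 1]; i += 2
        elif w == "proto":          r[w] = t[i + 1].split("/"); i += 2  # 'tcp/udp' = either
        elif w in ("from", "to"):   # only 'any' hosts appear in this rule set
            key, i = ("sport" if w == "from" else "dport"), i + 2
            if i < len(t) and t[i] == "port":   # 'port = N' or 'port A >< B'
                eq = t[i + 1] == "="            # store an exclusive (lo, hi) range;
                r[key] = ((int(t[i + 2]) - 1, int(t[i + 2]) + 1) if eq  # '= N' is (N-1, N+1)
                          else (int(t[i + 1]), int(t[i + 3])))
                i += 3 if eq else 4
        else: i += 1                # 'all', 'keep', 'state', 'frags' carry no match data
    return r

def matches(r, pkt):
    """Does pkt match r?  'flags S' is ipf's S/SA mask: SYN set and ACK clear."""
    if r["dir"] != pkt["dir"] or r.get("on", pkt["iface"]) != pkt["iface"]:
        return False
    if pkt["proto"] not in r.get("proto", [pkt["proto"]]):
        return False
    for key in ("sport", "dport"):
        if key in r and not r[key][0] < pkt.get(key, 0) < r[key][1]:
            return False
    f = pkt.get("flags", "")
    return r.get("flags") != "S" or ("S" in f and "A" not in f)

def verdict(pkt):
    """Return (action, logged): last match wins unless 'quick'; unmatched packets pass."""
    result = ("pass", False)
    for r in map(parse_rule, RULES):
        if matches(r, pkt):
            result = (r["action"], r.get("log", False))
            if r.get("quick"): break
    return result
```

Call verdict() with a packet dict such as {"dir": "in", "iface": "ne0", "proto": "tcp", "sport": 40000, "dport": 22, "flags": "S"} (a constructed sample; the interface name is assumed) and it returns ('pass', False), while the same packet with only ACK set returns ('block', True), because without a state entry "block in log all" is the last rule that matched.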