Request scrutiny of ipchains script

Paul Melson melson@scnc.holt.k12.mi.us
Sun, 20 Aug 2000 08:40:15 -0400


On Sat, Aug 19, 2000 at 04:48:44PM -0400, Torgo Jr wrote:
> Attached is my first attempt at a fairly complete firewall 
> script for my home machine.  Could any of the GLLUG 
> security gurus take a look?  My net connection is a PPP 
> dialup thru Voyager, and I would like the usual output 
> stuff allowed (web, ssh, ftp, etc...).  Of course, over 
> my pathetic modem connection, I'm not running any services 
> meant for public use on my server.  Are there any holes 
> in the script, or anything I forgot?  I based it on 
> a web generated script from www.linux-firewall-tools.com 
> and changed a few things.  This will run on my Debian 
> Potato box on each PPP dialin.

	Looks fine.  Are you experiencing any problems
	with it, or just concerned about holes?

	I did see one thing that may be worth mentioning,
	although it's not directly a security problem.

--- cut ---

## set masquerade timeout to 10 hours for tcp connections

ipchains -M -S 36000 0 0

-- paste --

	We use a 12hr timeout for ipmasq-ed TCP sessions
	at Holt (due to a client/server database that our
	offices use and leave open pretty much all day).
	I've noticed that this has increased our system
	load and caused some lag in ipmasq traffic.  It's
	not much of an issue for most ppl since the 802.11
	external interface is slow enough that it's not
	noticeable, but I can see it when masquerading
	between two internal networks.  If I reset the
	timeout to its default, it goes away.  In theory,
	a large amount of traffic might be able to get
	the kernel busy enough for other rules to fail.
	However, if your external interface is 56Kbps
	PPP, I wouldn't lose any sleep over it.

	Anybody running a 2.4.0-test-x kernel know if
	this has been fixed?


PaulM

-- 
							_____________________
							melson@holt.k12.mi.us
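Added example, not part of the thread or of the linux-firewall-tools script: a small Python simulation of the masquerade table under the two TCP idle timeouts discussed, the script's `ipchains -M -S 36000 0 0` (10 hours) against an assumed 15-minute default, over a constructed workload of short web connections plus one database session that goes idle for two hours at a time. It shows the trade-off described above in numbers: the long timeout keeps the idle session alive but lets stale entries pile up in the table the kernel has to walk.

```python
"""Simulate masquerade-table growth for a given TCP idle timeout.

Constructed model, not kernel code: each entry records the time of the
last packet for a flow and is evicted once it has been idle longer than
the timeout.  The 15-minute default is an assumption for comparison.
"""

DEFAULT_TCP_TIMEOUT = 15 * 60   # seconds, assumed ipchains default
SCRIPT_TCP_TIMEOUT = 36000      # seconds, from `ipchains -M -S 36000 0 0`


def simulate(events, timeout):
    """Replay (time, flow) packets through a masq table with `timeout`.

    Returns (peak_entries, broken_flows): the largest table size seen and
    the flows whose entry was evicted between two of their own packets,
    i.e. sessions the firewall would have forgotten mid-conversation.
    """
    table = {}          # flow -> time of last packet
    seen_before = set()
    broken = set()
    peak = 0
    for t, flow in events:
        # expire idle entries, as the kernel's masq timer would
        for f in [f for f, seen in table.items() if t - seen > timeout]:
            del table[f]
        if flow not in table and flow in seen_before:
            broken.add(flow)    # state dropped while the flow was still alive
        table[flow] = t
        seen_before.add(flow)
        peak = max(peak, len(table))
    return peak, broken


def constructed_workload():
    """Eight hours of traffic: one DB session sending a query every 2 h,
    plus a new 3-packet web connection every 30 s.  Sample data only."""
    events = [(t, "db-session") for t in range(0, 8 * 3600 + 1, 2 * 3600)]
    for start in range(0, 8 * 3600, 30):
        events.extend((start + k, f"web-{start}") for k in range(3))
    events.sort()
    return events


if __name__ == "__main__":
    for label, timeout in (("default", DEFAULT_TCP_TIMEOUT),
                           ("script", SCRIPT_TCP_TIMEOUT)):
        peak, broken = simulate(constructed_workload(), timeout)
        print(f"{label:7} timeout={timeout:5}s  peak entries={peak:4}  "
              f"sessions dropped mid-conversation={sorted(broken)}")
```

With the default timeout the table stays around 30 entries but the idle DB session is dropped; with the 10-hour timeout nothing is dropped and the table holds every connection opened all day.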