Request scrutiny of ipchains script
Paul Melson
melson@scnc.holt.k12.mi.us
Sun, 20 Aug 2000 08:40:15 -0400
On Sat, Aug 19, 2000 at 04:48:44PM -0400, Torgo Jr wrote:
> Attached is my first attempt at a fairly complete firewall
> script for my home machine. Could any of the GLLUG
> security gurus take a look? My net connection is a PPP
> dialup thru Voyager, and I would like the usual output
> stuff allowed (web, ssh, ftp, etc...). Of course, over
> my pathetic modem connection, I'm not running any services
> meant for public use on my server. Are there any holes
> in the script, or anything I forgot? I based it on
> a web generated script from www.linux-firewall-tools.com
> and changed a few things. This will run on my Debian
> Potato box on each PPP dialin.
Looks fine. Are you experiencing any problems
with it, or just concerned about holes?
I did see one thing that may be worth mentioning,
although it's not directly a security problem.
--- cut ---
## set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0
-- paste --
We use a 12hr timeout for ipmasq-ed TCP sessions
at Holt (due to a client/server database that our
offices use and leave open pretty much all day).
I've noticed that this has increased our system
load and caused some lag in ipmasq traffic. It's
not much of an issue for most ppl since the 802.11
external interface is slow enough that it's not
noticeable, but I can see it when masquerading
between two internal networks. If I reset the
timeout to its default, it goes away. In theory,
a large amount of traffic might be able to get
the kernel busy enough for other rules to fail.
However, if your external interface is 56Kbps
PPP, I wouldn't lose any sleep over it.
Anybody running a 2.4.0-test-x kernel know if
this has been fixed?
PaulM
--
_____________________
melson@holt.k12.mi.us
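The load effect Paul describes comes from the size of the kernel's masquerade table: every masqueraded TCP session keeps its entry until it has been idle for the configured timeout, so a 10 or 12 hour timeout lets entries for long-dead connections pile up. The following model is an added example, not part of the thread or of the linux-firewall-tools script; it assumes a constructed workload of one new connection per second, each active for 30 seconds, and takes 15 minutes as the compiled-in TCP masquerade default, so that the 36000-second value from the post can be compared against it.

```python
from collections import namedtuple

# Timeouts in seconds. 36000 is the value from the reviewed script
# ("ipchains -M -S 36000 0 0"); 900 is assumed here to be the kernel's
# built-in default for established TCP masquerade entries.
SCRIPT_TCP_TIMEOUT = 36000
DEFAULT_TCP_TIMEOUT = 15 * 60

# A connection as the masquerade code sees it: the time of its first
# packet and the time of its last packet. The entry expires `timeout`
# seconds after the last packet (idle timeout), not after the first.
Conn = namedtuple("Conn", "first_packet last_packet")


def constructed_workload(count=40000, active_secs=30):
    """Constructed sample traffic: one new TCP connection per second,
    each exchanging packets for `active_secs` seconds and then going
    idle without a FIN that the masquerade code would notice."""
    return [Conn(t, t + active_secs) for t in range(count)]


def peak_live_entries(conns, timeout):
    """Sweep over entry-creation and entry-expiry events and return the
    largest number of masquerade entries alive at any one instant."""
    events = []
    for c in conns:
        events.append((c.first_packet, +1))          # entry created
        events.append((c.last_packet + timeout, -1))  # entry idle-expired
    # At equal timestamps the -1 sorts first, so an expiring entry frees
    # its slot before a new one is counted.
    events.sort()
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak


def steady_state_entries(rate_per_sec, active_secs, timeout):
    """Little's law cross-check: entries = arrival rate * time each entry
    spends in the table (its active life plus the idle timeout)."""
    return rate_per_sec * (active_secs + timeout)


def compare_timeouts(conns=None):
    """Return peak table sizes for the default and the script's timeout,
    plus how many times larger the table gets with the long timeout."""
    conns = conns if conns is not None else constructed_workload()
    default_peak = peak_live_entries(conns, DEFAULT_TCP_TIMEOUT)
    script_peak = peak_live_entries(conns, SCRIPT_TCP_TIMEOUT)
    return {
        "default_timeout_peak": default_peak,
        "script_timeout_peak": script_peak,
        "growth_factor": script_peak / default_peak,
    }


if __name__ == "__main__":
    result = compare_timeouts()
    print("peak entries, 15 min timeout :", result["default_timeout_peak"])
    print("peak entries, 10 h timeout   :", result["script_timeout_peak"])
    print("table growth factor          : %.1fx" % result["growth_factor"])
```

The sweep is what matters for a firewall host: at one connection per second the 10-hour timeout keeps roughly 36,000 entries alive where the default keeps under a thousand, and every new packet that does not match an existing entry costs a lookup in that table. On a 56k PPP link the arrival rate is far lower than the constructed workload, which is why Paul's advice not to worry applies there; between two internal networks at LAN speed the same multiplier shows up as the lag he observed.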