
Re: Why not have firewall rules by default?

From: Riku Valli <riku.valli(at)vallit.fi>
Date: Wed Jan 23 2008 - 16:52:02 EST


William Twomey wrote:
> It's my understanding (and experience) that a Debian system by default
> is vulnerable to SYN flooding (at least when running services) and
> other such mischief. I was curious as to why tcp_syncookies (and
> similar things) are not enabled by default.
Sorry forgot that.

Submitted by admin <http://www.linuxinsight.com/user/1> on Thu, 2006-06-29 23:12.

Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common "syn flood attack". Disabled (0) by default.

Note that syncookies is a fallback facility. It must not be used to help highly loaded servers stand against a legal connection rate. If you see synflood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune other parameters until this warning disappears. See: tcp_max_syn_backlog <http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_max_syn_backlog.html>, tcp_synack_retries <http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_synack_retries.html>, tcp_abort_on_overflow <http://www.linuxinsight.com/proc_sys_net_ipv4_tcp_abort_on_overflow.html>.

syncookies seriously violate the TCP protocol, do not allow the use of TCP extensions, and can result in serious degradation of some services (for example SMTP relaying), visible not to you, but to your clients and relays contacting you. If you see synflood warnings in logs while not really being flooded, your server is seriously misconfigured.

Regards, Riku

>
> Many distros (RPM-based mostly from my experience) ask you during the
> install if you'd like to enable firewall protection. I was curious if
> debian was ever going to have this as an option?
>
> One solution could be to have a folder called /etc/security/iptables
> that contains files that get passed to iptables at startup (in the
> same way /etc/rc2.d gets read in numeric order). So you could have
> files like 22ssh, 23ftp, etc. with iptable rules in each file. You
> could also have an 'ENABLED' variable like some files in /etc/default
> have (so that ports wouldn't be opened by default; the user would have
> to manually enable them for the port to be opened).
> Then they'd just run /etc/init.d/iptables restart and the port would
> be opened (flush the rules, reapply).
>
> Even a central iptables-save format file that gets passed to iptables
> at startup would be nice. It's easy enough to do manually, but would
> be nice to see integrated with debian itself (packages managing their
> own rules, etc.).
>
> Is debian ever going to introduce a better way of having iptables
> rules be run at startup and easily saved/managed, or will this always
> be a manual process?
>
> Thanks!
>
> -Will
>
>

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
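As an added illustration of the per-service rule directory Will proposes above (example code, not from the thread or from Debian): files are read in numeric order, each carries an ENABLED variable, and the ruleset is flushed and reapplied. It assumes a hypothetical layout where each file sets ENABLED and a RULES variable, and IPTABLES defaults to a dry-run echo so the live ruleset is never touched.

```shell
#!/bin/sh
# Hypothetical directory of per-service rule files (22ssh, 23ftp, ...).
RULE_DIR="${RULE_DIR:-/etc/security/iptables}"
# Dry-run by default: prints the commands instead of changing the ruleset.
IPTABLES="${IPTABLES:-echo iptables}"

# make_sample_dir DIR: writes two constructed sample files for illustration.
# ssh is enabled, ftp is present but left disabled (closed by default).
make_sample_dir() {
    mkdir -p "$1"
    cat >"$1/22ssh" <<'EOF'
ENABLED=yes
RULES='-A INPUT -p tcp --dport 22 -j ACCEPT'
EOF
    cat >"$1/23ftp" <<'EOF'
ENABLED=no
RULES='-A INPUT -p tcp --dport 21 -j ACCEPT'
EOF
}

# apply_rule_dir DIR: flush, then source each numbered file in order and
# pass every line of RULES to iptables, skipping files unless ENABLED=yes.
apply_rule_dir() {
    dir="$1"
    $IPTABLES -F
    for f in "$dir"/[0-9]*; do
        [ -f "$f" ] || continue
        ENABLED=no
        RULES=
        # shellcheck disable=SC1090
        . "$f"
        [ "$ENABLED" = "yes" ] || continue
        printf '%s\n' "$RULES" | while IFS= read -r line; do
            [ -n "$line" ] || continue
            # Word splitting turns the rule line into iptables arguments.
            # shellcheck disable=SC2086
            $IPTABLES $line
        done
    done
}

if [ "$1" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_dir "$tmp"
    apply_rule_dir "$tmp"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the dry-run output; set `IPTABLES=iptables` and `RULE_DIR` to apply a real directory.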
Received on Wed Jan 23 17:05:41 2008

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:55:25 EDT
