
#1 2013-01-31 10:13:33

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Suggestion for setting a firewall according to my needs

I've decided to improve the security of my system by setting up a firewall configuration.

So I've started reading tutorials/documentation on the web about the topic, but I'm a bit disappointed/confused.
I don't understand why there is a great effort on setting up INPUT rules to the detriment of OUTPUT rules.

I mean...
From my point of view the main problem is as follows:
    1) there are dozens of sensitive files (mainly those containing personal passwords) on the filesystem;
    2) I DO want such files NOT to be read by anyone.

I absolutely do NOT care about viruses or other system-destroying programs: if something happens to my system, I do not even spend time investigating: I simply boot Parted Magic, connect the external hard drive and restore one of my working images (net time: 10-15 minutes).
I create such images on a regular basis, so that I have an archive of perfectly working systems to be used when needed.

So my main concern is not the protection of the stability of my system, but instead the protection of my personal (sensitive) data.

As a consequence, I suppose what I want to secure is the OUTPUT side of connections (or maybe I'm wrong?).

My real worry is like this:
"Ok, I'm opening a text file containing my credit card passwords with my favourite text editor. Am I sure such a text editor is not malicious software? Is it possible the (say, gedit) binary is corrupted in such a way that it sends my personal data online? How to prevent such malicious behaviour?"

So what I'm really searching for is maybe a program giving me the power to allow internet access to only a small fraction of my programs (i.e.: disable internet access to all programs/processes except a few I explicitly mention).

But this is just an idea...

Please, tell me what you think about such arguments.
Any advice will be appreciated.

Thanks in advance...

Last edited by zero-giulio (2013-01-31 10:26:53)


#2 2013-01-31 11:20:42

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Suggestion for setting a firewall according to my needs

If you have files that you want to protect you need encryption.

-> Truecrypt
-> GPG (keep in mind that when you decrypt a GPG-encrypted file it is written in plain text to wherever, so only decrypt it to a tmpfs/ramdisk or to an encrypted partition.)
-> LUKS/dm-crypt

As for this

1) there are dozens of sensible files (mainly those containing personal password) on filesystem;

You should look into LastPass or KeePassx
https://lastpass.com/
community/keepassx

I use LastPass. LastPass will also let you store encrypted files as attachments to secure notes. Just make sure to set a REALLY long passphrase to your LastPass account. I also would set it to do more like 1000 or better rounds of encryption. I have it set at 1,500 rounds. Also, get a YubiKey https://www.yubico.com/

As for your firewall. That is simply mandatory for all hosts and networks.

I suggest you use arno-iptables-firewall

https://aur.archlinux.org/packages/arno … -firewall/
https://aur.archlinux.org/packages/syst … -firewall/

Last edited by hunterthomson (2013-01-31 13:06:51)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#3 2013-01-31 14:07:18

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Re: Suggestion for setting a firewall according to my needs

Yes man, this is obvious.

I have all my personal data on a truecrypt partition.

The problem is simply that, sometimes, I have to mount such partition and open the files.

Without originality, if I want to buy something online I need to:
    1) mount the partition;
    2) open the credit card file in a text editor;
    3) read (or copy/paste) codes, passwords and all other information...

If my text editor is malicious and has access to the internet, it can send my information in the meantime...

Of course the bad text editor is an extreme example, I know, but it is just to explain my point.
Alternatively, we can think about a generic process...

There are tons of processes running in the background...
What if one of them is malicious and every day, from my PC, calls back home sending my data?

Last edited by zero-giulio (2013-01-31 14:10:38)


#4 2013-01-31 14:37:06

SanskritFritz
Member
From: Budapest, Hungary
Registered: 2009-01-08
Posts: 1,923

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

There are tons of processes running in the background...
What if one of them is malicious and every day, from my PC, calls back home sending my data?

That just means you don't know what is installed on your system. Install only programs that are open source, reviewed by thousands of peers, packaged by trustworthy people. Come on, you don't think a writer of a malicious program can't outsmart you? You alone want to fight against them? The best thing is not to touch anything suspicious and install things very carefully.


zʇıɹɟʇıɹʞsuɐs AUR || Cycling in Budapest with a helmet camera || Revised log levels proposal: "FYI" "WTF" and "OMG" (John Barnette)


#5 2013-01-31 15:53:43

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Re: Suggestion for setting a firewall according to my needs

These are all reasonable arguments, but...
Nothing new.
I obviously share your opinion. The key point is that I'd like a little more security.

Ok, encryption... (I already do that)
Ok, only trusted packages... (I already do that)

But what if I want more?

My point basically was: is there a way to monitor and limit the internet access of processes and programs in my system?
Anyone experienced in such field?

Last edited by zero-giulio (2013-01-31 15:55:03)


#6 2013-01-31 16:29:02

anonymous_user
Member
Registered: 2009-08-28
Posts: 3,059

Re: Suggestion for setting a firewall according to my needs

Unfortunately, I really cannot think of a firewall gui (for Linux) that will prompt for outbound connections on an app by app basis. You could deny all outbound traffic and then create individual rules for programs that need it. It would be tedious obviously.


#7 2013-01-31 17:03:39

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Re: Suggestion for setting a firewall according to my needs

On another forum people suggested Leopard Flower to me:

http://leopardflower.sourceforge.net/

The description is wonderful; it almost perfectly fits my needs.
(It prompts a graphical ALLOW / ALLOW ALWAYS / DENY / DENY ALWAYS every time an application wants to go online.)
Unfortunately it's a beta, but I think I will nevertheless give it a chance soon.

The interesting thing is that somebody already asked for that package on the AUR:

https://bbs.archlinux.org/viewtopic.php?id=150250


#8 2013-01-31 18:54:44

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

On another forum people suggested Leopard Flower to me:

http://leopardflower.sourceforge.net/

The description is wonderful; it almost perfectly fits my needs.
(It prompts a graphical ALLOW / ALLOW ALWAYS / DENY / DENY ALWAYS every time an application wants to go online.)
Unfortunately it's a beta, but I think I will nevertheless give it a chance soon.

The interesting thing is that somebody already asked for that package on the AUR:

https://bbs.archlinux.org/viewtopic.php?id=150250

I don't think you understand what you want. Nor do you seem to realize what a firewall is.

What kind of process are you trying to confine? Does it run as root or as a normal user? If it has root privileges, what stops it from punching a hole in your firewall? A malicious user-level process is usually easily traced with system tools, like ps and lsof. You can easily defend against it by having personal data gpg-encrypted (not luks/truecrypt -- you need a password every time you access data), or storing it under a different username.

If you seriously want to confine a task, use SELinux/AppArmor/Tomoyo/Grsecurity. AppArmor and Tomoyo are already included in the -ARCH kernel -- just build the tools from AUR. Look at LXC or KVM. Also check out QubesOS if you are really paranoid.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#9 2013-01-31 19:53:25

SanskritFritz
Member
From: Budapest, Hungary
Registered: 2009-01-08
Posts: 1,923

Re: Suggestion for setting a firewall according to my needs

nethogs gives you at least a monitoring solution.



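An added example (not the thread's code, nor nethogs'): a POSIX shell script that reads the same kernel table nethogs, ss and lsof use, /proc/net/tcp, decodes its hex addresses and maps each established socket to the PID holding it through the /proc/<pid>/fd symlinks, which is the "which process is talking to whom" view zero-giulio asked for. Function names are invented for the example, and the sample table at the bottom is a constructed copy of the kernel's format (with a documentation address as the peer) so the script can be exercised on a saved file without root.

```shell
#!/bin/sh
# Added example (not the thread's code): who owns each outbound connection?
# Reads a /proc/net/tcp-format table and maps ESTABLISHED sockets to PIDs.
# Function names are invented for this example; the sample table is constructed.

# Decode the kernel's little-endian hex "0100007F:1F90" into "127.0.0.1:8080".
decode_addr() {
    hex=${1%%:*}; port=${1##*:}
    o1=${hex#??????}                  # last two hex digits are the first octet
    t=${hex#????};  o2=${t%??}
    t=${hex#??};    o3=${t%????}
    o4=${hex%??????}
    printf '%d.%d.%d.%d:%d\n' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$port"
}

# Print "peer uid inode" for every socket in state 01 (ESTABLISHED).
# $1 is the table to read: /proc/net/tcp on a live system, or a saved copy.
established_sockets() {
    tail -n +2 "$1" | while read -r sl laddr raddr st q tr rt uid tmo inode rest; do
        [ "$st" = "01" ] || continue
        printf '%s %s %s\n' "$(decode_addr "$raddr")" "$uid" "$inode"
    done
}

# Map a socket inode to the PID(s) holding it by scanning /proc/*/fd symlinks.
pid_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "socket:[$1]" ] || continue
        p=${fd#/proc/}; printf '%s\n' "${p%%/*}"
    done | sort -u
}

# One line per established connection with owning user, pid and command name.
# Run as root to see every process's fds; unprivileged, you only see your own.
report_connections() {
    established_sockets "${1:-/proc/net/tcp}" | while read -r peer uid inode; do
        pids=$(pid_of_inode "$inode"); [ -n "$pids" ] || pids='?'
        for pid in $pids; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
            printf '%-22s uid=%-5s pid=%-6s %s\n' "$peer" "$uid" "$pid" "$comm"
        done
    done
}

# Constructed sample in the kernel's format: one listening socket (state 0A)
# and one established HTTPS connection from 10.0.0.15 to 203.0.113.10.
SAMPLE_TCP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:A3C2 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1'
```

Run `report_connections` as root on the live system (or `report_connections saved.txt` on a copy; the PID lookup only works live). It is a snapshot, not a prompt: a connection that opens and closes between two runs is missed, which is why a continuous view such as nethogs, or a firewall LOG rule, is the better monitoring tool.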

#10 2013-01-31 22:17:25

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

Leopard Flower

Yeah, without some third-party add-on which obviously ain't finished & available yet, iptables is very limited - e.g. we can't filter on an *app* level.

As Leonid.I said, you should also look at e.g. AppArmor, to lock down things like your web browser.


#11 2013-01-31 23:27:20

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Suggestion for setting a firewall according to my needs

You can use an integrity checking tool to be sure that no files on your system have been altered and that no new files exist.

I think AIDE is the easiest to use. It is what I use.
There is also OSSEC, but OSSEC does a lot more than just AIDE, which makes it more complicated.

https://wiki.archlinux.org/index.php/AIDE



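To make hunterthomson's suggestion concrete, here is an added example (not AIDE's code, not from the thread) of what an integrity checker does at its core: a baseline of one SHA-256 per file, and a later pass that reports files that changed, disappeared or appeared since. Function names are invented; it assumes sha256sum (coreutils) or shasum is installed and that the monitored paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not the thread's code, not AIDE): a minimal host integrity
# check in the style of AIDE. integrity_init records a SHA-256 per file under a
# directory; integrity_check re-hashes and reports CHANGED, MISSING and NEW
# files. Function names are invented for this example.

# Prefer coreutils sha256sum; fall back to shasum (BSD/macOS, Perl).
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo 'shasum -a 256'; fi
}

# integrity_init DIR BASELINE: write "hash  ./relative/path" lines, sorted.
# Keep BASELINE somewhere the monitored host cannot silently rewrite it
# (read-only media or another machine), or an intruder can re-baseline too.
integrity_init() {
    h=$(hash_cmd)
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while read -r f; do $h "$f"; done ) > "$2"
}

# integrity_check DIR BASELINE: print findings, return 1 if anything differs.
integrity_check() {
    now=$(mktemp)
    integrity_init "$1" "$now"
    findings=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        { seen[$2] = 1
          if (!($2 in base))        print "NEW      " $2
          else if (base[$2] != $1)  print "CHANGED  " $2 }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Baseline the directories you care about, e.g. `integrity_init /usr/bin /mnt/readonly/usr-bin.base`, and run `integrity_check /usr/bin /mnt/readonly/usr-bin.base` from cron; a non-zero exit means something differs. The check only means something if an intruder with root cannot rewrite the baseline and this script, so keep both on read-only or external media, and since every system update legitimately changes many files, re-baseline immediately after updating.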

#12 2013-02-01 02:27:25

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Suggestion for setting a firewall according to my needs

If you are worried about the security of your data, I can't understand why you are not worried about INPUT. In the case of OUTPUT, you at least know what is installed on your machine. Of course, some kind of attack from outside might simply wipe your drive but it might also read your files, install a keylogger, alter whichever binary is monitoring your outgoing connections, falsify your logs etc. etc. It makes no sense to think that only OUTPUT matters merely because your main concern is that your data not be stolen. INPUT is at least as important - probably much more so.

You seem to assume that if your machine were attacked from outside, you would (a) know and (b) know in time to pull the plug. I would not, personally, have your confidence.

Last edited by cfr (2013-02-01 02:29:00)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#13 2013-02-01 05:50:59

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Suggestion for setting a firewall according to my needs

You really should take a look at tomoyo (application firewalling) and the grsecurity patch set (kernel hardening). However, in general, if you have malicious code running on your computer, you should consider yourself compromised. The Linux desktop really needs "apps" (like android etc.) that run in containers with app specific permissions.

Also hunterthomson, personal firewalls are not essential. They are generally only useful when you want to make services available to some networks/hosts but not others (file sharing etc.). Just don't run services you don't need.

And don't bother with Leopard Flower. I assume that you would want to allow wget, curl etc. through the firewall and a malicious program could simply use one of these utilities. Tomoyo gets around this problem by using namespaces ("buggy-browser calls evil-script calls curl accesses internet" versus "user-shell calls curl access internet") but Leopard Flower doesn't appear to do this.


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com


#14 2013-02-01 09:24:57

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Re: Suggestion for setting a firewall according to my needs

First of all, thanks to everyone for the number of replies.

Then...

Leonid.I wrote:

If you seriously want to confine a task, use SELinux/AppArmor/Tomoyo/Grsecurity. AppArmor and Tomoyo are already included in the -ARCH kernel -- just build the tools from AUR. Look at LXC or KVM. Also check out QubesOS if you are really paranoid.

brebs wrote:

As Leonid.I said, you should also look at e.g. AppArmor, to lock down things like your web browser.

Stebalien wrote:

You really should take a look at tomoyo (application firewalling) and the grsecurity patch set (kernel hardening). However, in general, if you have malicious code running on your computer, you should consider yourself compromised. The Linux desktop really needs "apps" (like android etc.) that run in containers with app specific permissions.

Yes, Mandatory Access Control implementations are the first things I considered (Security page in the ArchWiki has direct links to them).

The main point is that I'd like (if possible, of course) an easier (point-and-click?) solution: MACs are very complex and I have no time/wish to understand their functioning (also, MACs perform a number of checks/controls/operations in the background which slow down computer performance... I really do not want all that stuff: my ONLY concern is the internet connection).

Stebalien wrote:

And don't bother with Leopard Flower. I assume that you would want to allow wget, curl etc. through the firewall and a malicious program could simply use one of these utilities. Tomoyo gets around this problem by using namespaces ("buggy-browser calls evil-script calls curl accesses internet" versus "user-shell calls curl access internet") but Leopard Flower doesn't appear to do this.

Of course men like me, who do not fully understand what runs under the hood of their system, will never be really secure.
It's quite obvious.

But at least one can use a personal firewall (Leopard Flower, TuxGuardian, etc...) for information: i.e., it's true that if I'm asked to enable wget to connect I'll eventually enable it, but the point is that I should be asked.

For example if gedit wants to connect to the internet (because, say, it wants to check for updates) and I'm asked to enable it to connect then I'll NEVER enable it (because I don't want a text editor to connect to the internet).

SanskritFritz wrote:

nethogs gives you at least a monitoring solution.

Thanks SanskritFritz, it seems interesting for my purpose.
I'll give it a look.

cfr wrote:

If you are worried about the security of your data, I can't understand why you are not worried about INPUT. In the case of OUTPUT, you at least know what is installed on your machine. Of course, some kind of attack from outside might simply wipe your drive but it might also read your files, install a keylogger, alter whichever binary is monitoring your outgoing connections, falsify your logs etc. etc. It makes no sense to think that only OUTPUT matters merely because your main concern is that your data not be stolen. INPUT is at least as important - probably much more so.

You seem to assume that if your machine were attacked from outside, you would (a) know and (b) know in time to pull the plug. I would not, personally, have your confidence.

Ok, you say: from INPUT a keylogger can come into my system which eventually alters my binaries, including the ones I use for my personal security, so that OUTPUT is no longer protected.

It seems reasonable, and demonstrates I am very superficial on this topic (and this is exactly the reason why I opened a topic: if I were an expert in such a field I'd have no need (or at least little need) of advice).

Nevertheless, I think a problem like a keylogger altering the binaries should be tackled with standard permissions (if the binaries are root's, it is sufficient not to grant the keylogger root privileges, isn't it?).

Last edited by zero-giulio (2013-02-01 09:28:20)


#15 2013-02-01 18:41:23

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

First of all, thanks to everyone for the number of replies.

Then...

Leonid.I wrote:

If you seriously want to confine a task, use SELinux/AppArmor/Tomoyo/Grsecurity. AppArmor and Tomoyo are already included in the -ARCH kernel -- just build the tools from AUR. Look at LXC or KVM. Also check out QubesOS if you are really paranoid.

brebs wrote:

As Leonid.I said, you should also look at e.g. AppArmor, to lock down things like your web browser.

Stebalien wrote:

You really should take a look at tomoyo (application firewalling) and the grsecurity patch set (kernel hardening). However, in general, if you have malicious code running on your computer, you should consider yourself compromised. The Linux desktop really needs "apps" (like android etc.) that run in containers with app specific permissions.

Yes, Mandatory Access Control implementations are the first things I considered (Security page in the ArchWiki has direct links to them).

The main point is that I'd like (if possible, of course) an easier (point-and-click?) solution: MACs are very complex and I have no time/wish to understand their functioning (also, MACs perform a number of checks/controls/operations in the background which slow down computer performance... I really do not want all that stuff: my ONLY concern is the internet connection).

Security is only easy in the Windows world... and even that is a myth.




#16 2013-02-02 00:10:37

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

Nevertheless, I think a problem like a keylogger altering the binaries should be tackled with standard permissions (if the binaries are root's, it is sufficient not to grant the keylogger root privileges, isn't it?).

If software is being installed without your knowledge because you have been successfully attacked, root is already compromised. But all an attacker needs is to read your files if that is the concern.

A keylogger won't alter your binaries. (Well, that's not the main point.) It logs what you type whether that is passwords, credit card information or state secrets.

Look, if an attacker has access to your system, your system is compromised. There is no limiting the damage using permissions etc.

Of course, the fact that you run as an unprivileged user will limit your vulnerability. But if you are concerned about what the software on your machine might be doing, then you are already worried that your system has been compromised. If you are worried that gedit might be sending data over the internet, then you may equally worry that gedit may hide a keylogger which will record your root password and send that along with the rest of your personal data. Or that gedit may respond to connections from the net wanting to read your personal files.

Of course, there is a difference between worrying about what clearly vulnerable software might do, e.g. a web browser which by its very nature sends stuff out, and software which is less so, e.g. a text editor which should not be doing so. But that, too, requires you to know what is running on your machine and why. There are very good reasons not to run a web browser as root, for example, for just this sort of reason. If you wanted to, you could run your web browser as a completely different user and ensure that that user lacks access to your usual home directory.

I'm not saying any of this is stuff you should be worried about. But if you are going to worry, worrying about the OUTPUT chains rather than the INPUT chains just seems bizarre. After all, you control what is running on your machine. You do not control whatever is trying to connect to or compromise your machine from the internet. I take it you are running no services and that should be sufficient but blocking unwanted INPUT adds another layer of security. So if a service which should not respond to stuff contains a security flaw, a firewall may nonetheless block stuff from outside exploiting that flaw. This is all "may", of course. There are no guarantees. Of course, if you plan to run any services which will be accessible from outside, then things are different and the need for a firewall may be greater although the need to secure the services would still be the crucial thing.



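As an added example (not code from the thread, nor arno-iptables-firewall output), here is what anonymous_user's "deny all outbound, then allow the few programs that need it" looks like in iptables, combined with cfr's point about running the browser as a completely different user: netfilter's owner match can only tell processes apart by UID, so the allowed program has to run under its own account. The ruleset drops unsolicited INPUT, since no services are offered, and logs and rejects every new outbound connection that does not come from an allowed UID. The UIDs and the `browser` account in the usage note are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not arno-iptables-firewall): an
# iptables-restore ruleset that drops unsolicited INPUT (no services offered)
# and drops OUTPUT by default, letting only processes that run as the UIDs
# given on the command line open connections. All UIDs are placeholders.
#
# The owner match is per *user*, not per binary: anything running as an allowed
# UID (including a curl spawned by it) gets through, and anything else,
# including root's pacman, is logged and rejected until it gets its own rule.
# That is why the allowed program is expected to run as its own account.

# build_ruleset UID... -> print the ruleset (iptables-restore format) on stdout
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: loopback and replies to our own connections only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 1/sec --limit-burst 5 -j LOG --log-prefix "FW:Dropped INPUT: "
# OUTPUT: loopback, existing flows, then the explicitly allowed users
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for uid in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# every other new connection attempt is logged, then refused immediately
-A OUTPUT -m limit --limit 1/sec --limit-burst 5 -j LOG --log-prefix "FW:Dropped OUTPUT: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# apply_ruleset UID... -> syntax-check the ruleset, then load it atomically (needs root)
apply_ruleset() {
    build_ruleset "$@" | iptables-restore --test || return 1
    build_ruleset "$@" | iptables-restore
}
```

On a system where the browser runs as a dedicated account (`useradd -m browser`, started with `sudo -u browser firefox` after an `xhost +SI:localuser:browser` on X11), `apply_ruleset $(id -u browser)` loads the rules; root's own traffic (pacman, NTP) is blocked until you add its UID too, which is the point: nothing talks unless you said so. Refused attempts appear in the kernel log (`journalctl -k` or `dmesg`) with the `FW:Dropped OUTPUT:` prefix, so a text editor trying to phone home is at least visible, if not prompted for. The caveat Stebalien raised still applies: anything running as an allowed user, including a curl it spawns, gets through.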

#17 2013-02-02 13:33:11

zero-giulio
Member
Registered: 2010-01-23
Posts: 70

Re: Suggestion for setting a firewall according to my needs

cfr wrote:

If software is being installed without your knowledge because you have been successfully attacked, root is already compromised. But all an attacker needs is to read your files if that is the concern.

A keylogger won't alter your binaries. (Well, that's not the main point.) It logs what you type whether that is passwords, credit card information or state secrets.

Look, if an attacker has access to your system, your system is compromised. There is no limiting the damage using permissions etc.

Of course, the fact that you run as an unprivileged user will limit your vulnerability. But if you are concerned about what the software on your machine might be doing, then you are already worried that your system has been compromised. If you are worried that gedit might be sending data over the internet, then you may equally worry that gedit may hide a keylogger which will record your root password and send that along with the rest of your personal data. Or that gedit may respond to connections from the net wanting to read your personal files.

Of course, there is a difference between worrying about what clearly vulnerable software might do, e.g. a web browser which by its very nature sends stuff out, and software which is less so, e.g. a text editor which should not be doing so. But that, too, requires you to know what is running on your machine and why. There are very good reasons not to run a web browser as root, for example, for just this sort of reason. If you wanted to, you could run your web browser as a completely different user and ensure that that user lacks access to your usual home directory.

I'm not saying any of this is stuff you should be worried about. But if you are going to worry, worrying about the OUTPUT chains rather than the INPUT chains just seems bizarre. After all, you control what is running on your machine. You do not control whatever is trying to connect to or compromise your machine from the internet. I take it you are running no services and that should be sufficient but blocking unwanted INPUT adds another layer of security. So if a service which should not respond to stuff contains a security flaw, a firewall may nonetheless block stuff from outside exploiting that flaw. This is all "may", of course. There are no guarantees. Of course, if you plan to run any services which will be accessible from outside, then things are different and the need for a firewall may be greater although the need to secure the services would still be the crucial thing.

Thanks cfr.
Clearly you're right.

Leonid.I wrote:

Security is only easy in the Windows world... and even that is a myth.

Yes, and (as you may expect) I come from that world. I was used to software like Comodo (its Defense is very close to a MAC in Linux) which monitors apps' connections individually and prompts at each request.
And, of course, in Windows you are never completely protected.

For the moment I've decided to stick with Leopard Flower and TuxGuardian, and to give a chance to AIDE, as hunterthomson suggested, together with the useful nethogs (which I have already installed).
Maybe together with Firestarter, which is a pretty standard firewall with some interesting monitoring features.

But of course, any other advice is very welcome :-)


#18 2013-02-02 14:40:16

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Suggestion for setting a firewall according to my needs

zero-giulio wrote:

For the moment I've decided to stick with Leopard Flower and TuxGuardian, and to give a chance to AIDE, as hunterthomson suggested, together with the useful nethogs (which I have already installed).
Maybe together with Firestarter, which is a pretty standard firewall with some interesting monitoring features.

But of course, any other advice is very welcome :-)

Great that you started to decide.

The problem with your choice of Leopard Flower and TuxGuardian is that both developments have stalled a bit lately. Linux networking security has a history of neglecting the application level (OSI 7) for port-based network control, as also put forward by brebs early in your thread. The reasons for that are manifold and embedded in the OSS philosophy of sharing (the network exists to share information/services, re-use of code is efficient sharing also - also security-wise). Yet that leads too far here.

Having followed your thread: for network usage, in my view you should rather follow the way of investing that time in (1) observing network logs and traffic (you started that), (2) then testing what happens when you restrict the OUTPUT policy - according to your networking needs, and don't forget (3) to take care of interactive network usage (e.g. decide on the level of browser sandboxing, as suggested above).

For continuous system integrity hunterthomson's suggestion of (4) AIDE surely is great. But I predict you will also find it to be a pita to run, because a rolling distribution changes a lot. So you not only have to cron it, but also be disciplined to use it on every system update... plan ahead for that. According to your info in the above thread, (4) may obsolete (2) in your use case perhaps.


#19 2013-02-03 01:18:16

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Suggestion for setting a firewall according to my needs

Stebalien wrote:

Also hunterthomson, personal firewalls are not essential. They are generally only useful when you want to make services available to some networks/hosts but not others (file sharing etc.). Just don't run services you don't need.

No. First of all, basically every Linux desktop is running network services that they would not want exposed to the network. So right there you need a firewall to block access to them and to any services that you may not even realize are running.

Second, iptables/netfilter in Linux is not a Layer 2/3 firewall, it is a Layer 4 firewall. Think of it more as an IPS. It will do logging, rate limiting, and network attack signature blocking. Like, I have SSHD running on my laptop. However, if someone tries to make more than 4 connection attempts in 60 secs or 10 in 1800 secs the traffic is dropped and the event is logged. So while I do want to allow access to SSHD the "firewall" is still protecting the service.

Here are my iptables firewall rules on my laptop that were created with arno-iptables-firewall:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1017K  779M BASE_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 HOST_BLOCK_SRC  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 VALID_CHK  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_INPUT_CHAIN !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 EXT_INPUT_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 VALID_CHK  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_INPUT_CHAIN !icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 EXT_INPUT_CHAIN  icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 INT_INPUT_CHAIN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_INPUT_CHAIN  all  --  br1    *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_INPUT_CHAIN  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_INPUT_CHAIN  all  --  ppp1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_INPUT_CHAIN  all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_INPUT_CHAIN  all  --  usb1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 BASE_FORWARD_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 FORWARD_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 HOST_BLOCK_SRC  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 HOST_BLOCK_DST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_FORWARD_IN_CHAIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_FORWARD_OUT_CHAIN  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_FORWARD_IN_CHAIN  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_FORWARD_OUT_CHAIN  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      br0     0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  br1    *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      br1     0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  ppp1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      ppp1    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  usb0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_IN_CHAIN  all  --  usb1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 INT_FORWARD_OUT_CHAIN  all  --  *      usb1    0.0.0.0/0            0.0.0.0/0           
    0     0 SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  br0    wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  br1    eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  br1    wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp0   ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  ppp0   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  ppp0   wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  ppp1   ppp1    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  ppp1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  ppp1   wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  usb0   usb0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  usb0   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  usb0   wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  usb1   usb1    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  usb1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LAN_INET_FORWARD_CHAIN  all  --  usb1   wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 POST_FORWARD_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 3 LOG flags 0 level 6 prefix "AIF:Dropped FORWARD packet: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 686K   59M BASE_OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  361 21660 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  395 26821 OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  395 26821 HOST_BLOCK_DST  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Fragment packet: "
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
  395 26821 EXT_OUTPUT_CHAIN  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 EXT_OUTPUT_CHAIN  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      br0     0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      br1     0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      ppp1    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      usb0    0.0.0.0/0            0.0.0.0/0           
    0     0 INT_OUTPUT_CHAIN  all  --  *      usb1    0.0.0.0/0            0.0.0.0/0           
  395 26821 POST_OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  395 26821 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BASE_FORWARD_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED tcp dpts:1024:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED udp dpts:1024:65535
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain BASE_INPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1016K  779M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED tcp dpts:1024:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED udp dpts:1024:65535
   80 37612 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
  515 36728 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain BASE_OUTPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 685K   59M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
  534 39204 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain DMZ_FORWARD_IN_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_FORWARD_OUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_INET_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_INPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_OUTPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain EXT_BROADCAST_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV TCP broadcast: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV UDP broadcast: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV TCP broadcast: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV UDP broadcast: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_FORWARD_IN_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_FORWARD_OUT_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain EXT_ICMP_FLOOD_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-unreachable flood: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-time-exceeded fld: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-param-problem fld: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-request(ping) fld: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-reply(pong) flood: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-source-quench fld: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP(other) flood: "
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_INPUT_CHAIN (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SSH_CHK    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix "AIF:Port 0 OS fingerprint: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix "AIF:Port 0 OS fingerprint: "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:0
    0     0 POST_INPUT_DROP_CHAIN  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:0
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix "AIF:TCP source port 0: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix "AIF:UDP source port 0: "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:0
    0     0 POST_INPUT_DROP_CHAIN  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth scan? (UNPRIV): "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth scan? (PRIV): "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 EXT_BROADCAST_CHAIN  all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 EXT_MULTICAST_CHAIN  all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV TCP packet: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV UDP packet: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV TCP packet: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV UDP packet: "
    0     0 LOG        2    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 5 LOG flags 0 level 6 prefix "AIF:IGMP packet: "
    0     0 POST_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-request: "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-other: "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_INPUT_DROP_CHAIN  udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_INPUT_DROP_CHAIN  2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_INPUT_DROP_CHAIN  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 5 LOG flags 0 level 6 prefix "AIF:Other connect: "
    0     0 POST_INPUT_DROP_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_MULTICAST_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV TCP multicast: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:PRIV UDP multicast: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV TCP multicast: "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1024 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix "AIF:UNPRIV UDP multicast: "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-multicast-request: "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-multicast-other: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_OUTPUT_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain HOST_BLOCK_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 1 LOG flags 0 level 6 prefix "AIF:Blocked host(s): "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain HOST_BLOCK_DST (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain HOST_BLOCK_SRC (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INET_DMZ_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INT_FORWARD_IN_CHAIN (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INT_FORWARD_OUT_CHAIN (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INT_INPUT_CHAIN (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 20/sec burst 100
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-request: "
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INT_OUTPUT_CHAIN (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LAN_INET_FORWARD_CHAIN (12 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 20/sec burst 100
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:ICMP-request: "
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_FORWARD_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_INPUT_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_INPUT_DROP_CHAIN (28 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_OUTPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain RESERVED_NET_CHK (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SPOOF_CHK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  br0    *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  br1    *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  ppp0   *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  ppp1   *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  usb0   *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  usb1   *       10.1.3.0/24          0.0.0.0/0           
    0     0 LOG        all  --  *      *       10.1.3.0/24          0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Spoofed packet: "
    0     0 POST_INPUT_DROP_CHAIN  all  --  *      *       10.1.3.0/24          0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SSH_CHK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: sshchk side: source mask: 255.255.255.255
    0     0 SSH_LOG_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 hit_count: 4 name: sshchk side: source mask: 255.255.255.255
    0     0 SSH_LOG_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 1800 hit_count: 10 name: sshchk side: source mask: 255.255.255.255

Chain SSH_LOG_DROP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 1 LOG flags 0 level 6 prefix "AIF:SSH Brute force attack?: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain VALID_CHK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth XMAS scan: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth XMAS-PSH scan: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth XMAS-ALL scan: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth FIN scan: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth SYN/RST scan: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth SYN/FIN scan?: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "AIF:Stealth Null scan: "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp option=64 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:Bad TCP flag(64): "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp option=128 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix "AIF:Bad TCP flag(128): "
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp option=64
    0     0 POST_INPUT_DROP_CHAIN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp option=128
    0     0 POST_INPUT_DROP_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 1 LOG flags 0 level 4 prefix "AIF:Fragment packet: "
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           

zero-giulio, sounds like you're on the right track. Just do what you feel comfortable doing. There is always more to learn. However, you need to open your mind. There is a lot more to the picture than just what program is sending information to the Internet. In order to make sure that gedit is not leaking information you need to protect everything on your computer. What good is gedit security if your kernel is cracked?

Last edited by hunterthomson (2013-02-03 01:28:53)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

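A point worth checking in the listing above before adopting it: OUTPUT has policy DROP, but read top to bottom the chain ends in an unconditional ACCEPT, so every new outbound connection from every process is allowed, and no rule anywhere in the table looks at which program sent the packet. The hook chains that Arno's firewall leaves empty (OUTPUT_CHAIN, POST_OUTPUT_CHAIN, ...) are where a local rule would go. What follows is an added example, not code from this thread or from Arno's Iptables Firewall: it parses a saved `iptables -L -v -n` listing and reports the effective OUTPUT verdict, the empty hook chains, and whether any rule uses the iptables owner match (filtering by the sending UID/GID, which is the closest plain iptables gets to the per-program control asked for in the first post). POSTED is trimmed from the listing above; HARDENED and its GID 1001 are constructed for contrast.

```python
"""Audit a saved `iptables -L -v -n` listing: what does OUTPUT really do?
Added example for this thread, not code from the original posts or from
Arno's Iptables Firewall. POSTED is trimmed from the listing above; HARDENED
is constructed to show how an owner match renders in the same format."""
import re
from collections import namedtuple
from typing import Dict, List, Optional

Rule = namedtuple("Rule", "pkts nbytes target prot opt in_if out_if src dst extra")
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "gre", "sctp"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
OWNER_RE = re.compile(r"\bowner (?:UID|GID) match\b")
MULT = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(tok: str) -> int:  # -v abbreviates counters: 686K, 59M
    return int(tok[:-1]) * MULT[tok[-1]] if tok[-1] in MULT else int(tok)


def parse_listing(text: str) -> Dict[str, dict]:
    """chain name -> {"policy": str (built-in) or None (user chain), "rules": [Rule]}"""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        if cur is None or not f or f[0] == "pkts":
            continue
        # An empty target column (a bare `recent --set`, as in SSH_CHK above)
        # vanishes on split(), so the protocol lands where the target should be.
        if f[2] in PROTOS or f[2].isdigit():
            f.insert(2, "")
        cur["rules"].append(Rule(parse_count(f[0]), parse_count(f[1]),
                                 *f[2:9], " ".join(f[9:])))
    return chains


def unconditional(r: Rule) -> bool:  # every packet reaching the rule matches it
    return (r.prot == "all" and r.opt == "--" and r.in_if == r.out_if == "*"
            and r.src == r.dst == "0.0.0.0/0" and r.extra == "")


def effective_policy(chains: dict, name: str, depth: int = 0) -> Optional[str]:
    """First unconditional ACCEPT/DROP/REJECT wins, unconditional jumps are
    followed; None means a user chain fell through (or RETURNed) to its caller."""
    for r in chains[name]["rules"]:
        if not unconditional(r):
            continue
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.target == "RETURN":
            break
        if r.target in chains and depth < 32:
            verdict = effective_policy(chains, r.target, depth + 1)
            if verdict is not None:
                return verdict
    return chains[name]["policy"]


def empty_hooks(chains: dict, root: str) -> List[str]:
    """Empty user chains jumped to unconditionally from root: where a locally
    added rule (an owner match, say) would take effect."""
    return [r.target for r in chains[root]["rules"] if unconditional(r)
            and r.target in chains and not chains[r.target]["rules"]]


def has_owner_match(chains: dict) -> bool:  # any rule keyed on the sender's UID/GID?
    return any(OWNER_RE.search(r.extra) for c in chains.values() for r in c["rules"])


POSTED = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 686K   59M BASE_OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  395 26821 OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
  395 26821 POST_OUTPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  395 26821 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain BASE_OUTPUT_CHAIN (1 references)
 685K   59M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
Chain OUTPUT_CHAIN (1 references)
Chain POST_OUTPUT_CHAIN (1 references)
Chain SSH_CHK (1 references)
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: sshchk side: source mask: 255.255.255.255
    0     0 SSH_LOG_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 60 hit_count: 4 name: sshchk side: source mask: 255.255.255.255
"""
# Constructed: only an assumed group GID 1001 may open new outbound connections.
HARDENED = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1001
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "egress-denied: "
"""

if __name__ == "__main__":
    c = parse_listing(POSTED)
    print(effective_policy(c, "OUTPUT"), has_owner_match(c), empty_hooks(c, "OUTPUT"))
```

On the posted listing this reports ACCEPT, no owner match, and the empty OUTPUT_CHAIN/POST_OUTPUT_CHAIN hooks; on the constructed HARDENED chain it reports DROP with an owner match present. The owner match is per UID/GID, not per binary, so the practical way to use it for the OP's case is to run the few programs that may reach the network under a dedicated group and accept only that group in OUTPUT.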

#20 2013-02-03 05:26:11

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Suggestion for setting a firewall according to my needs

hunterthomson wrote:

First of all basically every Linux Desktop is running network services that they would not want exposed to the network.

By default, neither Ubuntu nor Arch run network facing services. Right now, I'm only running sshd, on a high port, with key-based authentication. If you are running network facing services and don't want them exposed to the network, you either shouldn't be running them or they should be listening on localhost. However, your rate-limiting point is valid if you are using password based authentication for ssh or are worried about someone DOSing one of your services.

$ ss -l not src 127.0.0.1
State      Recv-Q Send-Q         Local Address:Port             Peer Address:Port
LISTEN     0      128                       :::myssh                      :::*

Last edited by Stebalien (2013-02-03 05:29:37)


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com

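One caveat on the `ss -l not src 127.0.0.1` check above: that filter excludes only the IPv4 loopback address, so a service bound to `[::1]` still appears, while `*:port`, `0.0.0.0:port` and `[::]:port` listeners are reachable on every interface (an IPv6 wildcard usually also accepts IPv4 unless bindv6only is set). The following is an added example, not code from this thread: it parses `ss -Hlntu`-style output and classifies each listener by its bind address, handling both loopback families, IPv4-mapped addresses, `%iface` scope suffixes, and the older header-less layout shown in the post. The sample output is constructed.

```python
"""Which listening sockets are reachable from the network?

Added example for this thread, not code from the original posts. It parses
`ss -Hlntu`-style output (SAMPLE is constructed) and classifies each listener
by bind address, so loopback-only services are separated from exposed ones on
both IPv4 and IPv6.
"""
import ipaddress
from collections import namedtuple
from typing import List

Listener = namedtuple("Listener", "netid state addr port scope")
STATES = {"LISTEN", "UNCONN"}


def classify(addr: str) -> str:
    """loopback / all-interfaces / specific-address / unknown for a bind address
    as ss prints it: 127.0.0.1, *, 0.0.0.0, [::], [::1], [::ffff:127.0.0.1],
    optionally with a %iface scope suffix."""
    a = addr.strip("[]").split("%", 1)[0]
    if a in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(a)
    except ValueError:
        return "unknown"
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return "loopback" if ip.is_loopback else "specific-address"


def parse_ss(text: str) -> List[Listener]:
    """Handle both layouts: with a leading Netid column (ss -t/-u) and without
    (plain `ss -l`, as in the post above). Ports may be service names, so they
    stay strings. Unix sockets have no host:port and are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] in ("Netid", "State"):
            continue
        if f[0] in STATES:
            netid, state, local = "?", f[0], f[3]
        else:
            netid, state, local = f[0], f[1], f[4]
        if ":" not in local:
            continue
        addr, port = local.rsplit(":", 1)
        out.append(Listener(netid, state, addr, port, classify(addr)))
    return out


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Everything not bound to a loopback address."""
    return [s for s in listeners if s.scope != "loopback"]


# Constructed sample, not output from the poster's machine; the last line
# deliberately uses the older header-less layout from the post above.
SAMPLE = """\
Netid State  Recv-Q Send-Q          Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128                 127.0.0.1:631         0.0.0.0:*
tcp   LISTEN 0      128                   0.0.0.0:5900        0.0.0.0:*
tcp   LISTEN 0      4096                    [::1]:25             [::]:*
tcp   LISTEN 0      128                      [::]:22             [::]:*
tcp   LISTEN 0      128        [::ffff:127.0.0.1]:3306           [::]:*
udp   UNCONN 0      0                     0.0.0.0:5353        0.0.0.0:*
udp   UNCONN 0      0          192.168.1.10%wlan0:68          0.0.0.0:*
LISTEN 0      128                       :::myssh                      :::*
"""

if __name__ == "__main__":
    for s in exposed(parse_ss(SAMPLE)):
        print(f"{s.netid:4} {s.addr}:{s.port:<6} {s.scope}")
```

Run it against real output with `ss -Hlntu | python3 thisfile.py`-style piping after swapping SAMPLE for stdin; the useful result is the exposed list, which is what an INPUT policy has to account for. Note that `[::ffff:127.0.0.1]:3306` is correctly treated as loopback and `[::1]:25` is not reported, while `[::]:22` is.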

#21 2013-02-03 23:41:14

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Suggestion for setting a firewall according to my needs

Stebalien wrote:
hunterthomson wrote:

First of all basically every Linux Desktop is running network services that they would not want exposed to the network.

By default, neither Ubuntu nor Arch run network facing services. Right now, I'm only running sshd, on a high port, with key-based authentication. If you are running network facing services and don't want them exposed to the network, you either shouldn't be running them or they should be listening on localhost. However, your rate-limiting point is valid if you are using password based authentication for ssh or are worried about someone DOSing one of your services.

$ ss -l not src 127.0.0.1
State      Recv-Q Send-Q         Local Address:Port             Peer Address:Port
LISTEN     0      128                       :::myssh                      :::*

Sure, I guess that it will protect you from services being run that you are unaware of; mistakes happen. Ya, basically I feel so strongly about it because it provides logging and tracking on Layer 4, so it is very useful even on a laptop. Plus, it is easy enough to configure, so why not have one.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
