
#1 2006-05-12 11:53:17

zaozao
Member
Registered: 2006-05-12
Posts: 36

Is more security needed with no default gateway?

Hi!


I have a base-only Arch installation for running one Linux-compatible application on it. I wonder about two questions.


Do I need to configure security through the iptables command, or is it unnecessary as I have no default gateway and have routes added for two subnets?

If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need a short instruction.

Thank you!


#2 2006-05-12 12:39:50

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029

Re: Is more security needed with no default gateway?

zaozao wrote:

Do I need to configure security through the iptables command, or is it unnecessary as I have no default gateway and have routes added for two subnets?

The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.

zaozao wrote:

If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need a short instruction.

Search the Wiki. Here's a link on how to set up a simple stateful firewall.


A bus station is where a bus stops.
A train station is where a train stops.
On my desk I have a workstation.


#3 2006-05-12 13:12:39

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Is more security needed with no default gateway?

If your system is connected to a network (LAN) and has NO OPEN ports via services, in other words: you are not running a mail service or Apache server, then just enter "ALL:ALL" in /etc/hosts.deny and that's all you need.

If you want to have ssh access to that box you can add the IP address of the machine you want to allow to connect to that box in /etc/hosts.allow, but if you want to "push" the boundaries any further I would add a firewall via IPTABLES.

Hope this helps.

Rick


#4 2006-05-12 15:02:35

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Is more security needed with no default gateway?

zaozao wrote:

Do I need to configure security through the iptables command, or is it unnecessary as I have no default gateway and have routes added for two subnets?

If you consider those two subnets trusted, you do not have to add anything. The first rule of security still applies: Install and run only the services you really need. If the only service running is sshd, you are already secure enough.

If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need a short instruction.

You have to install iptables via pacman.


#5 2006-05-14 11:26:25

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

brain0 wrote:

If the only service running is sshd, you are already secure enough.

What do you mean by "sshd"?

brain0 wrote:

You have to install iptables via pacman.

Do I have to download some additional package containing iptables to install with pacman, or is iptables included in the Arch base installation?


#6 2006-05-14 11:33:33

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

ralvez wrote:

If your system is connected to a network (LAN) and has NO OPEN ports via services, in other words: you are not running a mail service or Apache server, then just enter "ALL:ALL" in /etc/hosts.deny and that's all you need.

My system is connected to the Internet directly. I have forwarded one TCP and one UDP port. My DSL modem does not allow me to prevent inbound traffic with its firewall (it is not possible to forward ports for specific IP addresses/subnets; ports are always open to all IPs for inbound traffic). This is the reason I removed the default gateway in Arch and added the two needed subnets (it really helped me. My system was overloaded with unwanted traffic. Now the unwanted traffic flow is stopped).

ralvez wrote:

If you want to have ssh access to that box you can add the IP address of the machine you want to allow to connect to that box in /etc/hosts.allow

What do you mean by "ssh access to that box"?

ralvez wrote:

but if you want to "push" the boundaries any further I would add a firewall via IPTABLES

Yes, I want as much security as possible, but do I need it in my case? (I do not know.)


#7 2006-05-14 11:37:44

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

FUBAR wrote:

The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.

Do you mean the trick I use is not the best I can do in my situation?

Is there a complete Help File for Arch with a topic tree, a search option and tips? (I do not need tips about what I can do in Arch. I need tips about exactly how I must do things in a particular situation.)

Thank you all for your attention!


#8 2006-05-14 11:43:47

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Is more security needed with no default gateway?

zaozao wrote:
FUBAR wrote:

The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.

Do you mean the trick I use is not the best I can do in my situation?

Is there a complete Help File for Arch with a topic tree, a search option and tips? (I do not need tips about what I can do in Arch. I need tips about exactly how I must do things in a particular situation.)

That's exactly what the wiki is for:
http://wiki.archlinux.org/index.php/Category:HowTos


#9 2006-05-14 15:53:48

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

iphitus wrote:

That's exactly what the wiki is for:
http://wiki.archlinux.org/index.php/Category:HowTos

May I download it to my PC as one file?


Thank you!


#10 2006-05-14 18:19:38

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Is more security needed with no default gateway?

zaozao,
In response to your questions:
If your system is connected to the Internet, you are connected to a network, one that is (in my opinion) far more dangerous than a LAN. Having said that, my statements still apply: If you have no services running there is very little anyone can do to "get to you".
The best way to confirm the status of your server in relation to the "rest of the world" is to use 'nmap' or a service like this https://www.grc.com/x/ne.dll?rh1dkyd2 which is free but very good to assess your security level.

In security the first rule is "If you are unsure block it ... there is time to open it later if you realize you need it", so in that spirit you may as well use a firewall like "firestarter" (pacman -Sy firestarter) and from there on you KNOW that your workstation is secure.
Hope this helps.

Rick

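ralvez's point that a host with no listening services has little for a firewall to do can be verified on the host itself before reaching for nmap or an external scanner. The script below is an added example for this thread, not code written by any poster: it parses `ss -lntu` style output, reports the sockets bound to a wildcard address (0.0.0.0 or [::]), which are the ones reachable from the two routed subnets rather than from loopback only, and then flags any that are not in an allow list of services the operator expects. The output embedded in SAMPLE_SS is constructed for the example; on a live host, pass it `"$(ss -lntu)"` instead.

```shell
#!/bin/sh
# Added example: find listeners reachable from the network and compare them
# against the services the operator meant to expose.

# Constructed sample in the column layout of `ss -lntu` (not from a real host).
# Ports 22 and 5000 (tcp) and 5001 and 111 (udp) listen on all interfaces;
# 631/tcp is bound to loopback only and is therefore not reachable remotely.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:5000        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5001        0.0.0.0:*
udp   UNCONN 0      0      [::]:111            [::]:*'

# Print "proto port" for every socket whose local address is a wildcard
# (0.0.0.0, [::] or *), skipping the header line. The port is the text after
# the last ':' so IPv6 addresses are handled too.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        if ($5 ~ /^(0\.0\.0\.0|\[::\]|\*):/) print $1, port
    }'
}

# Print "proto/port" for each wildcard listener that is absent from the
# allow list in $2, a space-separated list such as "tcp/5000 udp/5001".
unexpected_listeners() {
    allowed=" $2 "
    wildcard_listeners "$1" | while read -r proto port; do
        case "$allowed" in
            *" $proto/$port "*) ;;          # expected, say nothing
            *) echo "$proto/$port" ;;       # exposed but unaccounted for
        esac
    done
}

# Stand-alone run against the sample: the two forwarded ports are expected,
# sshd and rpcbind on 111/udp are reported as exposed but unaccounted for.
echo "Listening on all interfaces but not in the allow list:"
unexpected_listeners "$SAMPLE_SS" "tcp/5000 udp/5001"
```

Anything the script reports is either a service to shut down (the "run only what you need" rule brain0 gives above) or a port that needs a deliberate firewall rule; a loopback-only listener such as 631/tcp in the sample is not reachable from the subnets and does not appear.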

#11 2006-05-15 09:55:11

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

Thank you for resources listed.

As I cannot say exactly that the two needed subnets are trusted at all, I guess I need a firewall.
I think it is possible to set rules to allow packets from the forwarded ports only for the application (service) that listens on those ports and to prevent packets from going to other services in the system through those forwarded ports. Am I thinking right?
I will find out.

Please tell me, if I want to use iptables, do I need to download some additional package as I have only the Arch base installation? If so, what is the link for the package?

Thank you!
Thank you for your attention!

And one Help File for Arch available for downloading is much needed!

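FUBAR's pointer to the wiki's stateful firewall page, ralvez's suggestion of admitting SSH from one address only, and zaozao's question in the post above about letting packets on the forwarded ports reach only the service that listens on them all come down to one small ruleset. The script below is an added example for this thread, not code from any poster or from the Arch wiki: it emits an iptables-restore ruleset with a default-DROP INPUT policy that admits loopback, replies to connections the host opened, the two forwarded ports, and SSH from a single management address. The ports 5000/tcp and 5001/udp and the address 192.0.2.10 are constructed placeholders; substitute the real forwarded ports and the address you administer from. Unlike "ALL:ALL" in /etc/hosts.deny, which only governs daemons that consult TCP wrappers, these rules apply to every socket on the host.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a directly connected
# host that exposes two forwarded ports and accepts SSH from one address only.

TCP_PORT=5000          # constructed placeholder for the forwarded TCP port
UDP_PORT=5001          # constructed placeholder for the forwarded UDP port
ADMIN_IP=192.0.2.10    # constructed placeholder (TEST-NET-1) for the SSH client

# Emit the ruleset on stdout. INPUT and FORWARD default to DROP, so anything
# not matched by an ACCEPT below is refused; OUTPUT stays open so the host can
# still reach its own subnets. Lines starting with '#' are ignored by
# iptables-restore.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping so the host stays diagnosable from the subnets
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# the two forwarded ports; only the process bound to each port receives them
-A INPUT -p tcp --dport $TCP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport $UDP_PORT -j ACCEPT
# sshd reachable from the management address only
-A INPUT -p tcp -s $ADMIN_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# log (rate limited) what the DROP policy is about to refuse
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Stand-alone use: print the ruleset so it can be redirected to a file.
gen_ruleset
```

Redirect the output to a file, load it as root with `iptables-restore < file`, and confirm the result with `iptables -L -v -n`; on Arch the iptables package's service loads /etc/iptables/iptables.rules at boot. On the question of binding rules to an application: iptables matches on port, not on process, but a `--dport` rule only delivers packets to whichever process has bound that port, which is the forwarded service itself, so the gain from the ruleset is that every other port, including sshd from any address other than ADMIN_IP, is refused.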

#12 2006-05-15 12:34:36

FUBAR
Member
From: Belgium
Registered: 2004-12-08
Posts: 1,029

Re: Is more security needed with no default gateway?

zaozao wrote:

And one Help File for Arch available for downloading is much needed!

wget -r -np http://wiki.archlinux.org



#13 2006-05-15 12:41:50

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

Please, someone tell me where I can download the package containing iptables (I do not want a big file download, only the minimum).

And in which directory do I have to put the package to install it with pacman -Sy iptables?


I do not want to connect my Arch base installation to the whole Internet; I want to download the package with Windows and then get it into Arch through a CD or my own WEB.



Thank you!


#14 2006-05-15 12:52:24

zaozao
Member
Registered: 2006-05-12
Posts: 36

Re: Is more security needed with no default gateway?

FUBAR wrote:
zaozao wrote:

And one Help File for Arch available for downloading is much needed!

wget -r -np http://wiki.archlinux.org

What is the file name at http://wiki.archlinux.org? (I want to download it with Windows.)


Thank you!


#15 2006-05-19 01:20:13

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Is more security needed with no default gateway?

Sorry zaozao, I've been away for a few days.
Yes, you can download iptables with pacman -Sy iptables,
but I think that if you do pacman -Sy firestarter it will automatically install iptables for you along with the firewall software.

Hope this helps.
Rick


#16 2006-05-19 11:00:09

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: Is more security needed with no default gateway?

He's got a base installation with no internet access, so pacman -S won't help. It's already answered here.


1000


#17 2006-05-19 11:18:03

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Is more security needed with no default gateway?

byte, I do not think he has no Internet access, because in part of his original post he says:

My system is connected to Internet directly. I have forwarded one TCP and one UDP port. My DSL modem does not allow me to prevent inbound traffic by its firewall

Unless I'm missing something, his concern with security has this root.

