Firewalls Part 2
So what can you do to set up a firewall in a more intelligent way? First, just like in coding, use comments and documentation. If you're blocking a host or adding a special allow rule for something, it never hurts to have a little note explaining why. I'm going to go about this in what might be a roundabout sort of way.
First, as in good programming, it's nice to have a single entry point and a single exit point. iptables makes this very easy: I use a chain named "KILLED", and any traffic I wish to block or otherwise handle negatively is sent to this chain.
# Create the chain first (harmless error if it already exists), then empty it
/sbin/iptables -N KILLED 2>/dev/null
/sbin/iptables --flush KILLED
# -I inserts at the top, so this DROP ends up as the last rule: the safety net
/sbin/iptables -I KILLED -j DROP
# Proper terminations, evaluated before the DROP
/sbin/iptables -I KILLED -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -I KILLED -p udp -j REJECT --reject-with icmp-port-unreachable
# Inserted last, so evaluated first: log the packet before terminating it
/sbin/iptables -I KILLED -j LOG --log-prefix "firewall killed "
This creates a new chain named "KILLED". The first rule I insert, which ends up as the final rule in the chain because -I inserts at the top, drops everything; it's a safety net. The rules inserted ahead of it (and so evaluated before it) send rejects. Personally, I am a strong believer that you should properly terminate traffic you reject. When TCP traffic is silently dropped, the client continues to follow the TCP protocol and retries, which creates more traffic for you to drop. There may also be upstream devices that maintain state, so it's nice to be a good network citizen. I also think that DROPs do nothing to actually increase security or hide the existence of a device; you might be able to make some sort of argument for them, but I equate it to security through obscurity.
So anywhere you wish to deny traffic, jump it to the "KILLED" chain: it will be properly terminated and a log message will be written, which is kind of nice for a security device.
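Here is the whole idea put together as a small script: the KILLED chain built in the order described above, plus a helper that routes a host into it with an inline note attached via the comment match, so the "why" from the opening paragraph lives in the ruleset itself. This is an added example, not code from the original post. It assumes the iptables comment and limit modules are available (standard in any distribution kernel); the LOG rule is rate-limited here, which the post's version is not. The script is dry-run by default and only prints the commands it would execute; set APPLY=1 and run it as root to actually install the rules. The host address and ticket text are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): build the KILLED chain with
# documented rules and send denied hosts into it.
# Dry run by default: IPT just echoes the commands. APPLY=1 as root applies them.
IPT="echo /sbin/iptables"
if [ "${APPLY:-0}" = "1" ]; then
    IPT=/sbin/iptables
fi

# Create (or reset) the KILLED chain. -I inserts at the top, so the DROP
# safety net goes in first and is evaluated last; the LOG rule goes in last
# and is evaluated first. Final order: LOG, udp REJECT, tcp REJECT, DROP.
setup_killed_chain() {
    $IPT -N KILLED 2>/dev/null || true     # no-op if the chain already exists
    $IPT -F KILLED
    $IPT -I KILLED -j DROP
    $IPT -I KILLED -p tcp -j REJECT --reject-with tcp-reset
    $IPT -I KILLED -p udp -j REJECT --reject-with icmp-port-unreachable
    # Rate-limited LOG (an addition to the post's rules) so a flood of denied
    # packets cannot fill the log; packets over the limit still get rejected.
    $IPT -I KILLED -m limit --limit 10/min -j LOG --log-prefix "firewall killed "
}

# Jump one source host to KILLED, recording the reason with the comment match
# (up to 256 characters; it is shown by iptables -S / iptables -L).
deny_host() {
    host=$1
    reason=$2
    $IPT -I INPUT -s "$host" -m comment --comment "$reason" -j KILLED
}

# Show the resulting KILLED chain so the rule order can be checked after applying.
show_killed_chain() {
    $IPT -S KILLED
}

# Constructed sample usage: a documented block of one scanning host.
setup_killed_chain
deny_host 203.0.113.7 "ticket 42: constructed example, repeated SSH scans"
show_killed_chain
```

After applying, `iptables -S KILLED` should list the LOG rule first and `-j DROP` last; if the order looks inverted, a rule was appended with -A instead of inserted with -I. For IPv6 the same chain has to be built again with ip6tables, and the UDP reject type there is `icmp6-port-unreachable`.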