General firewall question (Linux Security forum, System Security and Security Related category)
If I have my iptables set up to not allow in any traffic originating from the internet, do I need to worry about leaving the PC on and connected 24x7? I realize there are possible holes, if I have a server program running, but if I don't have any running and no ports allowed in can I tell my paranoid network admin not to worry? Thanks!
I should also state that I'm aware that user applications, like the browsers, have security problems. So let's just throw applications to the side and say that if I turn on the PC, enable the firewall and walk away, can it be compromised just by sitting there? That is not my plan, but that is the root of my question.
On Sun, 13 Mar 2005 16:09:14 -0800, awburton wrote:
> I should also state that I'm aware of user applications, like the
> browsers, have security problems. So let's just throw applications to
> the side and say that if I turn on the PC enable the firewall and walk
> away, can it be compromised just by sitting there?

If you "throw applications to the side", what is the point of being connected?

> That is not my
> plan, but that is the root of my question.

With all due respect, and maybe I didn't understand your messages, but ... either you should take full responsibility for the security of your system yourself, or else you should find a way to work agreeably with whomever has been assigned that responsibility.
On Sun, 13 Mar 2005 15:49:32 -0800, awburton wrote:
> If I have my iptables setup to not allow in any traffic originating from
> the internet,

_IF_ you truly do not allow "any traffic originating from the internet", then of course you would not have any internet connection. Is that what you meant to say?

> do I need to worry about leaving the PC on and connected 24x7?

Get a doctor's appointment and a prescription for Zoloft or some such (sorry, no experience or expertise here). Or else smoke some ganja or drink lots of ethyl alcohol and your worry quotient will go way down. Either you are connected or you are not connected. Which is it? What do you know about what ports you have open? Have you done nmap scans from outside? Do you have authority to do those? If so, why is your provider paying a (another) network admin? Just take the job and salary yourself and do it.

> I realize there are possible holes, if I have a server program running,
> but if I don't have any running and no ports allowed in can I tell my
> paranoid network admin not to worry? Thanks!

You are welcome. A touch of paranoia is often useful in security issues. Some people (maybe you) don't know that IM, VoIP and many other widely used services are "servers". Are you expecting your "network admin" to be responsible for keeping your system and link working and trouble-free? Or can you cover that all by yourself?
> If you "throw applications to the side", what is the point of being
> connected?
>
> > That is not my
> > plan, but that is the root of my question.
>
> With all due respect, and maybe I didn't understand your messages, but,
> ...
>
> either you should take full responsibility for the security of your system
> yourself, or else you should find a way to work agreeably with whomever
> has been assigned that responsibility.

All I'm trying to do here is simplify the question. Basically, if I have a properly configured firewall, and ignoring for the moment vulnerabilities in user applications, are there any other remote access security issues to worry about?
> _IF_ you truly do not allow "any traffic originating from the internet",
> then of course you would not have any internet connection. Is that
> what you meant to say?

The PC is still physically connected and I have outgoing traffic.

> A touch of paranoia is often useful

I appreciate you trying to help and I am probably being overly paranoid, but my question is strictly concerned with iptables.

> Some people (maybe you) don't know that IM, VoIP and many other
> widely used services are "servers".

I'm well aware of that and as I stated before "let's just throw applications to the side". I mean that in terms of this question. Of course I will be running programs and I'm aware of needing to maintain them. I just don't have the experience with running IPTABLES. Before I've always been behind a hardware firewall. In this situation I won't have that.
Aaron wrote:
> > If you "throw applications to the side", what is the point of being
> > connected?
> >
> > > That is not my
> > > plan, but that is the root of my question.
> >
> > With all due respect, and maybe I didn't understand your messages, but,
> > ...
> >
> > either you should take full responsibility for the security of your system
> > yourself, or else you should find a way to work agreeably with whomever
> > has been assigned that responsibility.
>
> All I'm trying to do here is simplify the question. Basically, if I
> have a properly configured firewall, and ignoring for the moment
> vulnerabilities in user applications, are there any other remote
> access security issues to worry about?

Iptables is a very good firewall. It can be somewhat difficult to configure. A well designed iptables configuration is quite safe -- but as I said it is hard to configure. After you get a trial configuration you should test it out 1) from outside and 2) from inside. The testing can be tricky also. It is my experience that people new to iptables do not do a very good job with their first few (sometimes many) trial configurations. If you are new to iptables then you should expect that your first tries will not be 24/7 secure. If you have the help of a seasoned administrator you should ask that person for help and advice. Also, even if you have an administrator be careful as even seasoned professionals sometimes don't get the configuration right the first time.

For your trial configurations I would suggest more rather than less logging. Log not only denied but also initial allowed connections. Then carefully review your logs while doing your testing. Once you get a configuration you are happy with you can remove some of the 'allow' logging. I usually log initial connections for ssh and ftp as my site does not have a lot of this traffic. I also have ssh and ftp restricted to specific users and force them to use strong passwords -- that is, regular users CAN NOT change their passwords!

As others have said many times in this group "security is a process". You should revisit your security plans on a regular basis and periodically do all the testing and monitoring of your logs again and again. It is a lot of work but it seems to be necessary. I hope this helped.
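The trial-configuration advice in the reply above (default-deny inbound, keep outgoing traffic working, log both denied packets and NEW allowed connections, then review the logs) as an added shell example. This is not code from the thread or from any of its posters. It assumes the internet-facing interface is eth0 (overridable as the first argument), that ssh on tcp/22 is the only service accepted from outside, and that the log prefixes and the sample kernel log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful default-deny iptables ruleset
# (iptables-restore format) that logs dropped packets and NEW allowed
# connections, plus a small summary of the resulting kernel log lines.
# Assumptions: the internet-facing interface is eth0 (override with $1) and
# ssh on tcp/22 is the only service reachable from outside.

# Emit the ruleset. Apply as root with:  gen_ruleset eth0 | iptables-restore
# INPUT defaults to DROP, so nothing the internet initiates gets in, but
# replies to connections this PC opened itself match ESTABLISHED,RELATED and
# are accepted, so outgoing traffic (browsing, mail) keeps working.
# Older kernels spell the state match "-m state --state ..." instead.
gen_ruleset() {
  wan="${1:-eth0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "FW-ALLOW-NEW: "
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Summarise LOG output (kernel log lines on stdin): count lines per log
# prefix, protocol and destination port, so a reviewer sees at a glance which
# ports outsiders probed and which NEW connections were actually let in.
summarize_log() {
  awk '
    /FW-(DROP|ALLOW-NEW): / {
      tag = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^FW-/)          tag = $i
        else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
        else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
      }
      count[tag " " proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Constructed sample log lines in the shape the LOG target writes (addresses
# are documentation ranges, not real hosts).
SAMPLE_LOG='Mar 13 16:09:14 pc kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44112 DPT=445 SYN
Mar 13 16:09:20 pc kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44113 DPT=445 SYN
Mar 13 16:10:02 pc kernel: FW-ALLOW-NEW: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 13 16:11:40 pc kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434'

# Run the summary over the constructed sample.
demo_summary() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_log
}

# When run directly: show the ruleset, then the log summary.
gen_ruleset
demo_summary
```

The summary prints one line per prefix, protocol and port, e.g. `FW-DROP: TCP/445 2`, which is the view the reply recommends checking during testing: the `FW-ALLOW-NEW` lines should contain only the connections you expected, and once you are happy with the configuration that LOG rule is the one to remove first. The `--limit` on the drop logger keeps a port sweep from flooding the kernel log.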
awburton@yahoo.com said:
> If I have my iptables setup to not allow in any traffic originating
> from the internet, do I need to worry about leaving the PC on and
> connected 24x7? I realize there are possible holes, if I have a server
> program running, but if I don't have any running and no ports allowed
> in can I tell my paranoid network admin not to worry? Thanks!

Well, iptables (or rather, the netfilter code in the kernel) is still software, and software can have bugs. So, with a suitable bug in netfilter it would be possible to mount some kind of attack (resource consumption and perhaps kernel memory corruption come to mind) against your machine. So, it all depends on your level of paranoia.

-- 
Wolf a.k.a. Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Juha Laiho wrote:
> Well, iptables (or rather, the netfilter code in the kernel) is still
> software, and software can have bugs. So, with a suitable bug in
> netfilter it would be possible to mount some kind of attack (resource
> consumption and perhaps kernel memory corruption come to mind) against
> your machine.
>
> So, it all depends on your level of paranoia.

All routers have software or algorithms in them too. Even dedicated hard-coded logic like FPGAs etc. is still just as good as the algorithms used, so if you want to be paranoid it is easy. The netfilter/iptables code has been pretty good so far. The biggest problems I've seen aren't with the code but with the configuration. Then again, if one wants to be paranoid, maybe the sun will explode, or heck, how about those tidal waves :)
> Well, iptables (or rather, the netfilter code in the kernel) is still > software, and software can have bugs. So, with a suitable bug in > netfilter it would be possible to mount some kind of attack (resource > consumption and perhaps kernel memory corruption come to mind) against > your machine. > > So, it all depends on your level of paranoia. All routers have software or algorithms in them too. Even dedicated hard coded logic like FPGA's etc. are still just as good as the algorithms used, so if you want to be paranoid it is easy. The netfilter/iptables code has been pretty good so far. The biggest problems I've seen aren't with the code but with the configuration. Then again if one wants to be paranoid, maybe the sun will explode or heck how about those tidal waves:) |