the completeness of my firewall?


cotfessi
02-02-2001, 11:32 AM
After beating on my machine for a few days, I finally have it to a point where I can connect to the internet. Right now the only service I have running that seems to need a port is my email (exim). I read through the HOWTO on ipchains and put together a very basic firewall while I'm on the net grabbing other packages.

I looked into pmfirewall last night and had it help build a rules file for me. After review of this list, I see that my own basic ipchains is grossly inadequate... or is it?

If I'm running other security programs like Tripwire and Portsentry for example, how specific does my ipchains firewall have to be??

thanks
- cotfessi

The_Stack
02-02-2001, 12:18 PM
The packets will be handled first by IPCHAINS, then by PortSentry. This means that what IPCHAINS allows through will be examined by PortSentry. Since PortSentry is mainly used to counter port-scans, if you close those ports via IPCHAINS then you reduce the effectiveness of PortSentry.

If you want both IPCHAINS and PortSentry to work together then IPCHAINS should be configured to not interfere with PortSentry.

A simple example: make IPCHAINS log all access to privileged ports, turn off services on those ports, then set up PortSentry to listen on those ports. This way IPCHAINS will log one-time access to your privileged ports and PortSentry will drop the source if the accesses turn out to be port scans.

Hope this helps.

Good Luck!

X_console
02-02-2001, 12:40 PM
You can't really say that the fewer rules you have in ipchains, the less secure it is, and the more rules you have, the more secure it is. It depends on _what_ rules you're using. If you have a 3 line ipchains rule that denies all incoming packets, then that's pretty secure on its own. See what I mean?

As for Tripwire, well... that's _after_ you get cracked into. And hopefully you keep your tripwire database in a separate medium, otherwise the cracker could modify or delete it anyway.
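As an added example (not code from the thread or from any of the posters), here is a POSIX shell script that builds the two rule sets discussed above: X_console's short "deny everything inbound" set, and The_Stack's layout where access to privileged ports is logged but still passed through so PortSentry can see it. It assumes ipchains lives at /sbin/ipchains, uses a constructed placeholder resolver address, treats exim on port 25 as the only real service (as in the original question), and assumes PortSentry is configured to insert its own ipchains DENY rule for a source it decides is scanning. By default it only prints the commands (dry run); run it as root with RUN="" to actually load them.

```shell
#!/bin/sh
# Added example (not from the thread or from any poster): two ipchains rule sets
# for the set-up discussed above. Dry run by default: with RUN=echo the commands
# are only printed; run as root with RUN="" to load them.
RUN="${RUN-echo}"
IPCHAINS="/sbin/ipchains"       # assumed location of the ipchains binary
RESOLVER="192.0.2.53"           # constructed placeholder for the site's DNS resolver

run() { $RUN "$IPCHAINS" "$@"; }

# Rules shared by both sets. ipchains has no connection tracking, so replies to
# connections this host opened are let back in with "! -y" (TCP packets that are
# not a connection opener, i.e. not SYN-without-ACK); UDP DNS answers are limited
# to the resolver's port 53 talking to an unprivileged local port.
base_rules() {
    run -F input                                   # start from an empty input chain
    run -P input DENY                              # default: drop anything not matched below
    run -A input -i lo -j ACCEPT                   # loopback traffic is always fine
    run -A input -p tcp ! -y -j ACCEPT             # replies to outbound TCP connections
    run -A input -p udp -s "$RESOLVER" 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
}

# X_console's point: a short "deny everything inbound" set is already strong.
# Only exim (SMTP, port 25) is reachable from outside.
minimal_rules() {
    base_rules
    run -A input -p tcp -d 0.0.0.0/0 25 -j ACCEPT   # exim
}

# The_Stack's layout: new connections to privileged ports are logged (-l) but
# still ACCEPTed, so the packet reaches PortSentry listening there instead of a
# real service. Ordering matters (first match wins): the exim rule comes first so
# SMTP is not logged. A DENY on these ports (the port-23 case in the question)
# would stop PortSentry ever seeing the probe. Assumed: when PortSentry decides a
# source is scanning, its KILL_ROUTE inserts (-I) a DENY for that source at the
# top of the input chain, ahead of everything here.
portsentry_rules() {
    base_rules
    run -A input -p tcp -d 0.0.0.0/0 25 -j ACCEPT                 # exim, not logged
    run -A input -p tcp -y -d 0.0.0.0/0 0:1023 -j ACCEPT -l       # other privileged TCP ports: log, pass to PortSentry
    run -A input -p udp -d 0.0.0.0/0 0:1023 -j ACCEPT -l          # privileged UDP ports: log, pass to PortSentry
}

case "${1:-portsentry}" in
    minimal)    minimal_rules ;;
    portsentry) portsentry_rules ;;
    *) echo "usage: $0 [minimal|portsentry]" >&2; exit 2 ;;
esac
```

Run it with `sh firewall.sh minimal` or `sh firewall.sh portsentry` to see the rules it would load; the printed lines are the exact ipchains commands, so they can be checked against the SANS template linked later in the thread before being applied. The ordering point is the one that matters for the question asked: a port that ipchains denies never reaches PortSentry, while a port that ipchains accepts with `-l` gives you both a syslog line from the kernel and PortSentry's own reaction.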

cotfessi
02-02-2001, 01:21 PM
Thanks for the responses... but I'm a little fuzzy on the first response. Does that mean that Portsentry will act somewhat as a replacement for my ipchains? I understand that if I turn off port 23 at the ipchains level and Portsentry is set to look at port 23, Portsentry will never find anything.

P.S. As an aside, I planned on storing my tripwire stuff on a zip disk...

whiterabbit
02-02-2001, 02:36 PM
Get unchained from your ipchain problems!

Here is AN OUTSTANDING FAST PORTABLE KICKA$$ ipchains primer from SANS. Pick and choose what you need 2 use.
http://www.sans.org/infosecFAQ/blocking_ipchains.htm

BTW - I just tested the link (11:37 AZ Time) and it works....I'm not a lame linker. This is not so much a primer as a pretty good template for expansion, etc. Promise it's worth the time and caffeine to pore over.

Cheers!

[ 02 February 2001: Message edited by: whiterabbit ]

cotfessi
02-02-2001, 03:36 PM
Thanks for the link. That's the best info that I've read on the firewall/ipchains thing.

whiterabbit
02-02-2001, 03:41 PM
You are quite welcome. I read books, FAQs, bit the heads off live chickens, etc. all to understand what that puts soooo eloquently and quickly.

Happy Firewalling!
Cheers! :)