Your dumbest firewall rule

[NodeBytes]

Soooo... we all have that one firewall rule that just makes things work but is insanely stupid/insecure. What's yours?

 

[Francisco]

iptables -P INPUT DROP

Fuuuuuuuuuuuuuuuuuuuuuuuuuuuu-

Francisco

 

[Sunshine]

We do? :blink:

 

[jarland]

Soooo... we all have that one firewall rule that just makes things work but is insanely stupid/insecure. What's yours?

iptables -I INPUT -p udp -j ACCEPT

 

[MannDude]

Whats a firewall?

I see server security like I see locking a car. I don't want someone to bust out my window just to steal the change in the cup holders. So I just leave it unlocked...

Haha, I kid I kid.

 

[Slownode]

80 to 8080


443 to 8090


22 drop


Something to 22


Every server of mine.

 

[drmike]

I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.

 

[Shados]

I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.

Maybe try ferm? It's pretty cool from what I've seen.

 

[raindog308]

I think all firewall rules are semi dumb --- as is default prodding of them as needed.

Iptables while powerful isn't exactly a great manageable heap... Guess I need to spend more intimate time with it or find a better management front end for iptables.  Recommendations.

When I ran a cpanel server, I found ConfigServer Firewall to be super-awesome.  Every few hours I got an email stating "detected brute force from X.X.X.X/CN, blocked".  It analyzed failed logins, brute-forces, too many apache connections, etc. and inserted an iptables rule.

There are other packages that do this as well - fail2ban - but CSF was nice because it plugged into cpanel.

I find the utility of firewalls increases with the number of users.  If it's a VPS and I'm the only user - probably not much value because I'm running a few services on oddball ports and I'm not likely to start up any others.  Then again, apt-get the wrong Debian package and you can find yourself serving samba to the Internet, so...

 

[NodeBytes]

I'm running a hardware firewall. I still run IPTables on pretty much all the VM's, I strongly dislike IPTables.

 

[DalComp]

This kind of "hardware" firewall, I am sure my servers are secure.

 

[WebSearchingPro]

yum erase iptables

 

[Deleted]

Blocking ICMP completely is one the more silly ones I used to do, until I realize PMTU and others require working ICMP. 

 

[NodeBytes]

@Monkburger - Yeah, I just set limitations on ICMP so you get dropped if you ping or traceroute my server too much.

 

[wlanboy]

Soooo... we all have that one firewall rule that just makes things work but is insanely stupid/insecure. What's yours?

1. Apply all rules
2. Test them
3. Check that nothing is working
4. Check everything & redeploy
5. Test them again
6. Check that nothing is working again
7. Flip the table for fun
8. Realize that you used "venet0" as device name on your sole KVM vps...

 

[rsk]

service iptables stop ... intentionally.