[lug] Why Do I Need a Firewall?

Ben Whaley bwhaley at gmail.com
Wed Oct 3 19:49:12 MDT 2007


Here's a scenario in which iptables will help.

Imagine you have a web application running that accepts file uploads
and executes system commands (phpMyAdmin does this, for example). This
particular app is bad at doing input validation and has a number of
vulnerabilities. Bad Guy uploads his remote shell program, then
convinces the app to start the remote shell. The remote shell has to
listen on some port other than those already in use (80,443,21,22 in
your case). If iptables is set up properly, the port that Bad Guy's
shell is listening on (say 9000) won't be accessible. The web server
is running as an unprivileged user so it can't make changes to the
firewall config to allow him access to the port.

Certainly the insecure web application introduces myriad other ways to
abuse the system, but just for discussion this is one place where
iptables comes in handy.

- Ben

On 10/3/07, Rob Nagler <nagler at bivio.biz> wrote:
> Bill Thoen writes:
> > simple set up, why do I need a firewall and what should I set it to filter?
>
> Security is always difficult to assess with so little information.  My
> thinking is: iptables is trivial to set up, and the cost of an attack
> is very expensive.  The likelihood of a successful attack is extremely
> low, but iptables lowers it even more, probably to an epsilon where
> you don't need other measures, such as auditing and (shudders)
> SELinux. :-)
>
> Rob

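The default-deny ruleset that Ben's scenario relies on, written out as an added example (not code from the thread or the list). The four permitted ports come from the discussion; treating them as TCP-only, the LOG rule, and the `--apply` switch are my assumptions.

```shell
#!/bin/sh
# Added example: minimal iptables INPUT policy for the scenario above. Only the
# services the host is meant to offer are reachable; a process that later binds
# an unlisted port (say a dropped shell on 9000) is unreachable from outside.
# This restricts inbound only; the OUTPUT chain is left open, so connect-back
# traffic from the host is not addressed here.

# Ports the host legitimately serves (from the thread). Assumption: TCP only.
ALLOWED_TCP_PORTS="21 22 80 443"

# Emit the ruleset as iptables commands instead of running them, so it can be
# reviewed (or diffed against iptables-save output) before being applied as root.
firewall_rules() {
    echo "iptables -F INPUT"
    # Keep loopback and already-established flows working.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what the default policy will drop; a hit on an odd port such as 9000
    # is a cheap signal that something on the host opened a listener.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
    # Default deny, set last so an existing admin session is not cut off
    # before the ESTABLISHED rule is in place.
    echo "iptables -P INPUT DROP"
}

# Returns 0 if the generated ruleset accepts new inbound TCP on port $1.
port_allowed() {
    firewall_rules | grep -q -- "--dport $1 -m state --state NEW -j ACCEPT"
}

# Print by default; apply for real only when asked and running as root.
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    firewall_rules | sh -e
else
    firewall_rules
fi
```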