Default firewall settings discussion

Hello,

The default firewall settings are that INPUT accepts only established connections.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Question 1. I think that the settings are already secure. Could you provide a counter-argument for when this firewall rule would fail to prevent malicious traffic from entering?

Question 2. If I wanted to limit INPUT ports, I would first comment out the rule above. Could you provide an example rule pair to allow INPUT and OUTPUT for a certain port? Consider HTTP port 80 as an example.

Hi
This isn't Qubes-specific in any way. Still, it's a holiday. (Happy Christmas, by the way.)

  1. There was an open issue many years ago about the use of "RELATED" here. ESTABLISHED connections are part of a connection stream. RELATED are where a packet is associated with, but not part of, an existing connection - like in an FTP transaction. To keep track of these connections, the network streams have to be parsed within the kernel - these are complex modules (which I think are blacklisted in Qubes). So there is a risk in using this sort of rule - there are network attacks which attempt to overload connection tracking, or subvert the tracking modules.

  2. Don't comment out that rule. Insert a rule ahead of it in the processing stream. For iptables:

     iptables -I INPUT -p tcp --dport 80 -j ACCEPT

That specifies the protocol (tcp) and the destination port (80), to allow traffic inbound.

No need for anything in OUTPUT - by default it's wide open. (I don't like this and change this behaviour.)

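The rule set the reply above describes, written out as an added example (not code from this thread or from Qubes): an iptables-restore fragment that keeps the RELATED,ESTABLISHED rule and places an explicit port allow ahead of it, plus a helper that lists which ports the INPUT chain opens to new connections. The `--ctstate INVALID -j DROP` line and the audit helper are my additions; port 80 is the HTTP example from the question, and `HTTP_PORT` is a name I chose.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Generates the INPUT rules the
# reply describes as an iptables-restore fragment and audits the exposed ports.

HTTP_PORT=80   # the HTTP example from the question; change to open another port

# Emit the filter table. Rules in a chain match top to bottom: the INVALID drop
# sits before the conntrack ACCEPT so malformed or out-of-state packets never
# reach it, and the port rule is inserted ahead of the RELATED,ESTABLISHED rule
# rather than replacing it. OUTPUT stays ACCEPT, the default the reply mentions.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${HTTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print, one per line, the destination ports that INPUT accepts for NEW
# connections: a quick exposure audit of the generated rule set.
open_ports() {
    gen_rules | awk '
        /^-A INPUT/ && /-j ACCEPT/ && /--dport/ && /NEW/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Succeeds only if the conntrack rule is still present (the reply says not to
# comment it out).
keeps_conntrack_rule() {
    gen_rules | grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT'
}

# Parse the rule set through iptables-restore without committing it (needs
# root); a non-zero exit means a syntax error. To apply for real, drop --test:
# note that iptables-restore replaces the whole filter table.
check_rules() {
    gen_rules | iptables-restore --test
}
```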

This topic can go on forever! All my non-Qubes HVMs have Firewalld with rudimentary traffic analysis. I think Whonix has some contraption too and Patrick is involved with a proprietary project firewallVM. I'm sure you can find this if you search hard and smart enough.
