Unix security: Difference between revisions

[[iptables]] is the current user interface for interacting with [[Linux]] kernel [[netfilter]] functionality. It replaced [[ipchains]]. Other [[Unix]]-like operating systems may provide their own native functionality, and other [[open source]] firewall products exist. More detailed information about iptables is contained elsewhere. A brief discussion is contained here in order to describe how iptables may be used to configure a Linux firewall.
 
[[netfilter]] provides a stateful packet filter which can be configured according to [[Network card|network interface]], [[Internet Protocol|protocol]], [[IP address|source and/or destination address]], [[IP port|source and/or destination port]] and the state of the packet. A network packet traverses several ''chains'' between the time it is received by a network interface and the time it is accepted by the host or forwarded to another host. The common chains are '''{{mono|INPUT}}''', '''{{mono|OUTPUT}}''' and '''{{mono|FORWARD}}'''. The '''{{mono|INPUT}}''' ''chain'' is traversed for all packets as they are received by a network interface, regardless of whether they are to be accepted by the host or forwarded to another host. The '''{{mono|OUTPUT}}''' ''chain'' is traversed for all packets as they are transmitted by a network interface. The '''{{mono|FORWARD}}''' chain is traversed for those packets which are being routed through the host from one network interface to another, such as is the case for a multi-homed system (a system with more than one physical network interface).
 
Each of the built-in chains has a default ''policy'' which defines what action is taken for a packet which reaches the end of the chain. Packet traversal ends when a ''rule'' matches the packet and has an action of '''{{mono|ACCEPT}}''', '''{{mono|DROP}}''', '''{{mono|REJECT}}''' or '''{{mono|RETURN}}'''.
 
The simplest [[iptables]] firewall consists of ''rules'' for each desired service, followed by a rule which indicates that any packets which reach this rule are dropped. A system which only permitted, for example, incoming email traffic would have a rule which accepted connections on the [[Simple Mail Transfer Protocol|SMTP]] port, and then dropped others. A rule would be required which indicated that all established connections were also permitted so that outgoing connections would receive responses from other systems.
 
====INPUT chain====
The following example shows a simple packet filter for the '''{{mono|INPUT}}''' chain for the above described example:
 
 Chain INPUT (policy DROP 0 packets, 0 bytes)
     0     0 DROP       all  --  any    any     anywhere             anywhere
 
The addition of an explicit '''{{mono|DROP}}''' action ensures that the packets are discarded should the default policy of the '''{{mono|INPUT}}''' chain accidentally be changed to '''{{mono|ACCEPT}}'''.
 
====OUTPUT chain====
There is less need for an '''{{mono|OUTPUT}}''' chain, and the default ''policy'' of the '''{{mono|OUTPUT}}''' chain can safely be set to '''{{mono|ACCEPT}}'''. In some instances it may be desirable for a firewall to limit certain outgoing connections to a certain set of approved systems. This is known as [[egress filtering]] and may be used to prevent viruses within the firewall from escaping to other systems. For example, it may be the policy of a network to limit outgoing email connections to a single authorized email server as a way of combating [[e-mail spam]]. This could be achieved by the following example:
 
 Chain OUTPUT (policy ACCEPT)
     0     0 DROP       tcp  --  any    any     !server              anywhere             tcp dpt:smtp
 
There is no need to include any other rules in this example as the default policy for the '''{{mono|OUTPUT}}''' chain is '''{{mono|ACCEPT}}'''. This rule assumes that the host which is acting as the firewall will not be sending email itself, such as to the email server. This is a good assumption as typically a firewall system contains the minimal amount of system code needed to act as a firewall.
 
A more restrictive '''{{mono|OUTPUT}}''' chain would contain permissive ('''{{mono|ACCEPT}}''') entries for those services which may be accessed outside the firewall and then a restrictive ('''{{mono|DROP}}''') policy for the chain itself.
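The following script, added here as an illustration and not part of the article, builds the '''{{mono|INPUT}}''' and '''{{mono|OUTPUT}}''' rule sets described in the two sections above (SMTP-only inbound with an explicit final DROP, and outbound SMTP restricted to one authorized server). The server address is a constructed placeholder from the TEST-NET-1 range, and the script prints the iptables commands unless <code>DRY_RUN=0</code> is set:

```shell
#!/bin/sh
# Added example (not from the article). Builds the INPUT/OUTPUT rule sets
# described above. MAIL_SERVER is a constructed placeholder address.
# With DRY_RUN=1 (the default) the iptables commands are printed instead
# of executed, so the rule set can be reviewed on any host.
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# INPUT chain: default policy DROP, accept replies to connections the host
# opened, accept new SMTP connections, then an explicit DROP so the
# filter still holds if the policy is later changed to ACCEPT.
input_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 25 -j ACCEPT
    ipt -A INPUT -j DROP
}

# OUTPUT chain: policy ACCEPT, but egress SMTP only to the authorized
# server ("!server" in the article's listing).
output_rules() {
    ipt -P OUTPUT ACCEPT
    ipt -F OUTPUT
    ipt -A OUTPUT -p tcp --dport 25 ! -d "$MAIL_SERVER" -j DROP
}

# Sanity check: number of explicit "-j DROP" rules a rule set emits.
count_drop_rules() {
    "$1" | grep -c -- '-j DROP'
}

input_rules
output_rules
```

Run it as root with <code>DRY_RUN=0</code> to apply the rules; <code>iptables -L -v -n</code> then shows the chains in the same form as the listings above.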
 
==General==