morning thoughts on firewall
Marco Bonetti
marco.bonetti at gmail.com
Tue Dec 21 03:08:32 CST 2004
hi!
The last time I helped install Ubuntu on a friend's computer I was
asked about the presence of a firewall.
I answered as in the FAQ: "there is a firewall, but it isn't
configured because you do not need it". My friend was a bit surprised
and pointed out that OS X and Windows have a configured firewall.
Maybe adding a simple default firewall configuration would be more
interesting for new users: they probably don't care about the rules,
but they surely care about whether they are present or not.
So I started thinking about a possible configuration to work on (just
brainstorming; this script is awful and takes care only of lo and
eth0):
-8<-
#!/bin/sh
# Flush existing rules and user chains so the script can be re-run
# without appending duplicates
/sbin/iptables -F
/sbin/iptables -X
# Default policies: drop everything no rule below accepts
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
# Dropping unclean packets (do we need it?) -- remember to insmod ipt_unclean
#/sbin/iptables -A INPUT -m unclean -j DROP
# Enabling loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Accepting replies to connections we opened ourselves
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Dropping oversized icmp echo requests (inbound echo requests are NEW,
# so the INPUT policy would drop them anyway)
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -m length --length 128:65535 -j DROP
# Accepting our outgoing connections
/sbin/iptables -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-8<-
Then another two problems came up: what to do when the user installs
some kind of service, or wants to work out a custom policy?
Maybe init.d scripts could be modified to open their needed ports when
"start" is called, and iptables could be linked, so that chmodding +x/-x the
link would enable/disable this "automagic" stuff.
Whoa! end of my morning thoughts... what do you think?
ciao
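A sketch of the "automagic" init.d idea from the post above, as an added example that is not part of the original message and not Ubuntu's own code: a small helper a service's init script could source so that "start" opens its listening port on top of a default-DROP INPUT policy like the one in the post, and "stop" closes it again. The names (fw_rule, fw_open, fw_close, FW_IFACE, IPTABLES) and the placeholder port are assumptions, and the duplicate check relies on "iptables -C", which later iptables versions provide; setting IPTABLES to a logging function lets it run as a dry run without root.

```shell
#!/bin/sh
# Added example (not from the post or from Ubuntu): helper functions an
# init.d script could source to open/close its port on start/stop.
# fw_rule, fw_open, fw_close, FW_IFACE and IPTABLES are assumed names;
# the idempotency check uses "iptables -C" (not available in 2004 releases).

IPTABLES="${IPTABLES:-/sbin/iptables}"   # point at a shell function for a dry run
FW_IFACE="${FW_IFACE:-eth0}"             # the post's script only handles lo and eth0

# fw_rule PROTO PORT: print the INPUT rule spec for one service port, after
# validating both arguments so a typo in an init script cannot become a
# wildcard rule. Returns 1 (and prints nothing) on bad input.
fw_rule() {
    proto=$1
    port=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "fw_rule: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "fw_rule: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "fw_rule: port $port out of range" >&2
        return 1
    fi
    echo "INPUT -i $FW_IFACE -p $proto --dport $port -m state --state NEW -j ACCEPT"
}

# fw_open PROTO PORT: append the accept rule unless it is already present,
# so a service restarted several times does not pile up duplicate rules.
fw_open() {
    spec=$(fw_rule "$1" "$2") || return 1
    # $spec is deliberately unquoted: it must split into separate arguments
    if "$IPTABLES" -C $spec 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -A $spec
}

# fw_close PROTO PORT: delete the accept rule again when the service stops.
fw_close() {
    spec=$(fw_rule "$1" "$2") || return 1
    "$IPTABLES" -D $spec
}

# How an init.d script for a hypothetical service on tcp/8080 (placeholder
# port) would use it: "start" opens the port, "stop" closes it.
case "${1:-}" in
    start) fw_open tcp 8080 ;;
    stop)  fw_close tcp 8080 ;;
esac
```

Because the rule spec is built once by fw_rule and reused for -C, -A and -D, the rule that gets deleted on "stop" is exactly the one that was added on "start"; the chmod +x/-x trick from the post then maps naturally onto whether the init script sources this file at all.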
More information about the ubuntu-devel mailing list