Post iptables rules in newsgroup, bad idea?

I was told in comp.os.linux.security that it's generally a bad idea to
post one's iptables rules list on Usenet, that it's a security risk.

I'm not doing anything fancy, just trying to lock down all access except
HTTP, SSH, and DNS, which I think is a pretty common thing for people to
be doing.

What could a bad guy learn from looking at my rule set?

Unless I'm REALLY missing something (no surprise!), I'd like to post my
rule set here for you experts to critic for me.

It's not a long rules list, currently about 80 lines including comments
but it will be shorter than that when I get done.

Any problem if I post it here, after I get done with it?

Re: Post iptables rules in newsgroup, bad idea?

C. J. Clegg wrote:
> I was told in comp.os.linux.security that it's generally a bad idea to
> post one's iptables rules list on Usenet, that it's a security risk.
>
> I'm not doing anything fancy, just trying to lock down all access
> except HTTP, SSH, and DNS, which I think is a pretty common thing for
> people to be doing.
>
> What could a bad guy learn from looking at my rule set?

He could find flaws in your ruleset and (try to) exploit them. However,
you can mitigate that risk (to a degree) by obfuscating or omitting
public IP addresses, or by posting only snippets from it. After all you
can't not post your ruleset if you want to discuss it. ^_^

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Post iptables rules in newsgroup, bad idea?

I agree, I don't think it is a problem to post it as long as you
change/remove any identifying information from them. I also suggest not
posting from a machine behind your firewall as it is quite easy to
determine from what IP the post was made hence negating much of your
work to hide your public IPs from the posted configs.


Ansgar -59cobalt- Wiechers wrote:
> C. J. Clegg wrote:
> > I was told in comp.os.linux.security that it's generally a bad idea to
> > post one's iptables rules list on Usenet, that it's a security risk.
> >
> > I'm not doing anything fancy, just trying to lock down all access
> > except HTTP, SSH, and DNS, which I think is a pretty common thing for
> > people to be doing.
> >
> > What could a bad guy learn from looking at my rule set?
>
> He could find flaws in your ruleset and (try to) exploit them. However,
> you can mitigate that risk (to a degree) by obfuscating or omitting
> public IP addresses, or by posting only snippets from it. After all you
> can't not post your ruleset if you want to discuss it. ^_^
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Post iptables rules in newsgroup, bad idea?

On Fri, 03 Nov 2006, in the Usenet newsgroup comp.security.firewalls, in article
, C. J. Clegg wrote:

>I was told in comp.os.linux.security that it's generally a bad idea to
>post one's iptables rules list on Usenet, that it's a security risk.

As always, "that depends".

>I'm not doing anything fancy, just trying to lock down all access except
>HTTP, SSH, and DNS, which I think is a pretty common thing for people to
>be doing.

OK - DNS has to be on port 53, and is generally open to everyone. HTTP is
generally on port 80, and may or may not be open to everyone. SSH defaults
to 22. Who do you want to allow access to SSH? Everyone? (Why?) If so,
thats one problem. Specific individuals well known to you? If so, there
is nothing that absolutely requires SSH to be on port 22 (though moving it
may run into others firewall complications - some administrators only allow
outbound SSH to port 22). Also, there is rarely a valid reason to allow
access to your SSH server from everywhere. You say you're "not doing
anything fancy" - so you wouldn't be showing anything like portknocking
ports - so it boils down to showing what any skript kiddiez would be able
to find with a simple port-scan anyway.

As for the rest of the services, what can be so secret about '-j REJECT'?

>What could a bad guy learn from looking at my rule set?

If your rule set has errors, will someone tell you about it and you get it
fixed before some skript kiddiez can try to exploit the error?

>It's not a long rules list, currently about 80 lines including comments
>but it will be shorter than that when I get done.

80 lines? Probably not a problem - are the comments necessary for other
to understand something? But as you've also stated you are going to post
them to comp.os.linux.security, why not combine the posts by listing both
newsgroups (comma separated) in the newsgroup header, and perhaps include
a Followup-To: header - that way you're going to waste a bit less bandwidth.

>Any problem if I post it here, after I get done with it?

If you've moved a service to a different port, you need not show the "real"
port it's been moved to. If you are restricting access to certain IP ranges,
you might consider showing those as RFC3330 ranges - 192.0.2.0/24 is often
used for that, 198.18.0.0/15 is another, but there are still whole /8s that
IANA hasn't released - see http://www.iana.org/assignments/ipv4-address-space

Old guy

Re: Post iptables rules in newsgroup, bad idea?

On Fri, 03 Nov 2006 18:48:23 +0000, Ansgar -59cobalt- Wiechers wrote:

> After all you
> can't not post your ruleset if you want to discuss it. ^_^

Right. :-)

OK, please see the new "Sample iptables rules list, inviting your
suggestions / criticisms" thread ... thanks. :-)

Re: Post iptables rules in newsgroup, bad idea?

On Sat, 04 Nov 2006 14:00:55 -0600, Moe Trin wrote:

> 80 lines? Probably not a problem - are the comments necessary for other
> to understand something? But as you've also stated you are going to post
> them to comp.os.linux.security, why not combine the posts

Good afternoon, Moe.

I figured the comments would be helpful so that others can understand my
intent and tell me how my dumbo attempts to achieve that intent are doomed
to failure. :-)

As for posting in c.o.l.s, I guess I should have done that in the manner
you suggest, but for now I've just posted it here.

It ended up a shade over 80 lines (134 lines actually) with some added
comments; it's in the new "Sample iptables rules list, inviting your
suggestions / criticisms" thread. Hope it didn't get thoroughly trashed
by newsreader reformatting... :-(