[TriLUG] host-based dynamic app/port firewall?

matt at noway2.thruhere.net matt at noway2.thruhere.net
Wed Oct 24 09:32:30 EDT 2012


I concur with Aaron on this one.  There is no absolute need to have a
firewall in addition to a closed port by virtue of no application
listening.  I like to think of the firewall as an added wrapper of
protection that keeps ports from being inadvertently opened rather than an
absolute must for protection.

That being said, if you want something to dynamically alter the firewall,
I would try writing a set of firewall scripts that adjust things as
desired and call it from the application startup script using
iptables-restore.  For example: "iptables-restore << apache_rule_script" 
Of course any firewall changes need to be executed with root privilege,
but so do the daemon process starts that your performing.

> At 00:57 -0400 24 Oct 2012, Kevin Hunter <hunteke at earlham.edu> wrote:
>>Or, since no application would be listening on a port, is it a complete
>>non-issue?  (For example, if Apache is disabled, and since nothing else
>>should be listening on port 80, does it amount to the same thing as if
>>there were a firewall rule denying access?)
>
> I really don't see any reason to try to do that type of dynamic firewall
> rule.  If a port isn't being used, the kernel will already reject
> incoming packets to that port.  Someone running nmap against the box
> would be able to tell the difference between a port being blocked by a
> standard firewall drop or reject rule and a port that isn't being
> listened to.  But the non-firewalled port would likely be seen as more
> of a reason to give up.
>
> A firewall for a single machine is generally used either to provide
> better access control or to prevent access to services that aren't
> intended to be provided.  Both of those can be handled by static
> firewall rules that allow access to the necessary ports even when
> nothing is listening on them.
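The startup-script approach Matt describes, as an added example that is not from the thread: a POSIX sh hook the service's init script calls with "up" or "down", which fills or empties a dedicated chain through iptables-restore. It assumes the chain name APACHE_FW, TCP ports 80 and 443, and that the static base ruleset already carries "-A INPUT -j APACHE_FW" (the static rule Aaron refers to), so the dynamic part never edits INPUT itself; --noflush makes iptables-restore merge the fragment instead of replacing the whole ruleset, which is what a bare "iptables-restore < file" would do.

```shell
#!/bin/sh
# Added example, not code from the TriLUG thread.
# Assumed: chain APACHE_FW exists as a jump target from INPUT in the
# static ruleset; an empty chain simply falls through to INPUT's policy.

# Render an iptables-restore fragment for the filter table.
#   $1 = up|down   remaining args = TCP ports to accept
render_rules() {
    action=$1; shift
    printf '%s\n' '*filter'
    # With --noflush a ':CHAIN' line creates the chain if missing and
    # flushes it if present, so both "up" and "down" start from empty.
    printf '%s\n' ':APACHE_FW - [0:0]'
    if [ "$action" = up ]; then
        for p in "$@"; do
            printf '%s\n' "-A APACHE_FW -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    printf '%s\n' 'COMMIT'
}

# Apply the fragment to the running ruleset (needs root).
apply_rules() {
    render_rules "$@" | iptables-restore --noflush
}

# Init-script hook: apache-fw.sh up|down
if [ "$#" -gt 0 ]; then
    case "$1" in
        up)   apply_rules up 80 443 ;;
        down) apply_rules down ;;
        *)    echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
fi
```

Because the chain is recreated from scratch on every call, running "up" twice leaves exactly one rule per port rather than accumulating duplicates.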
