On several server systems, I encountered two dominant styles of iptables firewall configurations:

The first one is blocking every INPUT except the ports of provided services like HTTP.

The second one is blocking every INPUT except packets for connections in NEW state for several services, with elaborate settings and all packets for connections in ESTABLISHED state. It is also blocking all OUTPUT packets except those of connections in
What kind of security does the latter provide that the first simple solution does not manage?
Of course it may be useful to block users using outgoing ports for their reason, but if I do not need to protect the server from its own users, but only from outside threats, are both methods identical, or will the second still provide benefits?
The first type of firewall you have described is stateless. It is simplistic and does not keep track of connections; it just checks the given rules as fast as it can. This is not generally recommended anymore except in circumstances where firewall performance is a significant bottleneck, as it allows significantly more traffic than is obvious from first glance. Particularly, traffic which isn’t associated with a legitimate connection can pass through such a firewall.
The second type of firewall is stateful. It is capable of tracking connection states, determining whether a particular packet is associated with a known-good connection, and accepting or rejecting it. It is much better at catching invalid traffic than a stateless firewall. Without some overriding concern, all firewalls should be stateful for maximum possible security.
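As an added illustration of the two styles (not part of the question or the answer above), here are both rule sets written as shell functions that emit the iptables commands; the service ports 22/80/443, the `! --syn` shortcut in the stateless set, and the outbound DNS/NTP allowances are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. By default the rules are only
# printed (dry run); set APPLY=1 to run them with the real iptables binary
# (root required). Ports and outbound allowances are assumed values.
set -eu

if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# Style 1: stateless. Each packet is judged on its own by port only. To let
# replies to the server's own outbound connections back in, such setups
# typically accept every non-SYN TCP packet, which is exactly the traffic
# "not associated with a legitimate connection" the answer warns about.
stateless_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -p tcp ! --syn -j ACCEPT   # assumed stateless workaround
}

# Style 2: stateful. conntrack decides whether a packet belongs to a known
# connection: only the first packet (NEW) of a service connection needs a
# port match, everything else must be ESTABLISHED or RELATED, and packets
# conntrack cannot place (INVALID) are dropped. OUTPUT is limited to replies
# plus a few new flows the server itself is allowed to open.
stateful_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # assumed: the server may open new DNS and NTP connections itself
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
}
```

Run `stateless_ruleset` or `stateful_ruleset` to print the commands; the stateful set is the one where every accept decision after the first packet is made by conntrack rather than by port.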
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.