“I rebuilt my gateway server, and decided to go gung-ho when
it came to firewalling – a default deny policy for input, output
and forward chains. Needless to say, this breaks a lot of
things. Well, it breaks basically everything, until you start
putting in rules to allow packets through. Using a default deny
policy in Linux is tricky because the firewall in kernel 2.2 is not
stateful. (It is stateful in 2.4, but that is still in a test
series and several months off from release.) With a stateful
firewall you can make simple rules: “If you see an outgoing
connection, let the incoming packets associated with it through.”
If your firewall is not stateful, you will have to create many
rules to allow services to work for clients. This can be annoying
if you really want to lock your firewall down. Here’s what it comes
down to: Creating a really tight firewall in Linux is a pain.”
“But all is not lost. Several tips and tricks can aid you in
creating a tight firewall. The first trick looks at the local port
numbers that the system uses for outgoing connections. All TCP
connections have a source port and address, and a destination port
and address. If you want to control which ports connections are
allowed to go out on – and thus the incoming packets you will need
to allow in – you must know the port range. Otherwise, to let
connections out and the reply data back in, you’ll need to allow
all the ports in, 65,535 of them.”
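A worked version of the approach the letter describes, added here as an example and not taken from the letter or from any distribution's firewall script: a default-deny ipchains rule set for a kernel 2.2 gateway that reads the local port range the kernel hands out for outgoing connections (/proc/sys/net/ipv4/ip_local_port_range) and lets replies back in only to that range. The interface name eth0, the fallback range 1024-4999 and the IPCHAINS dry-run variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: stateless ipchains rule set for a kernel 2.2 gateway with
# default-deny policies on input, output and forward.  Not from the letter.
# IPCHAINS defaults to "echo ipchains" so the script only prints the rules;
# run it as IPCHAINS=/sbin/ipchains ./fw.sh to apply them for real.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Port range the kernel picks local (source) ports from for outgoing
# connections.  Prints "low high"; the fallback is the assumed 2.2 default.
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "1024 4999"
    fi
}

# build_rules LOW HIGH IFACE: emit the rules for ephemeral ports LOW..HIGH on
# external interface IFACE.  "0/0" is ipchains shorthand for any address; a
# port or port range follows the address in -s / -d.
build_rules() {
    low=$1; high=$2; ext=$3

    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY

    # Local processes talk to each other over loopback; leave that alone.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT

    # Outgoing TCP: a client picks its source port from the ephemeral range,
    # so only that range needs to be let out, to any destination port.
    $IPCHAINS -A output -i "$ext" -p tcp -s 0/0 "$low:$high" -d 0/0 -j ACCEPT

    # Replies come back to the same ephemeral range.  "! -y" matches TCP
    # packets that are NOT a bare SYN, so a remote host cannot open a new
    # connection to a port in that range, while the data/ACK/FIN segments of
    # connections we opened get through.  This is the stateless stand-in
    # for "if I saw it go out, let the reply in".
    $IPCHAINS -A input -i "$ext" -p tcp ! -y -s 0/0 -d 0/0 "$low:$high" -j ACCEPT

    # UDP has no SYN flag; DNS lookups are allowed by port pair only.
    $IPCHAINS -A output -i "$ext" -p udp -s 0/0 "$low:$high" -d 0/0 53 -j ACCEPT
    $IPCHAINS -A input -i "$ext" -p udp -s 0/0 53 -d 0/0 "$low:$high" -j ACCEPT

    # Log (-l) whatever still falls through to the default policy so the
    # remaining breakage shows up in the kernel log instead of being a mystery.
    $IPCHAINS -A input -i "$ext" -l -j DENY
    $IPCHAINS -A output -i "$ext" -l -j DENY
}

# Example run: use the range the running kernel actually allocates from.
build_rules $(local_port_range) eth0
```

Two practitioner caveats. First, the range in the rules must match what the kernel uses, which is why the script reads it from /proc rather than hard-coding it; writing a narrower pair such as "1024 4999" to that file shrinks the window the rules have to open. Second, "! -y" is still stateless: any packet without the SYN flag addressed to the ephemeral range is accepted whether or not a connection exists, so it blocks unsolicited connection attempts but not, for instance, ACK-flag probes of those ports. That is the gap a stateful filter closes.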