If I had a typical home user machine (google, email, youtube, no ssh/ftp, etc...) that had a dynamic iptables white-list that was dynamically updated with IP addresses that have legitimately been launched and blocked all others...would this be practical?

For example, unless I have connected to IP: x.x.x.x on Port YY, then any incoming communication with x.x.x.x is automatically blocked?

userJoe
  • Are you talking about very simple port knocking? What do you mean by "IP addresses that have legitimately been launched"? – Out of Band Mar 05 '17 at 21:00
  • Sure- if you port knock me, I want you to be blocked. Unless I contacted you previously, I don't want you talking to me. "Legit" can be defined as various things, but say launched with an associated PID from my machine. – userJoe Mar 05 '17 at 21:01
  • Well, if your server won't talk to any IP it hasn't previously connected to, how do you ever get to talk to the server as a client? Usually it's the client that initiates communication, not the server. – Out of Band Mar 05 '17 at 21:10
  • This was hypothetical so maybe calling it a server was a bad idea. What if this was a home user's machine on a small home network. Would this be a decent way to protect the box from attacks from stopping recon against it? – userJoe Mar 05 '17 at 21:14

1 Answer

Assuming that your side initiates every communication, then yes, blocking every connection to your machine from IP addresses you didn't connect to is a good idea.

But note that this is firewall basics. Most client-side firewalls don't allow any incoming connections initiated from a remote machine unless you specifically allow them. They do more than you imagine, too - they keep track of active TCP sessions and only allow packets from IPs that are in an active session with you. Once the session ends, packets from that IP will be blocked again.

If you're talking about a home network, then the firewall should run either on or right behind your internet router, e.g. the box providing you with internet access. If you don't allow any connection initiated from the outside, the devices on your home network are much better isolated from the internet.

Usually broadband internet providers give you a box which has such firewalling capabilities. They might or might not be enabled, but it's usually trivial to configure.

Out of Band
  • I am glad I was not the only one thinking that sounded a lot like a stateful firewall. I would maybe add that if you can, this is something you could also enable on each client - I agree a central firewall is the logical point to do this for a network, but personally, I would likely also have such a policy on machines on the network. I might also consider blocking some outbound traffic from clients, for example SMTP. – iwaseatenbyagrue Mar 06 '17 at 14:56
  • for sure- I'm def no firewall wiz so I have it on my todo list to look into more deep packet inspection and advanced firewalls. I wanted to see if I could write something up that would attempt to prevent attacks against my local machine. thanks guys! – userJoe Mar 06 '17 at 21:55
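The "block everything I didn't initiate" policy the answer describes, expressed as an iptables ruleset for a single client machine. This is an added example and not code from either participant; the `IPT` variable is an assumption of this script so the rules can be dry-run (with `IPT=echo`) and inspected without root or a real netfilter.

```bash
#!/bin/sh
# Added example: a minimal stateful "client-only" iptables policy for a home
# machine. No inbound connection is accepted unless this host started the
# session; replies are allowed only while conntrack still tracks that session,
# so once the session expires packets from that IP are dropped again.
# IPT is an assumption of this script, not an iptables feature: set IPT=echo
# to print the rules instead of applying them.
IPT="${IPT:-iptables}"

apply_client_only_policy() {
    # Default deny for everything arriving; this host originates all traffic.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Start from an empty INPUT chain so the rules below are the whole policy.
    "$IPT" -F INPUT

    # Local processes talking to each other over loopback.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Packets belonging to a session this host opened, or one related to it
    # (e.g. an FTP data channel). This single rule is the "dynamic whitelist":
    # conntrack adds the remote IP/port when we connect and forgets it when the
    # session closes or times out.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets that fit no known session (stray replies, bogus flag combinations)
    # are dropped explicitly rather than left to the policy.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Make unsolicited connection attempts visible (rate-limited) before the
    # INPUT policy drops them, so recon against the box shows up in the log.
    "$IPT" -A INPUT -p tcp --syn -m limit --limit 5/min \
        -j LOG --log-prefix "unsolicited-syn: "
}

# Dry-run helper: number of ACCEPT rules the policy installs. Expected: 2
# (loopback, and the conntrack ESTABLISHED,RELATED rule).
count_accepts() {
    (IPT=echo; apply_client_only_policy) | grep -c -- '-j ACCEPT'
}
```

Apply it as root on the client; IPv6 needs the same rules loaded through ip6tables, since these only cover IPv4.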