[linux-help] ipchains question
I'm setting up an ipchains firewall, and I am trying to make it somewhat
restrictive by default. Here is my question:
If I make a blanket statement like:
ipchains -A input -i $extint -s 0.0.0.0/0 -d 0.0.0.0/0 -l -p tcp -j DENY
which blocks all incoming tcp packets, I lose all tcp network
functionality. From what I understand (please correct me if otherwise),
this is simply because blocking all tcp packets from the input chain
prevents any of my tcp requests (say, ftp'ing to kernel.org) from
receiving a response.
So my question is this: Is it enough to block *only* tcp packets with the
syn bit set, and accept *all* other tcp packets? My logic behind this is
as follows: If badguy wants to connect to my box, he needs to send a tcp syn
packet to request the connection (which I'll deny). However, I am free to
make any connections to the world at large, since the only tcp packets
that I get back are without the syn bit set (i.e., responses to an already
open connection). However, if my logic is somehow wrong, or if this
would make me more susceptible to other problems, I'd like to know.
Thanks,
Ben
-- This is the linux-help@xxxxxxxxx list. To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
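The SYN-only filter the question describes, written out as an ipchains ruleset. This is an added example, not code from the original post or its replies. The interface name (EXTINT, defaulting to eth0), the SSH exception on port 22 and the "echo" dry-run default for IPCHAINS are assumptions made here for illustration; set IPCHAINS=/sbin/ipchains to load the rules for real.

```shell
#!/bin/sh
# Added example (not code from the original post): a SYN-only inbound TCP
# filter for ipchains. EXTINT and the SSH exception are assumptions for
# illustration. IPCHAINS defaults to "echo" so running this prints the
# rules instead of loading them; set IPCHAINS=/sbin/ipchains to apply them.
EXTINT="${EXTINT:-eth0}"
IPCHAINS="${IPCHAINS:-echo}"

# Build the input chain. ipchains' -y matches TCP packets with SYN set and
# ACK and FIN clear, i.e. connection requests; every other TCP packet falls
# through to the chain policy, so replies to our own connections get in.
syn_filter() {
    $IPCHAINS -F input
    $IPCHAINS -P input ACCEPT

    # Second and later fragments carry no TCP header, so -y cannot be
    # evaluated on them; deny them rather than let them slip past the filter.
    $IPCHAINS -A input -i "$EXTINT" -f -j DENY

    # Connection requests to services this host deliberately offers
    # (SSH here, as an assumed example) are allowed explicitly, before the
    # catch-all deny so rule order does the right thing.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -d 0.0.0.0/0 22 -y -j ACCEPT

    # Any other inbound connection request is logged (-l) and denied.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -y -l -j DENY
}

syn_filter
```

Two caveats worth keeping in mind with this ruleset. First, ipchains is stateless: it does not know whether a non-SYN packet belongs to a connection you opened, so ACK or FIN probes from outside still reach the TCP stack and get RSTs back, which is enough for a scanner to learn the host is up and which ports are filtered; UDP and ICMP are not touched by these rules at all. Second, the rules only cover TCP connection setup; the later iptables connection-tracking match (-m state --state ESTABLISHED,RELATED) is what replaces the "accept everything that is not a SYN" approximation with an actual check that a packet belongs to an existing flow.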
- [linux-help] ipchains question, Benjamin Bunck <=
- [linux-help] Re: ipchains question, Jeff Vian, 2002/03/22
- [linux-help] Re: ipchains question, Benjamin Bunck, 2002/03/22
- [linux-help] Re: ipchains question, Jeff Vian, 2002/03/25
- [linux-help] Re: ipchains question, Benjamin Bunck, 2002/03/25
- [linux-help] Re: ipchains question, Jeff Vian, 2002/03/26
- [linux-help] Re: ipchains question, Benjamin Bunck, 2002/03/26
- [linux-help] Re: ipchains question, Benjamin Bunck, 2002/03/27