[linux-help] Re: ipchains question
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: ipchains question
From: Benjamin Bunck <bbunck@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 22 Mar 2002 21:48:23 -0600 (CST)
Reply-to: linux-help@xxxxxxxxx

On Fri, 22 Mar 2002, Jeff Vian wrote:

> 
> Benjamin Bunck wrote:
> > 
> > I'm setting up an ipchains firewall, and I am trying to make it somewhat
> > restrictive by default.  Here is my question:
> > 
> > If I make a blanket statement like:
> > 
> > ipchains -A input -i $extint -s 0.0.0.0/0 -d 0.0.0.0/0 -l -p tcp -j DENY
> > 
> 
> this blocks all tcp incoming from anywhere to anywhere.
> 
> Instead, set a default policy to deny on the input chain and add an
> explicit rule allowing you to connect to anywhere. and maybe a few to
> allow specified hosts to connect to your box from the outside.
> 
>   ipchains -P input DENY
>   ipchains -A input -s trusted.host -d your.ip.address -j ALLOW
>   ipchains -A output -s 192.168.1.1/24 -j ALLOW 
> 

I like this idea, except don't I still have to be able to accept packets 
on the input chain for all of the web/ftp servers I connect to?  If so, I 
don't know if it would be efficient for me to add them to my script on a 
per-host basis.

Thanks again, 

Ben

> 
> > which blocks all incoming tcp packets, I lose all tcp network
> > functionality.  From what I understand (please correct me if otherwise),
> > this is simply because blocking all tcp packets from the input chain
> > prevents any of my tcp requests (say, ftp'ing to kernel.org) from
> > receiving a response.
> > 
> > So my question is this:  Is it enough to block *only* tcp packets with the
> > syn bit set, and accept *all* other tcp packets?  My logic behind this is
> > as follows:  If badguy wants to connect to my box, he needs to send a tcp syn
> > packet to request the connection (which I'll deny).  However, I am free to
> > make any connections to the world at large, since the only tcp packets
> > that I get back are without the syn bit set (ie, responses to an already
> > open connection).  However, if my logic is somehow wrong, or if this
> > would make me more susceptible to other problems, I'd like to know.
> > 
> > Thanks,
> > 
> > Ben
> > 
> > -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> 

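A model of the SYN-only input chain Ben asks about, added here as an example and not code posted by anyone in the thread; the rule set, the interface name eth0 and the addresses are assumptions constructed for it. Walking the constructed packets through it shows where the idea holds (a SYN+ACK reply to Ben's own FTP control connection is accepted) and where it does not: an active-mode FTP data connection arrives as an inbound SYN from port 20 and is denied, UDP replies such as DNS fall to the DENY policy, and any TCP segment that is not a bare SYN is accepted whether or not a connection exists, because ipchains keeps no connection state.

```python
# Rule set modelled (hypothetical, written for this example):
#   ipchains -P input DENY
#   ipchains -A input -i $extint -p tcp -y -l -j DENY   # connection requests, logged
#   ipchains -A input -i $extint -p tcp ! -y -j ACCEPT  # every other TCP segment
# ipchains -y matches SYN set with ACK and FIN clear; ipchains keeps no
# connection state, so the ACCEPT rule is a pure flag test.
from dataclasses import dataclass
from typing import Optional

SYN, ACK, FIN = 0x02, 0x10, 0x01


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str  # "host:port" for tcp
    dst: str
    flags: int = 0


def is_syn(pkt: Packet) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a connection request)."""
    return pkt.proto == "tcp" and bool(pkt.flags & SYN) and not pkt.flags & (ACK | FIN)


def input_chain(pkt: Packet, extint: str = "eth0", log: Optional[list] = None) -> str:
    """Evaluate the rules in order; the chain policy DENY applies if none match."""
    if pkt.iface == extint and pkt.proto == "tcp":
        if is_syn(pkt):
            if log is not None:
                log.append(f"DENY syn {pkt.src} -> {pkt.dst}")  # what -l would log
            return "DENY"
        return "ACCEPT"  # ! -y: any other TCP segment passes, connection or not
    return "DENY"  # policy: UDP, ICMP and other interfaces fall through to it


ME, MIRROR = "192.0.2.10", "198.51.100.5"  # constructed addresses, not real hosts
SAMPLES = {  # constructed packets arriving on the external interface
    "ftp reply": Packet("eth0", "tcp", f"{MIRROR}:21", f"{ME}:40001", SYN | ACK),  # reply to our control connection
    "inbound connect": Packet("eth0", "tcp", f"{MIRROR}:5555", f"{ME}:22", SYN),   # someone opening ssh to us
    "ftp active data": Packet("eth0", "tcp", f"{MIRROR}:20", f"{ME}:40002", SYN),  # active FTP: server connects back
    "stray ack": Packet("eth0", "tcp", f"{MIRROR}:5555", f"{ME}:22", ACK),         # belongs to no connection
    "dns reply": Packet("eth0", "udp", f"{MIRROR}:53", f"{ME}:40003"),             # UDP never matches the tcp rules
}


def run(samples=SAMPLES):
    """Return the verdict per sample and the lines the -l rule would log."""
    log: list = []
    return {name: input_chain(p, log=log) for name, p in samples.items()}, log
```

Calling `run()` gives ACCEPT for "ftp reply" and "stray ack" and DENY for the other three, with two logged SYN denials; passive-mode FTP and an explicit UDP rule for DNS replies would be needed alongside this chain.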

