[linux-help] Re: ipchains question
Benjamin Bunck wrote:
>
> On Fri, 22 Mar 2002, Jeff Vian wrote:
>
> >
> > Benjamin Bunck wrote:
> > >
> > > I'm setting up an ipchains firewall, and I am trying to make it somewhat
> > > restrictive by default. Here is my question:
> > >
> > > If I make a blanket statement like:
> > >
> > > ipchains -A input -i $extint -s 0.0.0.0/0 -d 0.0.0.0/0 -l -p tcp -j DENY
> > >
> >
> > this blocks all tcp incoming from anywhere to anywhere.
> >
> > Instead, set a default policy to deny on the input chain and add an
> > explicit rule allowing you to connect to anywhere, and maybe a few to
> > allow specified hosts to connect to your box from the outside.
> >
> > ipchains -P input DENY
> > ipchains -A input -s trusted.host -d your.ip.address -j ACCEPT
> > ipchains -A output -s 192.168.1.1/24 -j ACCEPT
> >
>
> I like this idea, except don't I still have to be able to accept packets
> on the input chain for all of the web/ftp servers I connect to? If so, I
> don't know if it would be efficient for me to add them to my script on a
> per-host basis.
>
> Thanks again,
>
> Ben
>
> >
> > > which blocks all incoming tcp packets, I lose all tcp network
> > > functionality. From what I understand (please correct me if otherwise),
> > > this is simply because blocking all tcp packets from the input chain
> > > prevents any of my tcp requests (say, ftp'ing to kernel.org) from
> > > receiving a response.
> > >
> > > So my question is this: Is it enough to block *only* tcp packets with the
> > > syn bit set, and accept *all* other tcp packets? My logic behind this is
> > > as follows: If badguy wants to connect to my box, he needs to send a tcp
> > > syn packet to request the connection (which I'll deny). However, I am free to
> > > make any connections to the world at large, since the only tcp packets
> > > that I get back are without the syn bit set (i.e., responses to an already
> > > open connection). However, if my logic is somehow wrong, or if this
> > > would make me more susceptible to other problems, I'd like to know.
> > >
> > > Thanks,
NO.
The link originates from you, thus it is an output connection and the
input rule does not apply.
The input rule applies to any connection that originates outside your
system.
> > >
> > > Ben
> > >
-- This is the linux-help@xxxxxxxxx list. To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
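As an added example (not code from Ben's or Jeff's messages), here is the "deny inbound SYN, accept the rest" scheme Ben describes written as an ipchains script on top of the deny-by-default input policy Jeff suggests. The interface name eth0 is a placeholder, and the IPCHAINS variable defaults to a dry run that prints the commands instead of executing them; set IPCHAINS=ipchains and run as root to apply it.

```shell
#!/bin/sh
# Added example, not from the list thread: an ipchains ruleset for the
# scheme discussed above. Default policy DENY on the input chain; on the
# external interface accept only TCP packets that are NOT connection
# requests (ipchains' "! -y": SYN set with ACK and FIN clear is absent),
# so replies to connections this host opened get through, while inbound
# connection attempts are logged and denied.
# Assumptions: EXTINT is a placeholder interface name; IPCHAINS defaults
# to a dry run that prints the commands rather than executing them.

EXTINT="${EXTINT:-eth0}"               # assumed external interface
IPCHAINS="${IPCHAINS:-echo ipchains}"  # IPCHAINS=ipchains (as root) to apply

build_rules() {
    # Start from an empty input chain with a deny-by-default policy.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Local processes talking to each other over loopback must keep working.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Replies to connections we initiated: TCP packets that are not a bare SYN.
    $IPCHAINS -A input -i "$EXTINT" -p tcp ! -y -j ACCEPT

    # Inbound connection requests: log (-l) and deny explicitly, so the
    # attempts show up in the kernel log instead of vanishing silently
    # into the default policy.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -y -l -j DENY

    # Everything else (UDP, ICMP) falls through to the DENY policy; DNS
    # replies, for example, need their own rule before this scheme is usable.
}

build_rules
```

The caveat a practitioner should keep in mind is that ipchains is stateless: the `! -y` rule accepts any TCP packet from outside that is not a bare SYN, whether or not a matching connection exists, so it does nothing against probes built from ACK, FIN or flag-less packets and only stops the normal three-way handshake. The stateful successor is iptables' connection tracking (`-m state --state ESTABLISHED,RELATED`), which accepts replies only for connections the kernel actually saw opened.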