Tight firewall settings? (I50external.rul)
Hi,
I've just set up my firewall settings. I think they're already pretty
tight, but I'd like to make them as tight as possible without breaking
things.
There is one line in I50external.rul that I don't fully understand. If I
remove that line I can't get into the internet anymore. This is the
config file; the questionable line is the last one:
# Allow only some packets from external hosts to ports 0..1023
$IPCHAINS -A input -j ACCEPT -i $i -p TCP -d $IPOFIF/32 ftp
$IPCHAINS -A input -j ACCEPT -i $i -p TCP -d $IPOFIF/32 ftp-data
$IPCHAINS -A input -j ACCEPT -i $i -p TCP -d $IPOFIF/32 ssh
$IPCHAINS -A input -j ACCEPT -i $i -p UDP -d $IPOFIF/32 ssh
$IPCHAINS -A input -j ACCEPT -i $i -p TCP -d $IPOFIF/32 smtp
$IPCHAINS -A input -j ACCEPT -i $i -p TCP -d $IPOFIF/32 www
$IPCHAINS -A input -j ACCEPT -i $i -p UDP -d $IPOFIF/32 www
$IPCHAINS -A input -j ACCEPT -i $i -p UDP \
-s safe.host.de -d $IPOFIF/32 snmp -l
$IPCHAINS -A input -j ACCEPT -i $i -p UDP \
-s safe.host.de -d $IPOFIF/32 snmp-trap -l
$IPCHAINS -A input -j ACCEPT -i $i -p UDP \
-s safe.host.de -d $IPOFIF/32 syslog
# Deny packets to ports 0..1023 that haven't been explicitly
# allowed in previous rules
$IPCHAINS -A input -j DENY -i $i -p TCP -d $IPOFIF/32 0:1023
$IPCHAINS -A input -j DENY -i $i -p UDP -d $IPOFIF/32 0:1023
# Allow all remaining packets from external hosts to firewall host
# that haven't been matched by a previous rule
#
$IPCHAINS -A input -j ACCEPT -i $i -d $IPOFIF/32
My default policy is to "DENY" everything.
Why do I need the last line?
Thanks,
Ralf
--
Sign the EU petition against SPAM: http://www.politik-digital.de/spam/
L I N U X - The Choice of a GNU Generation
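As an added example that is not part of Ralf's post: a Python first-match simulation of the quoted input chain, with constructed addresses standing in for $IPOFIF, safe.host.de and an arbitrary remote host, showing which constructed packets fall through to the last line.

```python
# Added example, not from the original post: first-match simulation of the
# quoted ipchains "input" chain. ipchains walks a chain top to bottom, the
# first matching rule decides, and an unmatched packet gets the default
# policy (DENY in the post). All addresses below are constructed.
IPOFIF = "192.0.2.10"        # constructed address of the external interface
SAFE_HOST = "198.51.100.5"   # constructed stand-in for safe.host.de
REMOTE = "203.0.113.7"       # constructed arbitrary external host

# (proto, required source, destination port range, target); None = any.
# Port numbers are the standard /etc/services values for the names used.
RULES = [
    ("TCP", None, (21, 21), "ACCEPT"),         # ftp
    ("TCP", None, (20, 20), "ACCEPT"),         # ftp-data
    ("TCP", None, (22, 22), "ACCEPT"),         # ssh
    ("UDP", None, (22, 22), "ACCEPT"),
    ("TCP", None, (25, 25), "ACCEPT"),         # smtp
    ("TCP", None, (80, 80), "ACCEPT"),         # www
    ("UDP", None, (80, 80), "ACCEPT"),
    ("UDP", SAFE_HOST, (161, 161), "ACCEPT"),  # snmp, only from safe.host.de
    ("UDP", SAFE_HOST, (162, 162), "ACCEPT"),  # snmp-trap
    ("UDP", SAFE_HOST, (514, 514), "ACCEPT"),  # syslog
    ("TCP", None, (0, 1023), "DENY"),          # any other privileged port
    ("UDP", None, (0, 1023), "DENY"),
    (None, None, (0, 65535), "ACCEPT"),        # the questioned last line
]
DEFAULT_POLICY = "DENY"

def verdict(proto, src, dport, rules=RULES):
    """Return the chain's decision for one packet addressed to IPOFIF."""
    for r_proto, r_src, (lo, hi), target in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_src is not None and r_src != src:
            continue
        if not lo <= dport <= hi:
            continue
        return target
    return DEFAULT_POLICY

# Constructed replies to connections the firewall host itself opened: the
# remote server answers from its well-known port to the unprivileged port
# the local client chose, so the destination port is above 1023.
REPLIES = {
    "http reply": ("TCP", REMOTE, 34567),
    "dns reply":  ("UDP", REMOTE, 1028),
}

def reply_verdicts(rules=RULES):
    """Decision for each constructed reply packet under the given rules."""
    return {name: verdict(*pkt, rules=rules) for name, pkt in REPLIES.items()}
```

Calling reply_verdicts() with the full list and again with RULES[:-1] shows the replies accepted only when the last line is present; with it removed they reach the default policy.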