Re: Ports to block?

To: Cherubini Enrico <kevin@bestkevin.com>, debian-security@lists.debian.org
Subject: Re: Ports to block?
From: "Eric N. Valor" <eric.valor@lutris.com>
Date: Thu, 05 Apr 2001 15:30:28 -0700
Message-id: <4.3.2.7.2.20010405152512.038ed750@10.10.40.54>
In-reply-to: <20010406000933.B2217@bestkevin.com>
References: <3ACCD7D6.8080209@netlink.demon.co.uk> <Pine.LNX.4.21.0104051250560.29975-100000@xenophobe.freaks.com> <3ACCD7D6.8080209@netlink.demon.co.uk>


It's better to do it this way:

ipchains -P input DENY

ipchains -A input -s (source add./port) -d (dest. add./port) -j ACCEPT

. . . (acceptance rules)

ipchains -A input -j DENY -l (logs all stuff not ACCEPTed above).

I also put other DENY statements on top of the last logging DENY for thingsI don't care to log. The syslog will fill up rapidly with insignificantcrap if you don't (I had my colo fill /var with sputter from amisconfigured router once).

The reason you start out with a DENY is so that there is no chance of apacket coming through before all of the chains are parsed. Also a goodidea is to build the chains before bringing up the interface(s).


Haphazard security is marginally second to no security at all.

At 12:09 AM 4/6/2001 +0200, Cherubini Enrico wrote:

Ciao,
 Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:

> It is most secure to block everything and only open the ports that are
> absolutely necessary.
ok, this is clear. What's the way you ppl do that throught ipchains/iptables
? Is it better to use the ACCEPT policy and then DENY all or use the DENY
policy and ACCEPT only ports needed ? I use the first 'cause so I can log
all packet that are denied...

# Start
ipchains -P input ACCEPT
....
ipchains -A input -j DENY -l
# End

--


Bye
                            +--------+ Maybe you are searching for freedom
                            | Enrico |    Maybe you can't find it anywhere
                            +--------+          I found it in linux.......

``I think he has a Napoleonic concept of himself and his company, anarrogance

    that derives from power and unalloyed success, with no leavening hard
 experience, no reverses,'' Judge Thomas Penfield Jackson says of Bill Gates.


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
eric.valor@lutris.com

- This Space Intentionally Left Blank -

Reply to:

References:
- Re: Ports to block?
  - From: Steve Ball <steve@netlink.demon.co.uk>
- Ports to block?
  - From: Brandon High <armitage@freaks.com>
- Re: Ports to block?
  - From: Cherubini Enrico <kevin@bestkevin.com>

Prev by Date: Re: Ports to block?
Next by Date: Re: Ports to block?
Previous by thread: Re: Ports to block?
Next by thread: Re: Ports to block?
Index(es):
- Date
- Thread