
Re: IPChains help



"Eugene van Zyl" <evz@streetcar.com> writes:

> What's wrong with the following ruleset that I can't do any DNS
> lookups from the firewallhost ?
> 
> $IPCHAINS -P input ACCEPT
> $IPCHAINS -P forward ACCEPT
> $IPCHAINS -P output ACCEPT

Maybe this is just for testing purposes, but the "best practices" say
to DENY by policy and then allow the stuff you want.

> $IPCHAINS -A input -s $Any -d $localnet -j DENY

Really, with the policy you have set up above, this is the only rule
that means anything.  All the others are just confirming policy.

I highly recommend _Linux Firewalls_ by Robert L. Ziegler (New Riders
Press).  This book has saved my kiester several times.  Here's his
recommendation for DNS client to server based on a DENY everything
policy.

ipchains -A output -i $external_interface -p udp -s $your_ip_address \
    $unprivileged_ports -d $nameserver_ip 53 -j ACCEPT

ipchains -A input -i $external_interface -p udp -s $nameserver_ip 53 \
    -d $your_ip_address $unprivileged_ports -j ACCEPT
-- 
(__) Doug Alcorn <doug@lathi.net> http://www.lathi.net AIM:lathinet
oo / PGP 02B3 1E26 BCF2 9AAF 93F1  61D7 450C B264 3E63 D543
|_/  If you're a capitalist and you have the best goods and they're
     free, you don't have to proselytize, you just have to wait.
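As an added example (not from the post or the book), here is a small script that puts the reply's advice together: flush the chains, set a DENY policy on input, forward and output, then add only the UDP/53 pair for each nameserver. The interface name, addresses and the 1024:65535 unprivileged port range are constructed values; the rules are generated as text so they can be reviewed before loading.

```shell
#!/bin/sh
# Deny-by-default ipchains ruleset that still allows DNS lookups from the
# firewall host itself (constructed example, ipchains syntax as in the post).
# Set IPCHAINS=echo to print the rules instead of loading them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# Rules for one nameserver. Args: external interface, this host's IP,
# nameserver IP. Output is one rule per line; nothing is executed here.
dns_client_rules() {
    iface=$1; my_ip=$2; ns_ip=$3
    # Query: our unprivileged source port -> nameserver UDP/53
    printf '%s\n' "-A output -i $iface -p udp -s $my_ip 1024:65535 -d $ns_ip 53 -j ACCEPT"
    # Reply: nameserver UDP/53 -> our unprivileged port
    printf '%s\n' "-A input -i $iface -p udp -s $ns_ip 53 -d $my_ip 1024:65535 -j ACCEPT"
}

# Full ruleset: flush each chain, set its policy to DENY, then add the
# DNS allowances for every nameserver given after the first two args.
build_ruleset() {
    iface=$1; my_ip=$2; shift 2
    for chain in input forward output; do
        printf '%s\n' "-F $chain"
        printf '%s\n' "-P $chain DENY"
    done
    for ns in "$@"; do
        dns_client_rules "$iface" "$my_ip" "$ns"
    done
}

# Feed the generated rules to ipchains (or to echo for a dry run).
load_ruleset() {
    build_ruleset "$@" | while IFS= read -r rule; do
        # word splitting of $rule into arguments is intended
        $IPCHAINS $rule
    done
}

# Dry run with constructed addresses: prints the eight rules.
build_ruleset eth0 192.0.2.10 192.0.2.53
```

As in the book's rules, only UDP is covered; a resolver falling back to TCP/53 for large answers would need an equivalent TCP pair.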