Re: IPChains help
"Eugene van Zyl" <evz@streetcar.com> writes:
> What's wrong with the following ruleset that I can't do any DNS
> lookups from the firewallhost ?
>
> $IPCHAINS -P input ACCEPT
> $IPCHAINS -P forward ACCEPT
> $IPCHAINS -P output ACCEPT
Maybe this is just for testing purposes, but the "best practices" say
to DENY by policy and then allow the stuff you want.
> $IPCHAINS -A input -s $Any -d $localnet -j DENY
Really, with the policy you have set up above, this is the only rule
that means anything. All the others are just confirming policy.
I highly recommend _Linux Firewalls_ by Robert L. Ziegler (New Riders
press). This book has saved my keister several times. Here's his
recommendation for DNS client to server based on a DENY everything
policy.
ipchains -A output -i $external_interface -p udp -s $your_ip_address \
    $unprivileged_ports -d $nameserver_ip 53 -j ACCEPT
ipchains -A input -i $external_interface -p udp -s $nameserver_ip 53 \
    -d $your_ip_address $unprivileged_ports -j ACCEPT
--
(__) Doug Alcorn <doug@lathi.net> http://www.lathi.net AIM:lathinet
oo / PGP 02B3 1E26 BCF2 9AAF 93F1 61D7 450C B264 3E63 D543
|_/ If you're a capitalist and you have the best goods and they're
free, you don't have to proselytize, you just have to wait.
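The deny-by-policy approach from the reply, written out as a complete script. This is an added example, not the poster's or Ziegler's code: the interface name, the two TEST-NET addresses, the DRY_RUN switch and the trailing logging rule are assumptions made here so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original post): a deny-by-default ipchains
# ruleset that opens only what a UDP DNS lookup from the firewall host needs.
# Interface, addresses and the DRY_RUN switch are assumptions for this example.
EXT_IF="${EXT_IF:-eth0}"
MY_IP="${MY_IP:-192.0.2.10}"                 # constructed sample address
NAMESERVER_IP="${NAMESERVER_IP:-192.0.2.53}" # constructed sample resolver
UNPRIV_PORTS="1024:65535"                    # ephemeral client ports
IPCHAINS="${IPCHAINS:-ipchains}"
DRY_RUN="${DRY_RUN:-1}"                      # default: print, do not apply

# run_or_show: print the command when DRY_RUN=1, otherwise execute it.
run_or_show() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dns_client_ruleset: flush, set every chain to DENY, then accept only the
# query (host ephemeral port -> resolver 53) and the matching reply.
dns_client_ruleset() {
    run_or_show "$IPCHAINS" -F
    run_or_show "$IPCHAINS" -P input DENY
    run_or_show "$IPCHAINS" -P output DENY
    run_or_show "$IPCHAINS" -P forward DENY
    run_or_show "$IPCHAINS" -A output -i "$EXT_IF" -p udp \
        -s "$MY_IP" "$UNPRIV_PORTS" -d "$NAMESERVER_IP" 53 -j ACCEPT
    run_or_show "$IPCHAINS" -A input -i "$EXT_IF" -p udp \
        -s "$NAMESERVER_IP" 53 -d "$MY_IP" "$UNPRIV_PORTS" -j ACCEPT
    # Log anything else arriving on the external interface (-l), so a lookup
    # that silently fails shows up in syslog instead of just timing out.
    run_or_show "$IPCHAINS" -A input -i "$EXT_IF" -l -j DENY
}

# count_accept_rules: sanity check on the generated ruleset (dry run in a
# subshell): exactly two ACCEPT rules, one per direction, should exist.
count_accept_rules() {
    ( DRY_RUN=1; dns_client_ruleset ) | grep -c -- '-j ACCEPT'
}

# has_deny_policy: true when the given chain is set to DENY by policy.
has_deny_policy() {
    ( DRY_RUN=1; dns_client_ruleset ) | grep -q -- "-P $1 DENY"
}

dns_client_ruleset
```

Run it as-is to review the commands; set DRY_RUN=0 (as root) to actually load them. Because every chain's policy is DENY, a rule that is missing or has its ports reversed fails closed, and the final logging rule is what tells you which packet was dropped.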