Re: blocking ports
> I want to block certain services for the outside world (like lpd etc) but NOT for the inside network
> I thought I could block it with ipchains -A input -p tcp -d xxx.xxx.xxx.xxx 515 -j DENY
> But if I telnet from a outside host to that port I can still connect
This is odd. You shouldn't be. Are you trying to just protect a single
host or a complete subnet ? If it is the latter, be aware that you
need to specify the netmask along with the network.
i.e: 'ipchains -d 220.127.116.11/255.255.255.0 515 -p tcp -j DENY'
to block all traffic to lpd daemons on the network. (btw... you can also
use 24 instead of 255.255.255.0).
Be also aware of the -i switch of ipchains which allows you to specify
which interface the rule is applied on. This will make it easier for
you to change incoming traffic from the outside world.
> Well I think thats because the INPUT policy is ACCEPT (I think change that to DENY is rather not a good idea)
I'd also like to suggest that you reconsider changing your default
policy to DENY to strengthen your network security. Fail-open approaches
> Is there another solutions for this ?
Hope I was of any help
PGP key fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724