
Re: blocking ports



> [...]
> I want to block certain services for the outside world (like lpd etc.) but NOT for the inside network.
> I thought I could block it with ipchains -A input -p tcp -d xxx.xxx.xxx.xxx 515 -j DENY
> But if I telnet from an outside host to that port I can still connect.

This is odd. You shouldn't be. Are you trying to just protect a single
host or a complete subnet? If it is the latter, be aware that you
need to specify the netmask along with the network,
i.e.: 'ipchains -d 1.2.3.0/255.255.255.0 515 -p tcp -j DENY'
to block all traffic to lpd daemons on the network. (Btw, you can also
use 24 instead of 255.255.255.0.)
Also be aware of the -i switch of ipchains, which allows you to specify
which interface the rule is applied on. This will make it easier for
you to change incoming traffic from the outside world.

> Well, I think that's because the INPUT policy is ACCEPT (I think changing that to DENY is rather not a good idea).

I'd also like to suggest that you reconsider changing your default
policy to DENY to strengthen your network security. Fail-open approaches
are *bad*.

> Are there other solutions for this?
 
Hope I was of some help.

Cheers,
-Ralf

--
PGP key fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724
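The two suggestions in the reply above (match on the interface with -i, and switch the input chain to a DENY default policy) put together as one ipchains ruleset. This is an added example, not code posted in the thread: the interface names eth0/eth1, the inside network 192.168.1.0/24 and the resolver address are assumptions, and by default the script only prints the ipchains commands so it can be checked before being loaded on a real 2.2 kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipchains input ruleset that
# hides lpd (515/tcp) and every other local service from the outside interface
# while leaving the inside network untouched, with a fail-closed default policy.
# Interface names, LAN prefix and resolver address are assumptions; adjust them.

EXT_IF="${EXT_IF:-eth0}"         # assumed: interface facing the outside world
INT_IF="${INT_IF:-eth1}"         # assumed: interface facing the inside network
LAN="${LAN:-192.168.1.0/24}"     # assumed: inside network, mask as prefix length
DNS="${DNS:-192.0.2.53}"         # assumed: the one resolver this host queries

# Default is a dry run that only prints each command; run as root with
# IPCHAINS=/sbin/ipchains to actually load the rules.
IPCHAINS="${IPCHAINS:-echo ipchains}"

ipc() { $IPCHAINS "$@"; }

firewall_rules() {
    ipc -F input                 # start from an empty input chain
    ipc -P input DENY            # fail closed: anything not allowed below is dropped

    ipc -A input -i lo -j ACCEPT
    # the inside network may reach everything on this host, lpd included
    ipc -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    # anti-spoofing: inside addresses never legitimately arrive on the outside interface
    ipc -A input -i "$EXT_IF" -s "$LAN" -j DENY -l

    # replies to connections this host opened: TCP segments that are not a bare SYN
    # (ipchains has no connection tracking, so the SYN flag is the only handle)
    ipc -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # DNS answers, restricted to the configured resolver; accepting source port 53
    # from anywhere would let any outside host reach every UDP port on this box
    ipc -A input -i "$EXT_IF" -p udp -s "$DNS" 53 -j ACCEPT
    # ICMP is needed for path-MTU discovery and error reporting
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # lpd from outside: already dropped by the policy, but an explicit logged DENY
    # makes probes visible in the kernel log and is easy to spot in 'ipchains -L'
    ipc -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 515 -j DENY -l

    # services that really are meant to be public are listed explicitly, e.g. SSH
    ipc -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 22 -j ACCEPT
}

# Number of -A rules the ruleset installs; a quick sanity check for the dry run
rule_count() { firewall_rules | grep -c -- ' -A input '; }

firewall_rules
```

Run it once without IPCHAINS set to read the commands it would issue, then with IPCHAINS=/sbin/ipchains to apply them. Because the policy is DENY, every service the outside is allowed to reach has to appear as an explicit ACCEPT; forgetting one shows up as a refused connection rather than as an exposed daemon, which is the point of failing closed.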