[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re[2]: firewall script fighting

At 07:28 PM 4/1/01 +0200, tim@atomstrahl.de wrote:
>the server is the router itself (potato). the router=server ist
>connected to the internet via isdn and i am on dynamic IP.
>RO> If it is the router itself, you need to be more specific than "nobody can
>RO> connect to my server". As I read your ruleset, you have not opened any
>RO> destination ports in the typical range (1-1024) for standard services. For
>RO> each service you want to make accessable, you need an input-chain rule
>RO> something like this:
>RO>     ipchains -A input -i $DEV_INET -p tcp -d a.b.c.d/32 443 -j ACCEPT
>hm, i thought i did open specific services, for example:
>#----- HTTP erlauben ----->
>ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

Look at the input-chain rule first. It ACCEPTs traffic *from* port 80. If
you want to run a Web (http) server on your router (not a smart thing to do
in my opinion, but it's your LAN), you need to ACCEPT traffic *to* port 80.
Note that my example uses the -d flag, not the -s flag. Also, the "! -y"
option you use blocks initiation packets, accepting only reply packets (the
man page could explain this a bit more clearly, but it is there).

The outpur rule is irrelevent. It ACCEPTs traffic going *out* on the
external interface ($DEV_INET) to other sites (0/0).

>where $INET=, maybe this is my mistake. do i have to enter
>the real IP of the external interface? this would mean i have to reget
>my ip every time i reconnect to internet cause i am on dialup ?

This really depends on how much you want your firewall to protect you. You
can ACCEPT traffic on port 80 with any destination, and I can't immediately
see an added risk caused by that, but it does make your system more open.
But that is a different problem from the one you actually have, which is a
scrambling of the -s and -d flags.

[old stuff deleted]

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        

Reply to: