
Re: firewall conceptual question



On Sunday 22 July 2001 20:33, Matthew Garman wrote:
> In most documents I've read about building a firewall, most say the
> general procedure is to deny any kind of traffic to your machine,
> then explicitly allow only what is needed.
>
> So, with iptables, this translates to flushing all the chains,
> setting all default policies to DROP, then adding a few ACCEPT
> conditions.
>
> This makes sense to me, but in a lot of example firewalls I've seen
> floating around the 'net, they have explicit DROP rules (in addition
> to setting the default policy to DROP).  This seems redundant to
> me---if you DROP everything by default, why would you need to
> explicitly set even more DROP rules?

Matt,
what if you make a custom chain and, for example, say
accept all incoming packets with proto TCP and 
let them go there, and in the custom chain accept anything like 
ftp, http, ssh and so on, but don't allow ssh from one specific host/ip:

EXT_DEV="eth0"             # external interface (assumed name; adjust to your setup)
IPT="/sbin/iptables"
$IPT -N input_tcp          # the custom chain must exist before rules are appended to it
# First match wins: the explicit DROP for the one host must come before the broad ACCEPT
$IPT -A input_tcp -p tcp -s xxx.xxx.xxx.xxx/32 --dport 22 -j DROP
$IPT -A input_tcp -p tcp -s 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -i $EXT_DEV -j input_tcp

/Regards Jörgen
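The point of the reply above is rule ordering: with first-match evaluation, an explicit DROP placed ahead of a broad ACCEPT is the only way to carve one host out of an otherwise permitted service, and the default DROP policy only applies once no rule in the chain (or a user chain it jumped to) has matched. The following is an added example, not part of the original mail and not iptables itself: a small constructed simulator of netfilter's first-match semantics (built-in chain policy, user chains, and implicit RETURN at the end of a user chain), with the `input_tcp` layout from the reply and a constructed denied-host address. It shows the verdict change depending on where the explicit DROP sits.

```python
# Constructed simulator of netfilter first-match chain evaluation (assumption: a
# simplified model; real iptables has more match types and targets). Not the
# project's or the mail author's code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                     # "ACCEPT", "DROP", or the name of a user chain
    proto: Optional[str] = None     # e.g. "tcp"; None matches any protocol
    src: Optional[str] = None       # CIDR source, e.g. "203.0.113.7/32"; None matches any
    dport: Optional[int] = None     # destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


@dataclass
class Ruleset:
    policy: Dict[str, str] = field(default_factory=dict)        # built-in chain -> policy
    chains: Dict[str, List[Rule]] = field(default_factory=dict)  # chain name -> rules

    def new_chain(self, name: str) -> None:      # like `iptables -N name`
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # like `iptables -A chain ...`
        self.chains.setdefault(chain, []).append(rule)

    def verdict(self, chain: str, pkt: dict) -> Optional[str]:
        """First matching rule wins. A user chain that reaches its end without a
        verdict RETURNs (None) to the caller; a built-in chain falls back to policy."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            sub = self.verdict(rule.target, pkt)   # jump into a user chain
            if sub is not None:
                return sub
        return self.policy.get(chain)              # None for user chains (RETURN)


def build(denied_host: str, drop_position: Optional[str]) -> Ruleset:
    """Recreate the reply's layout. drop_position: "before" (as in the mail),
    "after" (mis-ordered), or None (no explicit DROP at all)."""
    rs = Ruleset(policy={"INPUT": "DROP"})      # default policy DROP
    rs.new_chain("input_tcp")
    host_drop = Rule("DROP", "tcp", f"{denied_host}/32", 22)
    if drop_position == "before":
        rs.append("input_tcp", host_drop)
    rs.append("input_tcp", Rule("ACCEPT", "tcp", "0.0.0.0/0", 22))
    if drop_position == "after":
        rs.append("input_tcp", host_drop)
    rs.append("INPUT", Rule("input_tcp", "tcp"))   # -A INPUT -p tcp -j input_tcp
    return rs


def ssh_verdict(denied_host: str, src: str, drop_position: Optional[str]) -> Optional[str]:
    pkt = {"proto": "tcp", "src": src, "dport": 22}
    return build(denied_host, drop_position).verdict("INPUT", pkt)


if __name__ == "__main__":
    DENIED = "203.0.113.7"   # constructed sample address
    for pos in ("before", "after", None):
        print(pos, ssh_verdict(DENIED, DENIED, pos), ssh_verdict(DENIED, "198.51.100.9", pos))
    # Traffic no rule matches falls through to the INPUT policy:
    print(build(DENIED, "before").verdict("INPUT", {"proto": "udp", "src": DENIED, "dport": 22}))
```

Only the "before" layout drops SSH from the denied host; placing the DROP after the ACCEPT, or relying on the policy alone, lets it through, while traffic that matches nothing (here a TCP port 80 or a UDP packet) is still dropped by the policy.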


