Re: secured server policies
On 2008-10-31 daniel wrote:
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
You need TCP for fully functional DNS as well.
You should also allow some ICMP types.
[...]
> iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED,RELATED -j ACCEPT
What reasons are there to have --sport in the ESTABLISHED,RELATED rule?
Making rules too specific will adversely affect maintenance.
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
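The ruleset Ansgar's three remarks point at, written out as an added example for this thread (it is neither daniel's quoted script nor anything Ansgar posted): DNS over both UDP and TCP, a handful of ICMP types, and a single state rule per chain in place of per-service --sport rules. Assumptions beyond what the thread states: one host with a default-deny policy, SSH and HTTP as the only offered services, the INVALID drop, and the IPT variable (set IPT=echo to print the commands instead of applying them).

```shell
#!/bin/sh
# Example stateful ruleset written for this thread; not the original poster's script.
# Assumed setup: single host, SSH and HTTP offered, outbound DNS only.
# IPT defaults to iptables; set IPT=echo for a dry run that only prints the rules.

apply_rules() {
    ipt="${IPT:-iptables}"

    # Clean slate, default deny in every direction (assumption: not discussed in the thread).
    $ipt -F
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback is always allowed.
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # One generic state rule per chain accepts every reply packet of a
    # connection that was allowed when NEW, so no service needs its own
    # --sport rule and new services only ever touch the NEW rules below.
    $ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no tracked connection (stray ACKs etc.).
    $ipt -A INPUT -m state --state INVALID -j DROP

    # Services offered by this host (same two ports as in the quoted rules).
    $ipt -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

    # Outbound DNS: UDP for ordinary queries, TCP for answers that do not
    # fit in a UDP datagram (truncated responses) and for zone transfers.
    $ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # ICMP types a host needs to behave: echo (ping both ways), destination
    # unreachable (carries fragmentation-needed, so path MTU discovery works)
    # and time exceeded (traceroute replies).
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        $ipt -A INPUT  -p icmp --icmp-type "$t" -j ACCEPT
        $ipt -A OUTPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Apply only when explicitly asked: `sh firewall.sh apply`
# Dry run: `IPT=echo sh firewall.sh apply`
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

With the state rules placed first, a reply to an allowed connection is accepted before any port-specific rule is consulted, which is why --sport adds nothing there: the connection-tracking entry already records both ports, and a --sport match only restates that while adding a line that has to be kept in sync for each new service.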