
Re: Question about ipchains



On Mon, Mar 26, 2001 at 04:27:00PM -0900, Ethan Benson wrote:
> On Mon, Mar 26, 2001 at 08:01:34PM +0200, Alson van der Meulen wrote:
> 
> > It accepts all other traffic to non-privileged ports. I prefer to
> > allow only traffic without the SYN flag (not initiating a new
> > connection), not all misc traffic; it's more secure. The way to do it
> > is like:
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp ! -y -j ACCEPT
This line is indeed wrong: for UDP, remove the ! -y option.
> > 
> 
> Unfortunately this breaks IRC, FTP and many other things.
FTP: use passive FTP. Active FTP isn't secure with ipchains;
netfilter can handle it better.

For IRC: I never had problems with it, just accept ident lookups and
all outgoing stuff.

protocols that require incoming connections are lame anyway

-- 
,-------------------------------------------.
> Name:           Alson van der Meulen      <
> Personal:       alson@linuxfreak.nl       <
> School:       alson@gymnasiumleiden.nl    <
`-------------------------------------------'
Do you really need your home directory to do any work?
---------------------------------------------
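The rule set discussed above, as an added example that is not part of the original mail: a small Python simulator that parses ipchains rule lines (the corrected version of the lines quoted in the mail, with "! -y" dropped from the UDP rule, plus an explicit accept for ident on TCP 113, which is this example's assumption) and runs constructed packets through the chain. It uses the ipchains meaning of -y, a TCP packet with SYN set and ACK and FIN clear, and covers the cases the thread raises: reply traffic to a high port, an unsolicited new connection, active versus passive FTP data connections, an IRC server's ident lookup and a DNS answer over UDP.

```python
"""Simulate the ipchains 'input' chain from the thread against constructed
packets. Example code, not part of the original mail."""
import shlex
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flag names; UDP has none


@dataclass
class Rule:
    proto: Optional[str]
    dports: Tuple[int, int]              # inclusive destination port range
    syn: Optional[bool]                  # True: -y, False: ! -y, None: no flag test
    target: str


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipchains syntax used in the mail: -A input,
    -s/-d with an optional port or lo:hi range, -p, [!] -y and -j."""
    toks = shlex.split(line)
    if toks[:3] != ["ipchains", "-A", "input"]:
        raise ValueError("only 'ipchains -A input ...' is modelled")
    proto, dports, syn, target = None, (0, 65535), None, None
    i = 3
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            i += 2                                   # address (0/0 here) is ignored
            if i < len(toks) and toks[i][0].isdigit():   # optional port spec
                lo, _, hi = toks[i].partition(":")
                if t == "-d":
                    dports = (int(lo), int(hi or lo))
                i += 1
        elif t == "-p":
            proto, i = toks[i + 1], i + 2
        elif t == "!" and i + 1 < len(toks) and toks[i + 1] == "-y":
            syn, i = False, i + 2
        elif t == "-y":
            syn, i = True, i + 1
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    if syn is not None and proto != "tcp":
        # UDP has no SYN flag, so a SYN test on a UDP rule is meaningless.
        # The simulator refuses it; how real ipchains treated the
        # combination is not modelled here.
        raise ValueError("-y / ! -y only makes sense with -p tcp")
    if target is None:
        raise ValueError("rule has no -j target")
    return Rule(proto, dports, syn, target)


def is_syn(pkt: Packet) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet)."""
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "FIN"})


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    if rule.syn is not None and is_syn(pkt) != rule.syn:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The corrected rules from the mail (UDP without "! -y") plus an explicit
# accept for ident (TCP 113), the rule the reply says makes IRC work.
# The ident line is this example's assumption, not a line from the mail.
INPUT_CHAIN = [parse_rule(l) for l in (
    "ipchains -A input -s 0/0 -d 0/0 113 -p tcp -j ACCEPT",
    "ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT",
    "ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp -j ACCEPT",
)]


def example_verdicts() -> dict:
    """Constructed packets covering the cases raised in the thread."""
    T, U = "tcp", "udp"
    cases = {
        "syn-ack reply to high port": Packet(T, 80, 40000, frozenset({"SYN", "ACK"})),
        "new connection to 8080":     Packet(T, 12345, 8080, frozenset({"SYN"})),
        "active ftp data from :20":   Packet(T, 20, 35000, frozenset({"SYN"})),     # server opens it
        "passive ftp data reply":     Packet(T, 50000, 35001, frozenset({"SYN", "ACK"})),  # we opened it
        "ident lookup":               Packet(T, 4000, 113, frozenset({"SYN"})),
        "dns reply":                  Packet(U, 53, 33000),
        "bare ack to high port":      Packet(T, 12345, 8080, frozenset({"ACK"})),   # stateless caveat
    }
    return {name: verdict(INPUT_CHAIN, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, v in example_verdicts().items():
        print(f"{v:7} {name}")
```

The active FTP data connection is denied because the server opens it towards a high port with a bare SYN, while the passive one is accepted because the client opened it and only the SYN-ACK comes in; that is the reason behind the "use passive FTP" advice. The last case shows the limit of the "! -y" approach: it is stateless, so any packet carrying ACK reaches a high port whether or not a connection exists, which is what netfilter's connection tracking fixes.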