[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IPChains help

"Eugene van Zyl" <evz@streetcar.com> writes:

> What's wrong with the following ruleset that I can't do any DNS
> lookups from the firewallhost ?

Maybe this is just for testing purposes, but the "best practices" say
to DENY by policy and then allow the stuff you want.

> $IPCHAINS -A input -s $Any -d $localnet -j DENY

really with your policy you have setup above, this is the only rule
that means anything.  All the others are just confirming policy.

I highly recommend _Linux Firewalls_ by Robert L. Zeigler (New Riders
press).  This book has saved my kiester several times.  Here's his
recommendation for dns client to server based on a DENY everything

ipchains -A output -i $ext_interface -p udp -s $your_ip_address
$unprivaleged_ports -d $nameserver_ip 53 -j ACCEPT

ipchains -A input -i $external_interface -p udp -s $nameserver_ip 53
-d $your_ip_address $unprivaleged_ports -j ACCEPT
(__) Doug Alcorn <doug@lathi.net> http://www.lathi.net AIM:lathinet
oo / PGP 02B3 1E26 BCF2 9AAF 93F1  61D7 450C B264 3E63 D543
|_/  If you're a capitalist and you have the best goods and they're
     free, you don't have to proselytize, you just have to wait.

Reply to: