
Re: Firewall-troubleshooting



On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:

> I need help understanding what goes wrong in this script. I cannot ping
> anyone and cannot resolve as well. In fact I believe the only thing I can
> get is an ip address from my isp's dhcp server.

  There's no way I'm going to read through all of that and try to 
 understand it.

  Perhaps you'd be better off starting with a smaller firewall script
 and then adding to it as you need?

  One thing did stand out though, you don't allow outgoing connections
 generally.  These lines:

> iptables --policy OUTPUT DROP
> iptables -t nat --policy OUTPUT DROP
> iptables -t mangle --policy OUTPUT DROP

  They seem to say "no output except that which is explicitly allowed".

  For a big network I too would restrict outgoing connections, but for
 a home machine with only trusted hosts?  It's an additional complication
 which doesn't gain you much.

  (Sure, if you had a trojan which phoned home, or tried to compromise
 other hosts .. it would help.  But .. in general it is less useful than
 it appears).

Steve
--
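The smaller script Steve suggests starting from, as an added example that is not code from the original thread or from KC's posted script. It shows the two stances contrasted above side by side: the relaxed "home machine" default of OUTPUT ACCEPT, and what you have to add explicitly if you insist on OUTPUT DROP (the ICMP and port 53 rules are exactly what is needed for ping and name resolution to work). The uplink name eth0, the outbound port list and the filename fw.sh are assumptions. Every rule goes through the $IPT variable, so the script can be dry-run without root by setting IPT=echo; drop that to apply the rules for real.

```shell
#!/bin/sh
# Added example, not code from the original thread: a minimal stateful
# iptables script for a single home machine, showing the two choices the
# reply contrasts.  Every rule goes through "$IPT" so the script can be
# dry-run without root:  IPT=echo sh fw.sh strict
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"      # assumed uplink interface name; adjust to taste

# Shared baseline.  Only the filter table gets restrictive policies.  A DROP
# policy on mangle OUTPUT discards locally generated packets before the
# filter table's OUTPUT chain (and its allow rules) is ever consulted, and a
# DROP policy on nat OUTPUT kills every new outbound connection the same
# way, so both tables are reset to ACCEPT here.
firewall_base() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -t nat    -P PREROUTING  ACCEPT
    $IPT -t nat    -P OUTPUT      ACCEPT
    $IPT -t nat    -P POSTROUTING ACCEPT
    $IPT -t mangle -P PREROUTING  ACCEPT
    $IPT -t mangle -P INPUT       ACCEPT
    $IPT -t mangle -P FORWARD     ACCEPT
    $IPT -t mangle -P OUTPUT      ACCEPT
    $IPT -t mangle -P POSTROUTING ACCEPT

    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    # loopback, and replies to connections this host initiated
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # let others ping us (optional on a home box, handy when troubleshooting)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Variant 1: the "home machine" stance from the reply.  Outgoing is open,
# so ping, DNS, NTP, browsing and so on need no further rules.
firewall_open_out() {
    $IPT -P OUTPUT ACCEPT
}

# Variant 2: keep OUTPUT DROP and pay for it with an explicit allow list.
# Without the ICMP and port 53 lines, ping and name resolution fail in
# exactly the way the original question describes.
firewall_strict_out() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP: ping out, plus the error messages other hosts are entitled to
    $IPT -A OUTPUT -p icmp -j ACCEPT
    # DNS to the resolvers in /etc/resolv.conf; TCP is needed for answers
    # too large for UDP, not only for zone transfers
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -j ACCEPT
    # DHCP renewals.  (Leases typically still "work" under OUTPUT DROP
    # because dhclient uses packet sockets, which bypass netfilter; be
    # explicit anyway for clients that use ordinary UDP sockets.)
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # whatever else this host is meant to do (assumed list; extend as needed)
    for port in 22 80 443; do
        $IPT -A OUTPUT -o "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 123 -j ACCEPT   # NTP
}

case "${1:-}" in
    open)   firewall_base; firewall_open_out ;;
    strict) firewall_base; firewall_strict_out ;;
    *)      echo "usage: [IPT=echo] sh $0 open|strict" >&2 ;;
esac
```

Run `IPT=echo sh fw.sh strict` first and read the printed rule list; once it looks right, run it as root without IPT=echo. Note that the strict variant grows a line for every new protocol you use, which is the "additional complication" the reply refers to; on a machine with a handful of trusted users the open variant is usually the better starting point.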


