
Re: firewalling (ipchains) question



On Sat, Aug 14, 1999 at 12:56:20AM +0200, Peter Palfrader aka Weasel wrote:
> ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
> ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0

You can restrict this to 127/8 and all local addresses. In addition to that,
you should DENY all incoming packets originating from one of your local
addresses.

> ipchains -A output -j ACCEPT -p tcp -s marvin 1024:65535 -d laus 1024:65535 ! -y

The above rule allows packets belonging to established connections on all
ports; it makes no sense.


> ipchains -A output -j ACCEPT -p tcp -s marvin 1024:65535 -d laus smtp 
> 
> ipchains -A input -j ACCEPT -p tcp -s laus 1024:65535 -d marvin 1024:65535 ! -y

The above rule makes no sense.

> ipchains -A input -j ACCEPT -p tcp -s laus smtp -d marvin 1024:65535 ! -y

That's fine, should work.

> is this correct, did I miss something? 
> anything which might need improvement?
> and why does this not work with ssh? (if I substitute smtp with ssh)

ssh is using a privileged source port as long as you don't give "-P" as an
option to ssh.


Greetings
Bernd
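
The port-range matching discussed in this thread, as an added example that is not part of the original message: a small Python model of the quoted TCP rules (not ipchains itself) showing why the SMTP rule passes, why ssh from a privileged source port is not matched, and what the broad high-port "! -y" rule lets through. The DENY chain policy, the source ports 40000, 1022 and 6000, and all class and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

HIGH = (1024, 65535)                       # unprivileged ports, as in the quoted rules
SVC = {"smtp": (25, 25), "ssh": (22, 22)}

@dataclass
class Rule:
    src: str
    sport: tuple
    dst: str
    dport: tuple
    not_syn: bool = False   # models "! -y": skip packets that open a connection

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True only for the initial SYN

def matches(rule, pkt):
    return (rule.src == pkt.src and rule.dst == pkt.dst
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and not (rule.not_syn and pkt.syn))

def accepted(chain, pkt):
    # Assumption: chain policy is DENY, so only an explicit ACCEPT match passes.
    return any(matches(rule, pkt) for rule in chain)

def output_chain(service):
    # -A output -j ACCEPT -p tcp -s marvin 1024:65535 -d laus <service>
    return [Rule("marvin", HIGH, "laus", SVC[service])]

def input_chain(service, broad=False):
    # -A input -j ACCEPT -p tcp -s laus <service> -d marvin 1024:65535 ! -y
    chain = [Rule("laus", SVC[service], "marvin", HIGH, not_syn=True)]
    if broad:  # -s laus 1024:65535 -d marvin 1024:65535 ! -y
        chain.append(Rule("laus", HIGH, "marvin", HIGH, not_syn=True))
    return chain

if __name__ == "__main__":
    # Constructed packets; 40000, 1022 and 6000 are sample ports.
    print("smtp SYN from 40000:", accepted(output_chain("smtp"), Packet("marvin", 40000, "laus", 25, True)))
    print("ssh SYN from 1022:", accepted(output_chain("ssh"), Packet("marvin", 1022, "laus", 22, True)))
    print("ssh -P SYN from 40000:", accepted(output_chain("ssh"), Packet("marvin", 40000, "laus", 22, True)))
    print("non-SYN 6000->6000, broad rule:", accepted(input_chain("smtp", True), Packet("laus", 6000, "marvin", 6000)))
```

The last case passes only because of the broad rule: "! -y" looks at TCP flags, not at connection state, so any non-SYN packet between high ports matches it.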

