[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ipchains firewalling question

On Thu, Sep 02, 1999 at 09:48:01AM -0300, Mario Olimpio de Menezes wrote:
> On Wed, 1 Sep 1999, Patrick Olson wrote:

> > I have the following specific questions:
> > 1. Have I made any mistakes that could cause really annoying problems?
> >    (perhaps unintentionally blocking something that shouldn't be blocked) 

> if you use dhcp for anything, you must enable source/destination for
> as well as the routes for this. This caught me some time
> ago :(

Make sure you're allowing ident connections.  Even if you don't answer
them, you want to refuse connections rather than dropping the packets.
Some systems will timeout the connection attempt.

You may also want to reject packets from IP addresses you own and from
the private IP addresses that aren't arriving on appropriate interfaces,
and anything going out of your network that doesn't have the IP address 
of the masquerading host.  The -i option is useful for this.

> > 4. Are the SMTP and POP3 ports as secure as possible while still
> >    allowing fetchmail and sendmail to work?

> maybe you could specify the source/destination for this rule.

Instead of allowing all traffic in both directions, you could allow
only the correct side of the connection to initiate a connection (look
at the -y option for this).

> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT

For this (and POP, which I've managed to delete) you also want to accept
incoming packets.

> > # allow communication with my ISP's proxy
> > ipchains -A input  -p 3128 -j ACCEPT
> > ipchains -A output -p 3128 -j ACCEPT

Similarly, you could control who gets to connect which way.

Mark Brown  mailto:broonie@tardis.ed.ac.uk   (Trying to avoid grumpiness)
EUFS        http://www.eusa.ed.ac.uk/societies/filmsoc/

Reply to: