Re: ipchains firewalling question
On Thu, Sep 02, 1999 at 09:48:01AM -0300, Mario Olimpio de Menezes wrote:
> On Wed, 1 Sep 1999, Patrick Olson wrote:
> > I have the following specific questions:
> > 1. Have I made any mistakes that could cause really annoying problems?
> > (perhaps unintentionally blocking something that shouldn't be blocked)
> if you use dhcp for anything, you must enable source/destination for
> 255.255.255.255 as well as the routes for this. This caught me some time
> ago :(
Make sure you're allowing ident connections. Even if you don't answer
them, you want to refuse connections rather than dropping the packets.
Some systems will timeout the connection attempt.
You may also want to reject packets from IP addresses you own and from
the private IP addresses that aren't arriving on appropriate interfaces,
and anything going out of your network that doesn't have the IP address
of the masquerading host. The -i option is useful for this.
> > 4. Are the SMTP and POP3 ports as secure as possible while still
> > allowing fetchmail and sendmail to work?
> maybe you could specify the source/destination for this rule.
Instead of allowing all traffic in both directions, you could allow
only the correct side of the connection to initiate a connection (look
at the -y option for this).
> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT
For this (and POP, which I've managed to delete) you also want to accept
> > # allow communication with my ISP's proxy
> > ipchains -A input -p 3128 -j ACCEPT
> > ipchains -A output -p 3128 -j ACCEPT
Similarly, you could control who gets to connect which way.
Mark Brown mailto:email@example.com (Trying to avoid grumpiness)