[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ipchains firewalling question

> > I have the following specific questions:
> > 1. Have I made any mistakes that could cause really annoying problems?
> >    (perhaps unintentionally blocking something that shouldn't be blocked) 
> if you use dhcp for anything, you must enable source/destination for
> as well as the routes for this. This caught me some time
> ago :(

I don't think I use dhcp, but I'm not really sure about PPP.  When using
pon to get a dial-up connection to my ISP, I certainly get a dynamic IP.
Is that done with dhcp?

> > 2. Is it safe to allow all input from localhost and output to localhost
> >    as I have done?
> I think that this is indeed a must for certain apps. IIRC named need it.

I kind of thought it might be necessary for something.

> > 3. Are the lines that allow ICMP the right thing to do so ping will work?
> >    (also, the HOW-TO warned about not blocking ICMP type 3).
> > 4. Are the SMTP and POP3 ports as secure as possible while still
> >    allowing fetchmail and sendmail to work?
> maybe you could specify the source/destination for this rule.

I'm not sure if I should do that on the ICMP one.  I meant to do that on
the SMTP and POP3 ones, but I obviously didn't!

> > 5. Will my lines to block all communication with ads3.inet1.com work?
> >    (If I had a fast Internet connection, I wouldn't mind banner ads)
> > 6. Any other comments or suggestions?
> seems to me that the syntax is wrong. ipchains syntax for setting
> destination port is --dport. -p is for protocol.

You're right, I was using port numbers as if they were protocol numbers.

Unfortunately, ipchains does not like --dport:

# ipchains -A input --dport 20 -j ACCEPT
ipchains: Unknown option `--dport'
Try `ipchains -h' for more information.

> > ipchains -A input  -p 20 -j ACCEPT
> ipchains -A input --dport 20 -j ACCEPT
> or 
> ipchains -A input -p ftp-data -j ACCEPT

Looking at it again, I think -p is for protocol, and ftp-data is a
something (packet type?) that uses the TCP protocol.  I think I have to do

ipchains -A input -d 0/0 20 -j ACCEPT

> > # allow me to use fetchmail
> > ipchains -A output -p 110 -j ACCEPT

How about:

ipchains -A input  -d 0/0 110 -s pop3.isp.com 110 -j ACCEPT
ipchains -A output -s 0/0 110 -d pop3.isp.com 110 -j ACCEPT

That should allow fetchmail to work.  I don't see why my ISP would try and
initiate a pop3 or SMTP connection.

> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT

How about:

ipchains -A input  -d 0/0 25 -s smtp.isp.com 25 -j ACCEPT
ipchains -A output -s 0/0 25 -d smtp.isp.com 25 -j ACCEPT


Reply to: