Re: ipchains firewalling question
> > I have the following specific questions:
> > 1. Have I made any mistakes that could cause really annoying problems?
> > (perhaps unintentionally blocking something that shouldn't be blocked)
>
> if you use dhcp for anything, you must enable source/destination for
> 255.255.255.255 as well as the routes for this. This caught me some time
> ago :(
I don't think I use dhcp, but I'm not really sure about PPP. When using
pon to get a dial-up connection to my ISP, I certainly get a dynamic IP.
Is that done with dhcp?
> > 2. Is it safe to allow all input from localhost and output to localhost
> > as I have done?
>
> I think that this is indeed a must for certain apps. IIRC named need it.
I kind of thought it might be necessary for something.
> > 3. Are the lines that allow ICMP the right thing to do so ping will work?
> > (also, the HOW-TO warned about not blocking ICMP type 3).
> > 4. Are the SMTP and POP3 ports as secure as possible while still
> > allowing fetchmail and sendmail to work?
>
> maybe you could specify the source/destination for this rule.
I'm not sure if I should do that on the ICMP one. I meant to do that on
the SMTP and POP3 ones, but I obviously didn't!
> > 5. Will my lines to block all communication with ads3.inet1.com work?
> > (If I had a fast Internet connection, I wouldn't mind banner ads)
> > 6. Any other comments or suggestions?
>
> seems to me that the syntax is wrong. ipchains syntax for setting
> destination port is --dport. -p is for protocol.
You're right, I was using port numbers as if they were protocol numbers.
Unfortunately, ipchains does not like --dport:
# ipchains -A input --dport 20 -j ACCEPT
ipchains: Unknown option `--dport'
Try `ipchains -h' for more information.
> > ipchains -A input -p 20 -j ACCEPT
>
> ipchains -A input --dport 20 -j ACCEPT
> or
> ipchains -A input -p ftp-data -j ACCEPT
Looking at it again, I think -p is for protocol, and ftp-data is
something (packet type?) that uses the TCP protocol. I think I have to do
ipchains -A input -d 0/0 20 -j ACCEPT
> > # allow me to use fetchmail
> > ipchains -A output -p 110 -j ACCEPT
How about:
ipchains -A input -d 0/0 110 -s pop3.isp.com 110 -j ACCEPT
ipchains -A output -s 0/0 110 -d pop3.isp.com 110 -j ACCEPT
That should allow fetchmail to work. I don't see why my ISP would try and
initiate a pop3 or SMTP connection.
> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT
How about:
ipchains -A input -d 0/0 25 -s smtp.isp.com 25 -j ACCEPT
ipchains -A output -s 0/0 25 -d smtp.isp.com 25 -j ACCEPT
Thanks,
Patrick
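A cleaned-up version of the POP3/SMTP rules proposed above, added here as an example that is not part of the thread or of anyone's posted configuration. It assumes the dial-up interface is ppp0, keeps pop3.isp.com / smtp.isp.com as placeholders, and by default only prints the ipchains commands instead of executing them.

```shell
#!/bin/sh
# Added example: ipchains rules for a client-only TCP service (POP3, SMTP)
# with the port numbers on the correct side of the rule.
# Assumptions: external interface is ppp0; the *.isp.com names are
# placeholders. IPCHAINS defaults to a dry run that echoes each command;
# set IPCHAINS=/sbin/ipchains to apply the rules for real.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-ppp0}"

# client_tcp_rules SERVER PORT
# Lets this host open connections to SERVER:PORT and accept the replies.
#  - ipchains only accepts a port number after -p tcp or -p udp.
#  - our side of the connection uses an ephemeral port (1024:65535),
#    so "-s 0/0 110" would never match the packets fetchmail sends.
#  - "! -y" on the input rule matches everything except a bare SYN,
#    so the server can answer but cannot open a new connection to us.
client_tcp_rules() {
    server=$1
    port=$2
    $IPCHAINS -A output -i "$EXT_IF" -p tcp \
        -s 0.0.0.0/0 1024:65535 -d "$server" "$port" -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y \
        -s "$server" "$port" -d 0.0.0.0/0 1024:65535 -j ACCEPT
}

# block_host HOST
# Denies both directions of traffic with HOST (the banner-ad case).
# Rules are matched in order, so call this before any broad ACCEPT rules.
block_host() {
    $IPCHAINS -A output -d "$1" -j DENY
    $IPCHAINS -A input -s "$1" -j DENY
}

# Sample use for the services discussed in the thread.
block_host ads3.inet1.com
client_tcp_rules pop3.isp.com 110   # fetchmail
client_tcp_rules smtp.isp.com 25    # outgoing sendmail
```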