Re: ipchains firewalling question
> > I have the following specific questions:
> > 1. Have I made any mistakes that could cause really annoying problems?
> > (perhaps unintentionally blocking something that shouldn't be blocked)
> if you use dhcp for anything, you must enable source/destination for
> 255.255.255.255 as well as the routes for this. This caught me some time
> ago :(
I don't think I use dhcp, but I'm not really sure about PPP. When using
pon to get a dial-up connection to my ISP, I certainly get a dynamic IP.
Is that done with dhcp?
> > 2. Is it safe to allow all input from localhost and output to localhost
> > as I have done?
> I think that this is indeed a must for certain apps. IIRC named need it.
I kind of thought it might be necessary for something.
> > 3. Are the lines that allow ICMP the right thing to do so ping will work?
> > (also, the HOW-TO warned about not blocking ICMP type 3).
> > 4. Are the SMTP and POP3 ports as secure as possible while still
> > allowing fetchmail and sendmail to work?
> maybe you could specify the source/destination for this rule.
I'm not sure if I should do that on the ICMP one. I meant to do that on
the SMTP and POP3 ones, but I obviously didn't!
> > 5. Will my lines to block all communication with ads3.inet1.com work?
> > (If I had a fast Internet connection, I wouldn't mind banner ads)
> > 6. Any other comments or suggestions?
> seems to me that the syntax is wrong. ipchains syntax for setting
> destination port is --dport. -p is for protocol.
You're right, I was using port numbers as if they were protocol numbers.
Unfortunately, ipchains does not like --dport:
# ipchains -A input --dport 20 -j ACCEPT
ipchains: Unknown option `--dport'
Try `ipchains -h' for more information.
> > ipchains -A input -p 20 -j ACCEPT
> ipchains -A input --dport 20 -j ACCEPT
> ipchains -A input -p ftp-data -j ACCEPT
Looking at it again, I think -p is for protocol, and ftp-data is a
something (packet type?) that uses the TCP protocol. I think I have to do
ipchains -A input -d 0/0 20 -j ACCEPT
> > # allow me to use fetchmail
> > ipchains -A output -p 110 -j ACCEPT
ipchains -A input -d 0/0 110 -s pop3.isp.com 110 -j ACCEPT
ipchains -A output -s 0/0 110 -d pop3.isp.com 110 -j ACCEPT
That should allow fetchmail to work. I don't see why my ISP would try and
initiate a pop3 or SMTP connection.
> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT
ipchains -A input -d 0/0 25 -s smtp.isp.com 25 -j ACCEPT
ipchains -A output -s 0/0 25 -d smtp.isp.com 25 -j ACCEPT