
Re: ipchains question



At 10:53 PM 5/9/00 +0100, you wrote:
>"Eric Gillespie, Jr." <epg@pobox.com> wrote:
>>I'd like to set up ipchains so that no one can connect to my
>>dialup computer at all except for identd (for IRC). I read the
>>Firewall and IPCHAINS howtos, as well as the ipchains man page,
>>and it looks like the following lines should do what I want:
>>
>>ipchains -P input DENY
>>ipchains -I input -p all -s localhost -j ACCEPT
>>ipchains -I input -p icmp -j ACCEPT
>>ipchains -I input -p tcp --dport 113 -j ACCEPT
>>
>>Unfortunately, they don't.
>
>The person who said that connections are bi-directional was correct, but
>not in saying that you need a complementary output rule for everything
>(that'll just make it worse ...). You should look at the -y (or --syn)
>option to ipchains, which will allow you to control the packets that
>*initiate* connections, then just let all non-SYN TCP packets through.
>
>You might need to allow UDP (or certain bits of it) through too,
>depending on what you're doing; for instance, a caching nameserver will
>want to talk UDP.

Shouldn't the lines denied by input be specific for the ppp0 interface (or
whatever it's labeled on his machine)?  It was my impression that input
stood for All input to ipchains, including local.  If a general statement
is made in the first line, one never gets to the second... 

Of course, I'm at work (WinDoze) so can't immediately check the -P
option... does that affect only outside input?  

Kenward

----------------------------------------------------
                                          .'^~;,_
Dr. Kenward Vaughan                       ':,^'````
Professor of Chemistry                    \;:/
Bakersfield College                       |,;|
Bakersfield, CA  93305                   / ', \
                                        / o  O \
kvaughan@bc.cc.ca.us                   (oOoOOoOo)
                                     ---========---
                                      ???$$MM$$???
----------------------------------------------------
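As an added illustration (not code from anyone in this thread), a small Python first-match simulator of an ipchains input chain: it shows why Eric's original rules drop the replies to his own outbound IRC connection and how the -y (SYN-only) rule shape from the reply, tied to ppp0 as Kenward asks, lets those replies through while still refusing new inbound connections other than identd. It assumes ipchains semantics of first matching rule wins, with the -P policy as fallback; the Pkt/Rule types and the address 10.0.0.1 are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    iface: str         # interface the packet arrived on: "ppp0" or "lo"
    proto: str         # "tcp", "udp" or "icmp"
    src: str           # source address
    dport: int = 0     # destination port (0 for icmp)
    syn: bool = False  # TCP SYN without ACK, i.e. a connection-initiating packet

@dataclass
class Rule:
    target: str                   # ACCEPT or DENY
    proto: Optional[str] = None   # -p
    iface: Optional[str] = None   # -i
    src: Optional[str] = None     # -s
    dport: Optional[int] = None   # --dport
    syn: Optional[bool] = None    # -y / --syn: match only SYN packets

    def matches(self, p: Pkt) -> bool:
        wanted = ((self.proto, p.proto), (self.iface, p.iface), (self.src, p.src),
                  (self.dport, p.dport), (self.syn, p.syn))
        return all(w is None or w == have for w, have in wanted)

def run_chain(rules, policy, p):
    """First matching rule decides; otherwise the chain policy (-P) applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

# Original post in evaluation order (-I prepends, so reverse of the order typed).
ORIGINAL = [
    Rule("ACCEPT", proto="tcp", dport=113),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", src="127.0.0.1"),   # -s localhost
]
# Reply's -y suggestion, tied to ppp0: only a SYN to 113 may open a connection
# from outside; non-SYN TCP (replies to our own sessions) is let through.
WITH_SYN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", iface="ppp0", dport=113, syn=True),
    Rule("DENY", proto="tcp", iface="ppp0", syn=True),
    Rule("ACCEPT", proto="tcp", iface="ppp0"),
]

def verdicts(p: Pkt):
    """(original ruleset verdict, -y ruleset verdict), both under -P input DENY."""
    return run_chain(ORIGINAL, "DENY", p), run_chain(WITH_SYN, "DENY", p)
```

A reply packet on an outbound IRC session (non-SYN TCP from the server to a high local port) is denied by the original chain and accepted by the -y version, while a fresh SYN to port 22 from ppp0 is denied by both.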


