
Re: ipchains question



kvaughan@bc.cc.ca.us wrote:
>At 10:53 PM 5/9/00 +0100, you wrote:
>>"Eric Gillespie, Jr." <epg@pobox.com> wrote:
>>>ipchains -P input DENY
>>>ipchains -I input -p all -s localhost -j ACCEPT
>>>ipchains -I input -p icmp -j ACCEPT
>>>ipchains -I input -p tcp --dport 113 -j ACCEPT
>>
>>The person who said that connections are bi-directional was correct, but
>>not in saying that you need a complementary output rule for everything
>>(that'll just make it worse ...). You should look at the -y (or --syn)
>>option to ipchains, which will allow you to control the packets that
>>*initiate* connections, then just let all non-SYN TCP packets through.
>>
>>You might need to allow UDP (or certain bits of it) through too,
>>depending on what you're doing; for instance, a caching nameserver will
>>want to talk UDP.
>
>Shouldn't the lines denied by input be specific for the ppp0 interface (or
>whatever it's labeled on his machine)?  It was my impression that input
>stood for All input to ipchains, including local.  If a general statement
>is made in the first line, one never gets to the second... 

Well, that's true in general, but the first line above is just setting
the default policy, so imagine it as the last line and you'll be closer
to the truth. The second line then sets a catch-all rule for all local
input - in fact, the '-p all' is redundant.

If you wanted to be clear then you could put in '-i ppp0' or whatever in
each of the subsequent rules, but it's not really necessary (how much of
a slowdown would that cause, if any?); I'd leave it off. To make sure
people can't spoof localhost, though, it might be worth turning on TCP
syncookies if you aren't doing so already.

-- 
Colin Watson                                     [cjw44@flatline.org.uk]
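The ruleset the advice in this thread adds up to, written out as a script. This is an added example, not code from the thread or from any of the posters. It assumes the external interface is ppp0 and that the host runs a caching nameserver (both hypothetical), and it prints the ipchains commands instead of executing them unless DRY_RUN=0. It uses -A (append) rather than the -I of the quoted rules, so the chain is checked in the order written; -I inserts at the head of the chain, so with -I the last rule written is checked first. The loopback rule matches on -i lo rather than on a source address of localhost, so a packet arriving on ppp0 with a forged 127.0.0.1 source does not qualify.

```shell
#!/bin/sh
# Added example for the ipchains thread above (not the original posters' code).
# Assumptions (hypothetical): external interface is ppp0; a caching nameserver
# runs locally and needs UDP replies from port 53.
# DRY_RUN=1 (the default) prints each command instead of executing it.

IFACE="${IFACE:-ppp0}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command on a dry run, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ppp_ruleset: build the input chain. Rules are appended with -A, so they are
# consulted top to bottom; the first match wins and the policy is used only
# when nothing matches, which is why the DENY policy behaves like a last line.
ppp_ruleset() {
    run ipchains -P input DENY
    # Flush first so re-running the script does not duplicate rules.
    run ipchains -F input
    # Traffic on the loopback interface is local by definition.
    run ipchains -A input -i lo -j ACCEPT
    # A loopback source address arriving on the dial-up link is forged: log and drop.
    run ipchains -A input -i "$IFACE" -s 127.0.0.0/8 -j DENY -l
    # ICMP (path MTU discovery, errors for our own connections).
    run ipchains -A input -i "$IFACE" -p icmp -j ACCEPT
    # Incoming ident lookups, as in the quoted rules.
    run ipchains -A input -i "$IFACE" -p tcp --dport 113 -j ACCEPT
    # -y matches TCP packets with SYN set and ACK/FIN clear, i.e. packets that
    # initiate a connection. Deny those from outside and log them.
    run ipchains -A input -i "$IFACE" -p tcp -y -j DENY -l
    # All other TCP (replies to connections this host opened) passes.
    run ipchains -A input -i "$IFACE" -p tcp -j ACCEPT
    # UDP replies to the caching nameserver: source port 53 on the remote end.
    run ipchains -A input -i "$IFACE" -p udp -s 0/0 53 -j ACCEPT
}

# enable_syncookies: the kernel knob suggested at the end of the reply above.
enable_syncookies() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/tcp_syncookies'
    else
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi
}

ppp_ruleset
enable_syncookies
```

Run it as-is to review the generated rules, then with DRY_RUN=0 as root to apply them. The order of the two -p tcp rules is the whole point of -y: swap them and every inbound SYN would be accepted by the catch-all TCP rule before the -y rule is reached.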
