
Re: 2 ipchains questions



hi andrew...

imap connections will not time out if you check for new mail
regularly...

for more ipchain/iptables examples and howtos..

c ya
alvin
http://www.Linux-Sec.net ... security stuff ..


On Sun, 27 May 2001, Andrew Perrin wrote:

> Thanks for all this. The reason I'd like the masqueraded connections never
> to time out is that I'd like machines on my private network to be able to
> maintain connections indefinitely - specifically, IMAP connections. I'd
> like to be able to leave an IMAP client running on a machine and not get
> TCP/IP Port Reset errors on it.
> 
> Andy
> 
> ----------------------------------------------------------------------
> Andrew J Perrin - andrew_perrin@unc.edu - http://www.unc.edu/~aperrin
>     Asst Professor of Sociology, U of North Carolina, Chapel Hill
>       269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA
> 
> 
> On Mon, 28 May 2001, Tobias Galitzien wrote:
> 
> > Do something like:
> > 
> > # for initialisation - deny everything that will not be allowed later...
> > 
> > ipchains -P input DENY
> > ipchains -P forward DENY
> > ipchains -P output DENY
> > ipchains -F
> > 
> > # allow local things
> > 
> > ipchains -A input -j ACCEPT -i lo
> > ipchains -A output -j ACCEPT -i lo
> > 
> > # allow SSH connections from eth1 (and reply packets)
> > 
> > ipchains -A input -j ACCEPT -p tcp -i eth1 -s 0.0.0.0/0 1024: -d <IP of eth1> 22
> > ipchains -A output -j ACCEPT -p tcp -i eth1 -d 0.0.0.0/0 1024: -s <IP of eth1> 22
> > 
> > AFAIR you don't have to worry about response packets from masqueraded
> > connections. They will bypass the input and output chains.
> > 
> > For the timeout of masquerading see the -S option of ipchains. I think it is
> > not the best idea to make connections never time out (quite sure it is not
> > even possible) because you will eventually run out of port numbers. Just set
> > it to a reasonable high value - like one hour - don't know what the max is.
> > 

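The ruleset Tobias sketches above, written out as a complete script, with the masquerading pieces the thread talks about (the MASQ rule in the forward chain and the timeouts set through -M -S) filled in. This is an added example and not code from anyone in the thread; the interface names, the 192.168.1.0/24 LAN prefix, the 203.0.113.10 gateway address and the one-hour TCP timeout are assumptions chosen for illustration. It prints the commands by default so the set can be reviewed before it is applied to a live kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipchains ruleset in the shape
# Tobias describes, plus the masquerading rule and timeouts the thread discusses.
# Interface names, LAN prefix and external address are assumptions; override
# them in the environment.  DRY_RUN=1 (default) prints instead of applying.

EXT_IF="${EXT_IF:-eth1}"                 # assumed: interface facing the Internet
EXT_IP="${EXT_IP:-203.0.113.10}"         # assumed placeholder address of EXT_IF
LAN_IF="${LAN_IF:-eth0}"                 # assumed: interface facing the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed: masqueraded private network
SSH_PORT=22

# Masquerade timeouts in seconds, in the order ipchains -M -S expects:
# established TCP, TCP after a FIN, UDP.  One hour for TCP, as suggested in
# the thread; a value of 0 would leave the kernel's current setting untouched.
MASQ_TCP=3600
MASQ_TCPFIN=10
MASQ_UDP=160

# Print the whole ruleset, one ipchains command per line.
build_rules() {
    # initialisation: default-deny every chain, then flush stale rules
    echo "ipchains -P input DENY"
    echo "ipchains -P forward DENY"
    echo "ipchains -P output DENY"
    echo "ipchains -F"
    # loopback traffic
    echo "ipchains -A input -j ACCEPT -i lo"
    echo "ipchains -A output -j ACCEPT -i lo"
    # SSH to the gateway from the outside, and its reply packets
    echo "ipchains -A input -j ACCEPT -p tcp -i $EXT_IF -s 0.0.0.0/0 1024: -d $EXT_IP $SSH_PORT"
    echo "ipchains -A output -j ACCEPT -p tcp -i $EXT_IF -d 0.0.0.0/0 1024: -s $EXT_IP $SSH_PORT"
    # LAN hosts may send to and receive from the gateway on the inside interface
    echo "ipchains -A input -j ACCEPT -i $LAN_IF -s $LAN_NET"
    echo "ipchains -A output -j ACCEPT -i $LAN_IF -d $LAN_NET"
    # masquerade LAN traffic bound anywhere; after rewriting it leaves the
    # output chain with source EXT_IP, so that has to be accepted too
    echo "ipchains -A forward -j MASQ -s $LAN_NET -d 0.0.0.0/0"
    echo "ipchains -A output -j ACCEPT -i $EXT_IF -s $EXT_IP"
    # replies to masqueraded TCP connections arrive addressed to EXT_IP;
    # accept non-SYN segments only (! -y) so nothing new is opened from outside
    echo "ipchains -A input -j ACCEPT -p tcp -i $EXT_IF ! -y -d $EXT_IP"
    # masquerade table timeouts (TCP, TCP-after-FIN, UDP)
    echo "ipchains -M -S $MASQ_TCP $MASQ_TCPFIN $MASQ_UDP"
}

# Number of commands the set contains, handy for a sanity check.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

if [ "${DRY_RUN:-1}" = 1 ]; then
    build_rules              # review the commands first
else
    build_rules | sh -e      # apply them (needs root and an ipchains kernel)
fi
```

Nothing in the ruleset keeps an idle IMAP session in the masquerade table past MASQ_TCP seconds; as alvin says, the client has to generate traffic (polling for new mail) within that window, and raising the timeout only buys a longer idle window at the cost of table entries and port numbers held by dead connections.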