
Re: How secure am I?



The problem with editing inetd.conf is that I don't know if I'll break
something I need like samba.

I have a set of firewall rules I knocked up from
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-6.html#Strong-IPFWADM-Rulesets

:input REJECT
:forward DENY
:output REJECT
-A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
-A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
-A input -s 0.0.0.0/0.0.0.0 -d 217.35.25.225/255.255.255.255 -i ppp0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i ppp0 -j REJECT -l
-A output -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j REJECT -l
-A output -s 217.35.25.225/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j REJECT -l

It uses a rather clever command

extip="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

to get the external interface. Not sure how it'll handle a disconnect - reconnect - accept new dynamic IP number situation.
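The reconnect case above is the usual reason to regenerate the rules from the current ppp0 address rather than save them once. The script below is an added example, not from the post or the HOWTO it links: it reuses the HOWTO's extip pipeline on captured ifconfig text and emits the poster's rule set in ipchains-save format for whatever address it finds. The 192.168.0.0/24 LAN, the ipchains-restore hook and the pppd ip-up $4 argument are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Rebuild the rule set from the
# current ppp0 address so a disconnect/reconnect with a new dynamic IP does
# not leave ACCEPT rules bound to the old one. Assumes the LAN is
# 192.168.0.0/24 and ipchains-save syntax as in the post.
LAN=192.168.0.0/255.255.255.0
ANY=0.0.0.0/0.0.0.0

# The HOWTO's pipeline, reading ifconfig text from stdin instead of the live
# interface so it can be exercised while ppp0 is down.
parse_extip() {
    grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'
}

# Print the complete rule set for one external address (ipchains-save format).
gen_rules() {
    extip="$1/255.255.255.255"
    cat <<EOF
:input REJECT
:forward DENY
:output REJECT
-A input -s $LAN -d $ANY -i eth0 -j ACCEPT
-A input -s $LAN -d $ANY -i ppp0 -j REJECT -l
-A input -s $ANY -d $extip -i ppp0 -j ACCEPT
-A input -s $ANY -d $ANY -i lo -j ACCEPT
-A input -s $ANY -d $ANY -j REJECT -l
-A forward -s $LAN -d $ANY -i ppp0 -j MASQ
-A forward -s $ANY -d $ANY -j REJECT -l
-A output -s $ANY -d $LAN -i eth0 -j ACCEPT
-A output -s $ANY -d $LAN -i ppp0 -j REJECT -l
-A output -s $LAN -d $ANY -i ppp0 -j REJECT -l
-A output -s $extip -d $ANY -i ppp0 -j ACCEPT
-A output -s $ANY -d $ANY -i lo -j ACCEPT
-A output -s $ANY -d $ANY -j REJECT -l
EOF
}

# Constructed ifconfig output standing in for `/sbin/ifconfig ppp0`.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.35.25.225  P-t-P:217.35.25.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Address out of the captured text, rules out the other end.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | parse_extip | { read -r ip; gen_rules "$ip"; }
}

# Assumed hook, not run here: in /etc/ppp/ip-up pppd passes the new local
# address as $4, so:  gen_rules "$4" | ipchains-restore
```

Note that the grep pattern depends on the old 'inet addr:' ifconfig layout; newer net-tools print 'inet 1.2.3.4' and the pipeline then yields an empty extip, which turns the ACCEPT rules into rules that match nothing rather than failing loudly.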



