
Re: iptables blocking rules



On Wed, Jan 14, 2004 at 08:15:34AM +0100, Matthias Hentges wrote:
> Hello David,
 
> Am Die, 2004-01-13 um 23.24 schrieb David:

> [...]
 
> > Actually, the whole ruleset from firestarter seems a bit complex for my
> > setup.  Wouldn't it be pretty sufficient for a single-system setup to
> > have something basically like this:
> > 
> > set policy for INPUT & FORWARD to DROP ( leave OUTPUT to ACCEPT?)
> > set INPUT ESTABLISHED,RELATED to ACCEPT
> > < add some logging facilities >
> > < allow some icmp requests, maybe? >
> 
> It is considered "good behavior" to at least allow ICMP pings.
> Normally one can do a -p ICMP -j ACCEPT.

Right now, I am allowing at least _some_ of these.

> > Wouldn't that pretty well take care of it?
> 
> For simple setups this indeed is enough since no unrequested
> (unrelated, unestablished) connections can be made from the outside.
> 
> Setting FORWARD to DROP is kinda overkill IMO since INPUT is already
> blocking everything. No need to add special rules there.
> 
> Just make sure that you include the device you want to filter
> (i.e. -i eth0 for cable or -i ppp0 for dialup/DSL). This will make sure
> that legitimate connections from your LAN (and of course lo) will be
> allowed.

Yes.  My system is dialup.  The way firestarter set it up was that the
firewall was not active until a connection was made.  The firewall
script was run from /etc/ppp/ip-up.d/ .  The -i stuff was my IP address
that was assigned to me on logon, found through "ifconfig".  I changed
-i to ppp0 and set up the firewall at bootup.

I may do a bit of changing, maybe even eliminating the firestarter
stuff - just using the script that it generated.  Instead of calling
up the script directly, it runs its own program,
"firestarter". I don't know what all it does, but it looks like simply
calling the script directly would be enough.

Thanks for the reply.  You've reassured me somewhat that I _can_ delete
at least the rules I was questioning.
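The single-host ruleset sketched in the thread (INPUT and FORWARD policy DROP, OUTPUT left at ACCEPT, ESTABLISHED,RELATED accepted, pings answered, drops logged, everything scoped to the dial-up device with -i ppp0) written out as a small script. This is an added example, not the firestarter-generated script or anything posted in the thread. It assumes the external interface name is passed as the first argument (ppp0 for dial-up, eth0 for cable), that the iptables binary and its conntrack/limit matches are available, and that applying requires root. The function prints the commands so the ruleset can be reviewed first; `--apply` pipes them into sh.

```shell
#!/bin/sh
# Minimal single-host firewall for one external interface (added example).
# Assumed: $1 = external interface name (default ppp0); iptables in PATH with
# the conntrack and limit matches; root privileges when applying.

# Emit the iptables commands for the given external interface on stdout.
# Because the rules name the interface rather than an address, this can run
# at boot before the PPP link exists: iptables does not require -i devices
# to be present yet, which is why -i ppp0 beats the dial-up-assigned IP.
firewall_rules() {
    iface="${1:-ppp0}"
    cat <<EOF
# Start from empty INPUT/FORWARD chains
iptables -F INPUT
iptables -F FORWARD
# Default policies: drop unsolicited inbound traffic, leave OUTPUT open
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Everything that is NOT from the external device (lo, LAN side) is allowed;
# this is what "include the device you want to filter" buys you
iptables -A INPUT ! -i $iface -j ACCEPT
# Replies to connections this host initiated (older scripts: -m state --state)
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Answer pings, rate-limited so a flood cannot keep the CPU busy
iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log what is about to hit the DROP policy, rate-limited to protect the log
iptables -A INPUT -i $iface -m limit --limit 3/min -j LOG --log-prefix "FW-INPUT-DROP: "
EOF
}

# Usage: ./fw.sh ppp0            -> print the ruleset for review
#        ./fw.sh --apply ppp0    -> load it (as root)
if [ "${1:-}" = "--apply" ]; then
    firewall_rules "${2:-ppp0}" | sh -e
elif [ -n "${1:-}" ]; then
    firewall_rules "$1"
fi
```

The LOG rule is the last entry in INPUT and has no matching DROP rule after it; the chain's DROP policy does the actual dropping, so the log line shows exactly what the policy discarded. Note that with a DROP policy and no `! -i` rule, packets from lo or a LAN NIC would also be dropped, which is the pitfall the "include the device" advice is warning about.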
