
Re: iptables not behaving the way I expected



On Fri, Apr 20, 2007 at 11:41:28PM -0400, Jim Hyslop wrote:
> > You have defined ethLRZ, haven't you?
> 
> I have no idea. I just entered the rules as found in the blog. I assumed
> 'LRZ' was simply a place-holder for the actual interface number, as the
> iptables man page examples use '-i eth0' and not '-i ethLRZ'.
> I just googled ethLRZ, and other than the original blog and this thread,
> found nothing. The man page doesn't mention it either. So, what is it,
> and how do I know if it's defined?
> 

This is the name of your interface connected to the Internet. I suppose
ethLRZ was a variable containing the name of this interface. You should
replace it with the one you use.

> > You may have forgotten to set your default policy. According to what you
> > wrote, your default policy is ACCEPT for INPUT, FORWARD, and OUTPUT
> > chains. This is not safe, since you accept all incoming and outgoing
> > traffic.
> 
> Well, I hope I don't sound cavalier about this, but until I added the
> above rules, I wasn't even running iptables. The machine is behind a
> hardware firewall, on a home network. 

I do not know anything about hardware firewalls, but I think it is not a
bad idea to set up a firewall on your machine as well.

> Only the ssh port is open on the
> firewall. The ssh daemon is configured only to accept public key
> authentication. What else can I do on the input side?
> On the output side, I really can't think of any rules that would make
> sense. What IP addresses would I block access to?
> 
> The machine isn't configured to forward anything, so that's not (or
> shouldn't be) an issue.

I do not think the same way you do. If you are not running any servers
except ssh, why should other ports be open for *NEW* incoming traffic?
I control traffic in the OUTPUT chain to prevent a backdoor, if there is
one, from causing damage from my computer by bypassing normal
authentication.

If you want to read more about iptables:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
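The following script is an added example illustrating the two points above (ethLRZ is only a placeholder for the Internet-facing interface, and a host that runs nothing but sshd should DROP by default in all three chains and open only what it needs). It is not code from the thread or from the blog Jim copied the rules from. The interface name `eth0`, the ssh port and the short list of permitted outbound services (DNS, HTTP/HTTPS, NTP, ping) are assumptions; adjust them for your machine. By default the script only prints the iptables commands it would run; pass `apply` to execute them as root.

```shell
#!/bin/sh
# Minimal stateful host firewall for a box whose only service is sshd.
# WAN_IF takes the place of the 'ethLRZ' placeholder from the thread:
# set it to the interface that actually faces the network
# ("ip route show default" tells you which one that is).
WAN_IF="${WAN_IF:-eth0}"       # assumption: change to your interface
SSH_PORT="${SSH_PORT:-22}"     # assumption: change if sshd listens elsewhere

# Emit the rule set as iptables commands on stdout.
# $1 = Internet-facing interface, $2 = ssh port.
fw_rules() {
    wan="$1"
    ssh="$2"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport $ssh -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
EOF
}

# Convenience check used to verify that a generated rule set really
# drops by default in every chain (returns 0 if all three policies are DROP).
fw_rules_drop_by_default() {
    n=$(fw_rules "$1" "$2" | grep -c -- '-P [A-Z]* DROP')
    [ "$n" -eq 3 ]
}

# Usage:  sh firewall.sh          (dry run: show the commands)
#         sudo sh firewall.sh apply
# When applying over ssh, the ESTABLISHED rule keeps the current session
# alive, but a typo in the policy lines can still lock you out: run
# "sleep 120 && iptables -P INPUT ACCEPT" in a second session first.
case "${1:-}" in
    apply) fw_rules "$WAN_IF" "$SSH_PORT" | sh -e ;;
    *)     fw_rules "$WAN_IF" "$SSH_PORT" ;;
esac
```

With OUTPUT at DROP, anything that is not in the short allow list (the "backdoor" case Franck mentions) ends up in the log with the `fw-out-drop:` prefix instead of silently leaving the box, so `grep fw-out-drop /var/log/kern.log` shows you what tried to phone home. If the list turns out to be too tight for your use, add the missing service as another `--state NEW` rule rather than loosening the policy.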


