
Re: how to only allow tcp on dport 443 on the OUTPUT chain?



On Tue, 08 Mar 2011 23:35:03 -0800, erikmccaskey64 <erikmccaskey64@zoho.com> wrote:
>
> it's a normal desktop machine's iptables firewall: 
>
>
> If I want to block udp on dport 80 on the output chain, then is this enough? I want to only allow tcp on it!
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>

    Only allowed outgoing traffic is on $PUBIF interface for tcp and udp port 80. 
On all other interfaces all outgoing traffic is blocked.

>
> or i need this rule?
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>

    Only allowed outgoing traffic is on $PUBIF interface for tcp port 80. On all 
other interfaces all outgoing traffic is blocked.

    I may be mistaken, but such hard rules could cause serious problems. I think 
that even dns name resolution would not work anymore (you cannot send out dns queries). 
Essentially you could only browse websites on port 80 using IP numbers instead of server 
name.


-- 
Virgo Pärna 
virgo.parna@mail.ee
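An added example, not from either poster in this thread: a small POSIX shell script that builds a default-DROP OUTPUT ruleset of the kind discussed above, but with the pieces that the reply warns are missing (DNS queries, plus loopback and reply packets for already-accepted connections). The interface name eth0, the allowed port 443 (taken from the subject line), the resolver address 192.0.2.53 (a documentation-range address) and the helper names are all assumptions. Every rule that matches a port also names a protocol with -p, which is the point of the second variant in the thread. By default the script only prints the commands; APPLY=1 runs them, which needs root and the conntrack match module.

```shell
#!/bin/sh
# Added example (not part of the original thread): generate a restrictive
# OUTPUT-chain ruleset that allows only TCP to one port on the public
# interface while keeping name resolution and reply traffic working.
# Interface, port and resolver below are assumed/constructed values.

PUBIF="${PUBIF:-eth0}"              # assumed public interface
ALLOW_PORT="${ALLOW_PORT:-443}"     # assumed outbound TCP port to allow
RESOLVER="${RESOLVER:-192.0.2.53}"  # assumed DNS server (documentation range)

# emit_rules prints one iptables command per line, in the order they
# should be applied. Default policy DROP means anything not listed is lost.
emit_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $PUBIF -p udp -d $RESOLVER --dport 53 -j ACCEPT
iptables -A OUTPUT -o $PUBIF -p tcp -d $RESOLVER --dport 53 -j ACCEPT
iptables -A OUTPUT -o $PUBIF -p tcp --dport $ALLOW_PORT -j ACCEPT
EOF
}

# port_rules_without_proto counts rules that use --dport but never say -p;
# a port match is only meaningful for one protocol, so this should be 0.
port_rules_without_proto() {
    emit_rules | grep -- '--dport' | grep -vc -- '-p '
}

# dns_rules counts the rules that let DNS queries out (udp and tcp 53),
# the traffic the reply above points out would otherwise be blocked.
dns_rules() {
    emit_rules | grep -c -- '--dport 53'
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | sh      # apply for real (root required)
else
    emit_rules           # dry run: show what would be applied
fi
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root. The two counting helpers are the sanity checks a reviewer would want before flipping the policy to DROP on a machine that is reached over the network.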

