Hello David,

On Tue, 2004-01-13 at 23:24, David wrote:
[...]
> Actually, the whole ruleset from firestarter seems a bit complex for my
> setup. Wouldn't it be pretty sufficient for a single-system setup to
> have something basically like this:
>
> set policy for INPUT & FORWARD to DROP ( leave OUTPUT to ACCEPT?)
> set INPUT ESTABLISHED,RELATED to ACCEPT
> < add some logging facilities >
> < allow some icmp requests, maybe? >

It is considered "good behavior" to at least allow ICMP pings. Normally one
can do a -p ICMP -j ACCEPT.

> Wouldn't that pretty well take care of it?

For simple setups this indeed is enough since no unrequested (unrelated,
unestablished) connections can be made from the outside.

Setting FORWARD to DROP is kinda overkill IMO since INPUT is already
blocking everything. No need to add special rules there.

Just make sure that you include the device you want to filter (i.e. -i eth0
for cable or -i ppp0 for dialup/DSL). This will make sure that legitimate
connections from your LAN (and of course lo) will be allowed.

You can test your firewall on these sites:
https://grc.com/x/ne.dll?bh0bkyd2
http://www.dslreports.com/scan

HTH

-- 
Matthias Hentges
Cologne / Germany
[www.hentges.net] -> PGP welcome, HTML tolerated
ICQ: 97 26 97 4 -> No files, no URL's

My OS: Debian Woody. Geek by Nature, Linux by Choice
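As an added example (not part of Matthias's mail or of firestarter), a small shell script that turns the ruleset sketched above into iptables commands: INPUT policy DROP, OUTPUT left at ACCEPT, ESTABLISHED,RELATED accepted, pings answered, drops logged with a rate limit, and everything restricted to the external device. The EXT_IF variable and the DRY_RUN switch are my assumptions; packets that do not arrive on EXT_IF (lo, the LAN side) are accepted outright, which is what the "-i eth0" advice is meant to achieve.

```shell
#!/bin/sh
# Minimal single-host iptables ruleset (added example, not the mail's own code).
# Usage:  EXT_IF=eth0 sh firewall.sh             apply the rules
#         DRY_RUN=1 EXT_IF=ppp0 sh firewall.sh   only print the commands
# Assumptions: EXT_IF names the Internet-facing device; DRY_RUN is a
# hypothetical switch that prints instead of executing.

# run_rule: execute one iptables command, or echo it when DRY_RUN is set.
run_rule() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_ruleset: emit the complete INPUT ruleset for the device given as $1.
build_ruleset() {
    ext="$1"
    run_rule -F INPUT
    run_rule -P INPUT DROP          # default deny for unsolicited traffic
    run_rule -P OUTPUT ACCEPT       # outbound left open, as in the thread
    # Anything not coming in on the external device (lo, LAN) is trusted.
    run_rule -A INPUT ! -i "$ext" -j ACCEPT
    # Replies to connections this host opened itself.
    run_rule -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Answer pings, rate-limited so a flood cannot tie up the host.
    run_rule -A INPUT -i "$ext" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s -j ACCEPT
    # Log what is about to hit the DROP policy; LOG does not terminate,
    # so the packet still falls through to the policy. Rate-limited.
    run_rule -A INPUT -i "$ext" -m limit --limit 3/min \
        -j LOG --log-prefix "FW-DROP: "
}

# Only apply when the caller named a device; otherwise print usage.
if [ -n "$EXT_IF" ]; then
    build_ruleset "$EXT_IF"
else
    echo "usage: EXT_IF=<device> [DRY_RUN=1] sh $0" >&2
fi
```

Run it with DRY_RUN=1 first and compare the printed commands against what `iptables -L -n -v` shows afterwards; the scanner sites Matthias lists are a good external check once the rules are live.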