On Wed, Jan 14, 2004 at 08:15:34AM +0100, Matthias Hentges wrote:

> Hello David,
> On Tue, 2004-01-13 at 23.24, David wrote:
> [...]
> > Actually, the whole ruleset from firestarter seems a bit complex for my
> > setup. Wouldn't it be pretty sufficient for a single-system setup to
> > have something basically like this:
> >
> > set policy for INPUT & FORWARD to DROP ( leave OUTPUT to ACCEPT?)
> > set INPUT ESTABLISHED,RELATED to ACCEPT
> > < add some logging facilities >
> > < allow some icmp requests, maybe? >
>
> It is considered "good behavior" to at least allow ICMP pings.
> Normally one can do a -p ICMP -j ACCEPT.

Right now, I am allowing at least _some_ of these.

> > Wouldn't that pretty well take care of it?
>
> For simple setups this indeed is enough since no unrequested
> (unrelated, unestablished) connections can be made from the outside.
>
> Setting FORWARD to DROP is kinda overkill IMO since INPUT is already
> blocking everything. No need to add special rules there.
>
> Just make sure that you include the device you want to filter
> (i.e. -i eth0 for cable or -i ppp0 for dialup/DSL). This will make sure
> that legitimate connections from your LAN (and of course lo) will be
> allowed.

Yes. My system is dialup. The way firestarter set it up was that the firewall was not active until a connection was made. The firewall script was run from /etc/ppp/ip-up.d/ . The -i stuff was my IP address that was assigned to me on logon, found through "ifconfig". I changed -i to ppp0 and set up the firewall at bootup.

I may do a bit of changing, maybe even eliminating the firestarter stuff - just using the script that it generated. Instead of calling up the script directly, it runs its own program, "firestarter". I don't know what all it does, but it looks like simply calling the script directly would be enough.

Thanks for the reply. You've reassured me somewhat that I _can_ delete at least the rules I was questioning.
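The minimal ruleset sketched in this thread, written out as a runnable script. This is an added example, not David's script or the one firestarter generated; it assumes the external interface is ppp0 and iptables is on PATH, accepts anything not arriving on that interface (lo and a LAN) as Matthias suggests, and adds rate limits on the ping and logging rules that the thread does not mention.

```shell
#!/bin/sh
# Minimal stateful firewall for a single dialup host (added example, not the
# firestarter-generated script). Assumed: external interface ppp0, iptables on PATH.
# Run "sh fw.sh apply" as root, or "sh fw.sh show" to print the rules without applying.

firewall_rules() {
    ipt="${IPT:-iptables}"      # set IPT=echo to print rules instead of applying them
    ext="${EXT_IF:-ppp0}"       # the interface to filter (ppp0 for dialup, eth0 for cable)

    # Start clean so re-running from /etc/ppp/ip-up.d/ or at boot does not stack rules.
    "$ipt" -F INPUT
    "$ipt" -F FORWARD

    # Default policies: drop unsolicited inbound and forwarded packets, allow outbound.
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Only filter the external interface: lo and any LAN interface are accepted as-is.
    "$ipt" -A INPUT ! -i "$ext" -j ACCEPT

    # Replies to connections this host opened: the stateful match that does the real work.
    "$ipt" -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Answer pings, but rate-limit them so the link cannot be flooded with echo requests.
    "$ipt" -A INPUT -i "$ext" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT

    # Log what the INPUT policy is about to drop, rate-limited so the log stays readable.
    "$ipt" -A INPUT -i "$ext" -m limit --limit 10/minute \
        -j LOG --log-prefix "FW-DROP: "
}

case "${1:-}" in
    apply) firewall_rules ;;
    show)  IPT=echo firewall_rules ;;
esac
```

Everything not matched by an ACCEPT rule falls through to the INPUT DROP policy, so no explicit final DROP rule is needed.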