Hello James, Ok here goes and this is from the top of my head so please use "plug-and-prey"
Create a file called /etc/rc.d/rc.firewall. Edit rc.local and, below the fi, add /etc/rc.d/rc.firewall. Edit rc.firewall and add the following lines:

--snip--
echo Loading IPChains
insmod ipchains

echo Setting Vars
#NICs
ANY="any/0"
EXT="eth0"
LPB="lo"
#IP Address
EXTIP="192.168.0.1"
#IP Ranges
EXTLAN="192.168.0.0/24"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
ALLPORTS="0:65535"

#Darn Rulz !!! - For some people grin
echo Clearing Firewall Rulz
ipchains -F

echo Setting Default Rulz - Deny All
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

echo Setting IP Kernel Options and Loading Modules - If you want to
#The ip_masq helper modules and ip_forward are only needed when this box
#routes/masquerades for a LAN; a single-NIC host can leave them out.
depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_raudio
modprobe ip_masq_quake ports=26000,27000,27910,27960
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/ip_forward

echo Setting Loopback Rulz - Allow All
ipchains -A input -i $LPB -j ACCEPT
ipchains -A output -i $LPB -j ACCEPT

#Allow your machine to send data to *ANYWHERE* on *ANY* port
ipchains -A output -i $EXT -s $EXTIP -d $ANY -j ACCEPT

#Allow replies to connections this machine opened. ipchains keeps no
#connection state, so accept TCP packets that are not SYNs (! -y) and
#DNS answers coming back to unprivileged ports; without these the
#DENY input policy drops the return traffic of every outgoing connection.
ipchains -A input -i $EXT -p tcp ! -y -s $ANY -d $EXTIP $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXT -p udp -s $ANY 53 -d $EXTIP $UNPRIVPORTS -j ACCEPT

#Allow incoming traffic (new connections to 22, 80 and 443 only)
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 22 -j ACCEPT
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 80 -j ACCEPT
ipchains -A input -i $EXT -p tcp -s $ANY $UNPRIVPORTS -d $EXTIP 443 -j ACCEPT

#If you want to see the traffic the firewall denies (what does NOT make
#it past the rules above) then uncomment these lines. -i takes an
#interface name, not an address, so leaving it out means "any interface".
#ipchains -A input -j DENY -l
#ipchains -A output -j DENY -l
#use tail -f /var/log/messages to check the messages
#I would disable it because your logs might fill up quickly !
--snip--

To start the firewall once you're on the box and haven't rebooted, type /etc/rc

This should do what you want. Sorry, I don't know the firewall-config tool!
Cheers,
Pieter De Wit

-----Original Message-----
From: James Pifer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 2:51 PM
To: [EMAIL PROTECTED]
Subject: firewall-config tool

Is anyone familiar with the firewall-config tool that comes installed with 7.2? I have a system that I need to put on the internet so obviously I need to lock it down. I only want the following incoming ports open: 22, 80, and 443. When on the machine, either on the console or through an X session, I want it to have no restrictions going out. I've shut all the services down that I could, but I'd still like to lock it down as an extra safety measure. It's not a firewall and has only one NIC.

I'm trying to use the firewall-config tool to configure it, but it doesn't look right to me when I do ipchains -L. I'd be happy to send screen shots of the firewall-config settings directly to anyone if that will help. I'm also not sure what options I should use on the Options tab.

Here's the ipchains -L output:

[root]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
icmp       icmp ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             anywhere              any ->   any
ACCEPT     udp  ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             anywhere              ssh ->   ssh
ACCEPT     udp  ------  anywhere             anywhere              ssh ->   ssh
ACCEPT     tcp  ------  anywhere             anywhere              http ->   http
ACCEPT     udp  ------  anywhere             anywhere              http ->   http
ACCEPT     tcp  ------  anywhere             anywhere              https ->   https
ACCEPT     udp  ------  anywhere             anywhere              https ->   https
REJECT     tcp  ------  anywhere             anywhere              any ->   any
REJECT     udp  ------  anywhere             anywhere              any ->   any
Chain forward (policy DENY):
Chain output (policy ACCEPT):
Chain icmp (1 references):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              destination-unreachable
ACCEPT     icmp ------  anywhere             anywhere              source-quench
ACCEPT     icmp ------  anywhere             anywhere              time-exceeded
ACCEPT     icmp ------  anywhere             anywhere              parameter-problem
ACCEPT     icmp ------  anywhere             anywhere              echo-request
ACCEPT     icmp ------  anywhere             anywhere              echo-reply
DENY       all  ------  anywhere             anywhere              n/a
[root]#

My first rule is that I allow 192.168.1.8 (the current IP address of the machine itself) to go anywhere. Eventually this will get changed to a real internet address. Instead of listing the IP address I entered, ipchains -L has "any" for the source. It looks wide open to me based on the second and third rule listed.

Any help on this is greatly appreciated.

James

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
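The following is an added example, not code from either mail in this thread. It is a small audit script for the situation James describes: given an `ipchains -L` listing on stdin, it reports the chain's default policy, counts ACCEPT rules that match any source, any destination and any port (the "wide open" rules he spotted as the second and third entries), and lists which destination ports the chain accepts from anywhere. The embedded sample listing is constructed from James's output, trimmed to the input/forward/output chains and laid out in the column format `ipchains -L` prints; the awk field positions (target, proto, opt, source, destination, sport, `->`, dport) assume that layout.

```shell
#!/bin/sh
# Audit an `ipchains -L` listing read from stdin (added example, not from the thread).

# Constructed sample: James's input chain, in the column layout `ipchains -L` prints.
SAMPLE_LISTING='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
icmp       icmp ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             anywhere              any ->   any
ACCEPT     udp  ------  anywhere             anywhere              any ->   any
ACCEPT     tcp  ------  anywhere             anywhere              ssh ->   ssh
ACCEPT     udp  ------  anywhere             anywhere              ssh ->   ssh
ACCEPT     tcp  ------  anywhere             anywhere              http ->   http
ACCEPT     udp  ------  anywhere             anywhere              http ->   http
ACCEPT     tcp  ------  anywhere             anywhere              https ->   https
ACCEPT     udp  ------  anywhere             anywhere              https ->   https
REJECT     tcp  ------  anywhere             anywhere              any ->   any
REJECT     udp  ------  anywhere             anywhere              any ->   any
Chain forward (policy DENY):
Chain output (policy ACCEPT):
'

# chain_policy CHAIN: print the default policy (ACCEPT/DENY/REJECT) of CHAIN.
# The "Chain NAME (policy POLICY):" line puts the policy in field 4 with "):" glued on.
chain_policy() {
  awk -v chain="$1" '/^Chain / && $2 == chain { sub(/\):?$/, "", $4); print $4; exit }'
}

# wide_open_count CHAIN: number of ACCEPT rules in CHAIN whose source and
# destination are "anywhere" and whose ports are "any -> any", i.e. rules that
# accept every packet of that protocol regardless of any later, narrower rule.
wide_open_count() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    cur == chain && $1 == "ACCEPT" && $4 == "anywhere" && $5 == "anywhere" &&
      $6 == "any" && $8 == "any" { n++ }
    END { print n + 0 }'
}

# accepted_dports CHAIN: destination ports ACCEPTed from any source in CHAIN,
# one per line, sorted. "any" in this list means at least one rule is wide open.
accepted_dports() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    cur == chain && $1 == "ACCEPT" && $4 == "anywhere" { print $8 }' | sort -u
}

# report: run all three checks on the input chain of a listing read from stdin.
report() {
  listing=$(cat)
  echo "input policy:                     $(printf '%s\n' "$listing" | chain_policy input)"
  echo "wide-open ACCEPT rules in input:  $(printf '%s\n' "$listing" | wide_open_count input)"
  echo "ports accepted from anywhere:"
  printf '%s\n' "$listing" | accepted_dports input | sed 's/^/  /'
}

printf '%s\n' "$SAMPLE_LISTING" | report
```

On James's listing the report shows an ACCEPT default policy, two wide-open ACCEPT rules (the tcp and udp "any -> any" entries), and "any" among the accepted ports, which is exactly why the later ssh/http/https rules and the trailing REJECTs change nothing. On a live box the same functions can be fed with `ipchains -L | report` (without `-n`, since the matching relies on the symbolic "anywhere"/"any" output).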