Hello all. I got DSL about a month ago and with all the recent threads about people being cracked, I'm starting to get worried that my firewall might not be very good. I have a RHL 7.2 machine which I will upgrade to 7.3 as soon as I can find a server to download it from that's fast enough. I'm using ipchains.
Basically I run a script to implement my firewall from /etc/rc.d/rc.local that's the same as the one that comes with rp-pppoe. This box is my gateway, by the way. Here is the script:

[START OF SCRIPT]
#!/bin/bash

# flush all previous rules
/sbin/ipchains -F

# set default chain policies
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY

# deny TCP connection attempts (SYN packets) arriving on the DSL link
/sbin/ipchains -A input -l -i ppp+ -p tcp -y -j DENY

# deny TCP and UDP packets to privileged ports (1-1023)
/sbin/ipchains -A input -l -i ppp+ -d 0/0 0:1023 -p udp -j DENY
/sbin/ipchains -A input -l -i ppp+ -d 0/0 0:1023 -p tcp -j DENY

# deny ICMP echo-requests (pings)
/sbin/ipchains -A input -l -i ppp+ -s 0/0 echo-request -p icmp -j DENY

# masquerading for the internal network
/sbin/ipchains -A forward -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

# save configuration
service ipchains save
[END OF SCRIPT]

As I see it, this script doesn't allow people on the outside to use services like telnet and ftp (which I have running for the internal network) on my box. Does it do that well, or should I add some more rules to it? I want to only allow traffic for the web, SMTP, POP3, ftp, AIM, battle.net, etc., and nothing else, but I'm wondering if you go through the same ports on the client as you do on the server for these things. For example, when you go to a web site, you usually access port 80 on the server, but does it also go through port 80 on the client? If so, how would I implement rules that only allow traffic through those ports? Should I also block connection attempts through UDP and IPX? I hope these questions aren't very stupid, because I haven't found the documentation for ipchains to be that great, and especially for iptables, which I'd like to switch to. If there are any great web sites with examples of what I'm trying to achieve here, please send a URL. Are there any other things I should add to my firewall to make it better? Thanks in advance to all who reply.
-- 
This message is from Serban Giuroiu, also known online as The Gyzmo.
"Code Smarter, Not Harder"

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list