On Wed, May 15, 2002 at 10:05:08AM +1000, Cameron Simpson wrote:
> On 16:28 14 May 2002, The Gyzmo <[EMAIL PROTECTED]> wrote:
> | #modify chains
> | /sbin/ipchains -P input ACCEPT
> | /sbin/ipchains -P output ACCEPT
> | /sbin/ipchains -P forward DENY
> | 
> | #deny TCP connection attempts
> | /sbin/ipchains -A input -l -i ppp+ -p tcp -y -j DENY
> 
> You're doing this backwards. What you want is:
> 
>       /sbin/ipchains -P input REJECT
>       /sbin/ipchains -P output REJECT
>       /sbin/ipchains -P forward DENY
> 
> and then a bunch of rules to ACCEPT _only_ what you expect.
> Much much safer.

Other suggestions:

Make sure all services you don't need are definitely off.

If any services are LAN only, run on the internal interface only.
xinetd is good for this kind of thing.

Make sure all packages have errata updates applied as they are
released. If you can't do them all, do them for any network related
services at a minimum. 

Iptables is better. Especially for implementing the default DROP
policy (less monkey business with rules on allowing minimum level of 
traffic and tighter control all the way around).

-- 
Hal Burgiss
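The default-deny approach Cameron and Hal recommend, written for iptables as an added example (not a script from the thread or from either poster); the interface names, LAN network and the single LAN-only service are assumptions, and running it without `--apply` only prints the rules it would load.

```shell
#!/bin/sh
# Default-deny firewall in iptables: every built-in chain is set to DROP,
# then only expected traffic is ACCEPTed. Assumed (not from the thread):
# external link is ppp0, LAN is 192.168.1.0/24 on eth0, and the only
# inbound service is SSH from the LAN.
EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# IPT is the command prefix; "echo iptables" prints rules instead of loading them
IPT="echo iptables"

apply_firewall() {
    # Start clean, then default policy DROP on all three chains
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host started; everything it originates may leave
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # LAN-only service: new SSH connections accepted on the internal interface only
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Rate-limited log of inbound SYNs on the external link (like ipchains -l -y),
    # then the default DROP policy discards them
    $IPT -A INPUT -i "$EXT_IF" -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "FW-SYN-DROP: "
}

# Only load the rules for real when asked; otherwise show what would be loaded
case "$1" in
    --apply) IPT="iptables" ;;
esac
apply_firewall
```

Review the printed rules first, then run it as root with `--apply` to load them.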