At 5/15/2002 10:05 AM +1000, you wrote:

>You're doing this backwards. What you want is:
>
> /sbin/ipchains -P input REJECT
> /sbin/ipchains -P output REJECT
> /sbin/ipchains -P forward DENY
>
>and then a bunch of rules to ACCEPT _only_ what you expect.
>Much much safer.
Good advice. Better still is to use:

 /sbin/ipchains -P input DENY
 /sbin/ipchains -P output DENY
 /sbin/ipchains -P forward REJECT

People trying to get into your box will get their packets silently dropped and receive a timeout, while you, trying to get out, will receive an immediate error if you've misconfigured something. This is less unpleasant than waiting minutes for your own firewall to time you out.

Note that you should explicitly REJECT connections to port 113 from the outside in order to avoid timeouts due to IDENT requests. For example, when you try to send mail, some servers will send back an IDENT request on 113/tcp. If you DENY that, you'll sit there waiting for a minute while the request times out; if you REJECT it, you'll get much quicker results.

Finally, running your script *once*, making sure your firewall is configured how you want it, then issuing the "service ipchains save" command, will make your configuration permanent. You do not need to rerun the script every time from rc.local. Then, if you want to make changes, you change your script, rerun your script, and again issue "service ipchains save" to save your changes.

-- 
Rodolfo J. Paiz
[EMAIL PROTECTED]

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list