[olug] firewall script

mesc mescie at home.com
Wed Sep 20 17:14:32 UTC 2000


Thanks for those new rules. They were much easier to understand than that complex
script I had that that link built me, and best of all it worked! As far as I can tell,
when I need to access the internet with a new program I just add a rule to
it... like this for IRC?

ipchains -A input -p tcp -s 0/0 6667 -d 0/0 1024: -j ACCEPT
ipchains -A input -p udp -s 0/0 6667 -d 0/0 1024: -j ACCEPT

I don't know if it's right but it let IRC connect.


Thanks again, Gary Martin

Phil Brutsche wrote:

A long time ago, in a galaxy far, far away, someone said...

>
> > I was just looking over my firewall script and was wondering if udp/tcp input
> > could be affecting my box's inability to ping my DNS??
> >
> >             Gary Martin
> >
> > mesc wrote:
> >
> > > I went to http://www.linux-firewall-tools.com/linux/firewall/index.html
> > > and had a firewall written for my box and named it rc.firewall and put
> > > it in /etc/rc.d. When I boot up it reads starting firewalling........
> > > then hangs until I hit ^C, then the bootup process resumes normally. Once
> > > I'm booted up I can't go anywhere on the net; I get the unknown host
> > > error in Netscape. I can ping my box, but when I ping my domain name
> > > server I get operation not permitted, then the usual ping info with 0
> > > packets received. Here are some parts of my firewall script to look at. If
> > > they aren't the right parts just let me know and I'll send more.
> > >
> > > # Set the default policy of the filter to deny
> > > ipchains -P input DENY
> > > ipchains -P output REJECT
> > > ipchains -P forward DENY
>
> I think you've gone a little overboard with your firewall script: you're
> denying *everything* except DNS (and maybe even that, I didn't look very
> closely at your script).
>
> With your script you might as well not have an internet connection.
>
> This would be a good script to start off with (it's some really
> stripped-down output from pmfirewall, which some people like), although it
> has some flaws:
>
> ipchains -F
> ipchains -P input DENY
> ipchains -P forward REJECT
> ipchains -A input -s 127.0.0.1 -j ACCEPT
> ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024: -j ACCEPT
> ipchains -A input -p udp -s 0/0 53 -d 0/0 1024: -j ACCEPT
> ipchains -A input -p tcp -s 0/0 80 -d 0/0 1024: -j ACCEPT
> ipchains -A input -p tcp -s 0/0 443 -d 0/0 1024: -j ACCEPT
>
> An explanation: When you start a web connection, you typically connect to
> port 80 on the web server, which then makes a connection *back* to you
> from port 80.  Since ipchains doesn't have any way of knowing that the
> connection back to you is related to an already established connection,
> you have to tell it to allow anything coming from port 80.
>
> Port 443 is used by https and is subject to the same problem.  Ditto with
> DNS.
>
> Bonus points for the first guy that can make that work with iptables in
> two lines ie:
>
> iptables -P ...
> iptables -A INPUT ...
>
> :)
>
> --
> ----------------------------------------------------------------------
> Phil Brutsche                                   pbrutsch at creighton.edu
>
> "There are two things that are infinite; Human stupidity and the universe.
> And I'm not sure about the universe." - Albert Einstein
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: olug-unsubscribe at bstc.net
> For additional commands, e-mail: olug-help at bstc.net
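The stripped-down chain Phil quotes, with the flaw he alludes to, modelled as an added example (this is not code from the thread, from pmfirewall or from the linux-firewall-tools generator). It parses the ipchains command syntax used in the quoted rules, evaluates constructed packets against that chain under its DENY policy, and then runs the same packets through a minimal connection-tracking policy of the kind iptables provides with `-m state --state ESTABLISHED,RELATED`. The Packet and Conntrack classes, the sample addresses (RFC 5737 documentation ranges) and the port numbers are constructed for the illustration.

```python
"""Stateless ipchains-style filtering versus a connection-tracking policy.

Added example, not from the original thread. RULES are the quoted commands
verbatim; Packet, Conntrack and the sample traffic in demo() are constructed.
"""
from dataclasses import dataclass
import ipaddress
import shlex

ANY_PORT = (0, 65535)

# The stripped-down chain quoted in the thread, verbatim.
RULES = [
    "ipchains -A input -s 127.0.0.1 -j ACCEPT",
    "ipchains -A input -p tcp -s 0/0 53 -d 0/0 1024: -j ACCEPT",
    "ipchains -A input -p udp -s 0/0 53 -d 0/0 1024: -j ACCEPT",
    "ipchains -A input -p tcp -s 0/0 80 -d 0/0 1024: -j ACCEPT",
    "ipchains -A input -p tcp -s 0/0 443 -d 0/0 1024: -j ACCEPT",
]
POLICY = "DENY"   # ipchains -P input DENY


@dataclass(frozen=True)
class Packet:              # constructed simplification of an IP packet
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_address(spec):
    """ipchains shorthand: '0/0' means 0.0.0.0/0; a bare host is a /32."""
    addr, _, bits = spec.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{bits or 32}", strict=False)


def parse_ports(spec):
    """'53' -> (53, 53); '1024:' -> (1024, 65535); ':1023' -> (0, 1023)."""
    if ":" not in spec:
        return int(spec), int(spec)
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)


def parse_rule(command):
    """Turn one `ipchains -A input ...` command into a match dictionary."""
    toks = shlex.split(command)[1:]          # drop the program name
    rule = {"proto": None, "src": None, "sport": ANY_PORT,
            "dst": None, "dport": ANY_PORT, "target": None}
    i = 0
    while i < len(toks):
        flag, arg = toks[i], toks[i + 1]
        i += 2
        if flag == "-p":
            rule["proto"] = arg
        elif flag in ("-s", "-d"):
            side = "src" if flag == "-s" else "dst"
            rule[side] = parse_address(arg)
            # ipchains lets an optional port spec follow the address.
            if i < len(toks) and not toks[i].startswith("-"):
                rule[side[0] + "port"] = parse_ports(toks[i])
                i += 1
        elif flag == "-j":
            rule["target"] = arg
        # "-A input" needs no further handling in this single-chain model.
    return rule


def matches(rule, pkt):
    return ((rule["proto"] is None or rule["proto"] == pkt.proto)
            and (rule["src"] is None or ipaddress.ip_address(pkt.src) in rule["src"])
            and rule["sport"][0] <= pkt.sport <= rule["sport"][1]
            and (rule["dst"] is None or ipaddress.ip_address(pkt.dst) in rule["dst"])
            and rule["dport"][0] <= pkt.dport <= rule["dport"][1])


def stateless_verdict(pkt, rules=RULES, policy=POLICY):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy


class Conntrack:
    """Constructed minimal connection table: remembers outbound flows."""
    def __init__(self):
        self.flows = set()

    def note_outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def is_reply(self, pkt):
        # Inbound packet is a reply only if the mirrored outbound tuple was seen.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def stateful_verdict(pkt, ct, policy="DROP"):
    """Accept loopback and replies to tracked flows; everything else hits policy."""
    if ipaddress.ip_address(pkt.src).is_loopback or ct.is_reply(pkt):
        return "ACCEPT"
    return policy


def demo():
    """Return {name: (stateless verdict, stateful verdict)} for constructed traffic."""
    me, resolver, web = "10.0.0.5", "192.0.2.53", "198.51.100.7"   # constructed
    ct = Conntrack()
    ct.note_outbound(Packet("udp", me, 1025, resolver, 53))   # our DNS query
    ct.note_outbound(Packet("tcp", me, 1030, web, 80))        # our web request
    cases = {
        "dns_reply": Packet("udp", resolver, 53, me, 1025),
        "web_reply": Packet("tcp", web, 80, me, 1030),
        "unsolicited_from_80": Packet("tcp", web, 80, me, 2049),  # no flow matches
        "inbound_ssh": Packet("tcp", web, 40000, me, 22),
        "loopback": Packet("tcp", "127.0.0.1", 5000, "127.0.0.1", 6000),
    }
    return {n: (stateless_verdict(p), stateful_verdict(p, ct)) for n, p in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name:22s} stateless={old:6s} stateful={new}")
```

Running it shows why the quoted chain works for browsing and DNS: genuine replies arrive from port 53, 80 or 443 to a local port above 1023 and hit an ACCEPT rule, which is exactly the "connection back to you" Phil describes. It also shows the flaw: the chain cannot tell a reply from any other packet that happens to carry source port 80, so `unsolicited_from_80` is accepted as well, whereas the connection-tracking policy admits only packets that mirror a flow the host itself opened. Adding a rule per application, as in the IRC rules above, widens the same hole by one more source port each time.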

