
[Sheflug] Firewall Stuff



Dear All

I've come across a phenomenon in the world of firewall experts which
is difficult to understand.

The bit at the top of the ipchains firewall script always starts with
something like this.....

#Default to allowing nothing in, everything out.
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY

On my own network I find that input DENY blocks everything and I can't
see web pages or download e-mail.  When I put the lines....

#unlimited traffic on the loopback interface
ipchains -A input -i $lo -j ACCEPT
ipchains -A output -i $lo -j ACCEPT

to allow access from the LAN I still can't see web pages or e-mail. 
If I replace the "/sbin/ipchains -P input DENY" line with
"/sbin/ipchains -P input ACCEPT" then everything works fine.  However,
this probably disables the firewall ????  Also tried replacing $lo
with $eth0.

I've also tried...

/sbin/ipchains -P input  ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY

that works..... and.....

/sbin/ipchains -P input   DENY
/sbin/ipchains -P output  REJECT
/sbin/ipchains -P forward REJECT

which also stops the internal network completely.

I've checked inetd.conf, hosts.allow and hosts.deny.  All looks well
in there.

Can anyone offer any advice on what to do here?  I've read two books on
firewalling, which are Linux Firewalls by Robert Ziegler - I used to
write to him when he was at Berkeley - and Building Linux and OpenBSD
Firewalls by Wes Sonnenberg and Tom Yates.  The first one is the best.
However, neither of them wants to help me to run a home LAN.

Thanks

-- 
Richard
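The behaviour described in the post is what a stateless packet filter does: an input policy of DENY with no inbound rules drops the replies to every connection the LAN starts, and an output policy of ACCEPT does nothing to let those replies back in. The script below is an added example, not code from the post, showing a DENY input policy that still works for a home LAN by admitting loopback, the LAN interface, non-SYN TCP replies and DNS answers on the external side; the interface names (eth0 for the LAN, ppp0 for the link out) and the resolver address 192.0.2.53 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): an ipchains rule set for a
# home LAN that keeps "-P input DENY" and still lets replies back in.
# ipchains is stateless, so every reply must be matched by an explicit
# inbound rule. Interface names and the resolver address are assumptions.

# gen_rules LAN_IF EXT_IF NAMESERVER  -> prints the ipchains commands
gen_rules() {
    lan_if=$1; ext_if=$2; ns=$3
    cat <<EOF
/sbin/ipchains -F
/sbin/ipchains -P input DENY
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward DENY
# Loopback: the kernel interface is literally called "lo".
/sbin/ipchains -A input -i lo -j ACCEPT
# Trust the LAN side of the firewall completely.
/sbin/ipchains -A input -i $lan_if -j ACCEPT
# External interface: admit only what looks like a reply to us.
# "! -y" matches TCP packets that are not an initial SYN, i.e. packets
# belonging to a connection that a LAN host already opened.
/sbin/ipchains -A input -i $ext_if -p tcp ! -y -j ACCEPT
# DNS answers from our resolver to an unprivileged local port.
/sbin/ipchains -A input -i $ext_if -p udp -s $ns 53 -d 0/0 1024:65535 -j ACCEPT
# ICMP errors that TCP needs to keep working (path MTU, unreachables).
/sbin/ipchains -A input -i $ext_if -p icmp --icmp-type destination-unreachable -j ACCEPT
# Anything else arriving from outside is logged (-l) before the DENY policy drops it.
/sbin/ipchains -A input -i $ext_if -l -j DENY
EOF
}

# Number of rules that admit traffic arriving on the external interface;
# useful as a sanity check before loading the rules.
count_ext_accepts() {
    gen_rules "$@" | grep -c -- "-i $2 .* -j ACCEPT"
}

gen_rules eth0 ppp0 192.0.2.53
```

Run it to print the rule set; once the interface names and resolver match the host, pipe the output into sh on the firewall.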

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.