[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Firewall Stuff

To: Sheflug <sheflug [at] vuw.ac.nz>
Subject: Re: [Sheflug] Firewall Stuff
From: Richard Lowe <nospam [at] btinternet.com>
Date: Sun, 7 Jan 2001 13:23:14 +0000
List-help: <http://www.sheflug.co.uk>
List-owner: <mailto:sheflug-admins [at] vuw.ac.nz>
List-post: <mailto:sheflug [at] vuw.ac.nz>
List-subscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=subscribe>
List-unsubscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=unsubscribe>
Reply-to: "Sheflug" <sheflug [at] vuw.ac.nz>
Sender: Richard Lowe <richlowe [at] rata.vuw.ac.nz>
Sender: sheflug-bounce [at] vuw.ac.nz
User-Agent: Mutt/1.3.12i

* Richard (richard [at] sheflug.co.uk) wrote:
> Dear All
> 
> I've come across a phenomenon in the world of firewall experts which
> is difficult to understand.
> 
> The bit at the top of the ipchains firewall script always start with
> some thing like this.....
> 
> #Default to allowing nothing in, everything out.
> /sbin/ipchains -P input DENY
> /sbin/ipchains -P output ACCEPT
> /sbin/ipchains -P forward DENY

Set the input chain policy to DENY, now you *nothing* can come in


> on my own network I find that input DENY blocks everything and I can't
> see web pages or download e-mail.  when I put the lines....
> 
> #unlimited traffic on the loopback interface
> ipchains -A input -i $lo -j ACCEPT
> ipchains -A output -i $lo -j ACCEPT

Traffic can move freely on the loopback interface
But nothing from outside can come in


At somepoint after this, you ACCEPT traffic from/to ports/hosts that you
want to get through.

ipchains -A input -s 0/0 80 -j ACCEPT

will allow all traffic in, with a source port of 80 for example.

> to allow access from the LAN I still can't see web pages or e-mail. 
> If I replace the "/sbin/ipchains -P input DENY" line with
> "/sbin/ipchains -P input ACCEPT" then everything works fine.  However,
> this probably disables the firewall ????  Also tried replacing $lo
> with $eth0.
> 

<snip>

> Can anyone offer any advice what to do here ?  I've read two books on
> firewalling which are Linux Firewalls by Robert Ziegler - I used to
> write to him when he was at Berkely - and building Linux and Open BSD
> Firewall by Wes Sonnerich and Tom Yates.  First one is the best. 
> However, neither of them want to help me to run a home LAN.
> 

The IPChains-HOWTO and Security-HOWTO both explain everything better
than I can, and iirc both have useful examples with a LAN in mind.

--
|*-------------------=[ Richard Lowe ]=------------------*|
| richlowe [at] btinternet.com                   UIN: 74724348 |           
|*-------------------------------------------------------*|
| Europe has the Kilogram and the Meter.                  |
| America has the Pound and the Inch.                     |
| Childrens TV has the Elephant and the Double Decker Bus |
|*-------------------------------------------------------*|
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

Follow-Ups:
- [Sheflug] Re: Firewall Stuff
  - From: Richard <richard [at] sheflug.co.uk>
- Re: [Sheflug] Firewall Stuff
  - From: "Alex Hudson" <home [at] alexhudson.com>
- Re: [Sheflug] Firewall Stuff
  - From: "Lewis Ashton" <lsa [at] supanet.com>

References:
- [Sheflug] Firewall Stuff
  - From: Richard <richard [at] sheflug.co.uk>

Prev by Date: [Sheflug] Firewall Stuff
Next by Date: Re: [Sheflug] Netscape and Java ...
Prev by thread: [Sheflug] Firewall Stuff
Next by thread: [Sheflug] Re: Firewall Stuff
Index(es):
- Date
- Thread