
Re: [Sheflug] Firewall Stuff



> > #Default to allowing nothing in, everything out.
> > /sbin/ipchains -P input DENY
> > /sbin/ipchains -P output ACCEPT
> > /sbin/ipchains -P forward DENY
>
> Set the input chain policy to DENY, now *nothing* can come in
>
> > #unlimited traffic on the loopback interface
> > ipchains -A input -i $lo -j ACCEPT
> > ipchains -A output -i $lo -j ACCEPT
>
> Traffic can move freely on the loopback interface
> But nothing from outside can come in

To be honest, on a dial up security isn't that much of a problem. I'd do a
policy accept, and reject all syn packets on the ippp0 interface ('cept
maybe ftp, but that's not strictly necessary ;).

ipchains -A input -p tcp -s 0/0 -i ippp0 -y -j REJECT

. I think?

You may also want to stop private IPs going out, i.e.

ipchains -A output -s 192.168.0.0/24 -d 0/0 -i ippp0 -j DENY

but your ISP will munch it anyway, so not strictly necessary...

Cheers,

Alex.

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.
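
An added example, not part of the original thread: a small stateless model of how the input chain decides a packet under the two setups discussed above (policy DENY with only loopback accepted, versus policy ACCEPT with inbound TCP SYNs refused on ippp0). The function names and sample packets are constructed for illustration, and only the rules visible in this message are modelled.

```shell
#!/bin/sh
# Stateless, first-match model of the two input-chain setups in this thread.
# Hypothetical helpers; arguments are <interface> <protocol> <tcp-flags or "-">.

# Quoted script: -P input DENY, plus "-A input -i $lo -j ACCEPT".
strict_input() {
    iface=$1
    case "$iface" in
        lo) echo ACCEPT ;;   # loopback rule matches first
        *)  echo DENY ;;     # nothing else matches, so the DENY policy applies
    esac
}

# Reply's suggestion: policy ACCEPT, refuse new inbound TCP connections on ippp0.
# ipchains "-y" matches TCP packets with SYN set and ACK/FIN clear.
dialup_input() {
    iface=$1 proto=$2 flags=$3
    if [ "$iface" = ippp0 ] && [ "$proto" = tcp ] && [ "$flags" = SYN ]; then
        echo REJECT          # connection attempt from outside
    else
        echo ACCEPT          # everything else falls through to the policy
    fi
}

# Print both verdicts side by side for one constructed packet.
compare() {
    printf '%-6s %-4s %-8s strict=%-7s dialup=%s\n' "$1" "$2" "$3" \
        "$(strict_input "$@")" "$(dialup_input "$@")"
}

compare lo    tcp SYN       # local traffic: allowed by both
compare ippp0 tcp SYN       # inbound connection attempt: blocked by both
compare ippp0 tcp SYN,ACK   # reply to an outbound connection
compare ippp0 udp -         # inbound UDP datagram
```

The last two rows are the ones to look at: the quoted rules on their own also drop replies to connections the machine itself opened, while the SYN-only approach lets replies through but does not filter inbound UDP at all.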