[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Re: Firewall Stuff

To: Sheflug <sheflug [at] vuw.ac.nz>
Subject: Re: [Sheflug] Re: Firewall Stuff
From: Barrie Bremner <nospam [at] ecosse.net>
Date: Sun, 07 Jan 2001 16:37:41 +0000
List-help: <http://www.sheflug.co.uk>
List-owner: <mailto:sheflug-admins [at] vuw.ac.nz>
List-post: <mailto:sheflug [at] vuw.ac.nz>
List-subscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=subscribe>
List-unsubscribe: <mailto:sheflug-request [at] vuw.ac.nz?Subject=unsubscribe>
Reply-to: "Sheflug" <sheflug [at] vuw.ac.nz>
Sender: baz [at] rata.vuw.ac.nz
Sender: sheflug-bounce [at] vuw.ac.nz

Richard wrote:
> 
> Alex
> 
> Alex Hudson wrote:
> 
> > cat /etc/services | grep 'thing-to-search-for'
> >
> > i.e., www, ftp, ssh, etc...
> >
> > > ipchains -A input -s 0/0 3128 -j accept
> 
> I've been able to get the internal LAN to ping itself with the
> firewall running and connected to my ISP.  Couldn't do that before.
> But, pinging my ISP reveals that there's nothing there.  Tried lots
> of.....
> 
> ipchains -A input -s 0/0 80 -j accept
> 
> also on ports 110, 25 and 21 which is ftp and still can't get through
> to my ISP after that. Also tried port 53 in the hope that might work.
> Nothing.  If I change the bit at the top of the file to ACCEPT from
> DENY it works fine but I can't see that the firewall will work in the
> way that it should if I do that.

 Have you looked at the ipchains howto? It's pretty good.

Just saying 

   ipchains -P input DENY or ipchains -P input REJECT

will drop everything going into the firewall box.

That is the policy that is being set - i.e. the firewall falls back on
that if you don't have a rule in place to tell it what to do.

   ipchains -A input -s 0.0.0.0/0 80 -j ACCEPT

tells the firewall box to accept all traffic (TCP and UDP and probably
ping traffic too!) coming from anywhere on port 80.
As it stands, your firewall will then fall back on the default policy
for the input chain for everything else - and deny it.

Changing the policy to ACCEPT (ipchains -P input ACCEPT) means that the
firewall will accept any connections not specifically blocked by a rule,
hence why everything works when you do that - you currently aren't
blocking anything.

I can email you my firewall config if you like, with a few notes. Some
of it is taken straight from the howto, other stuff isn't.
My config is fairly straightforward - deny most stuff, do the IP
masquarading, and basically leave it at that.

 Baz.

--
Barrie J. Bremner

TheEnglishman [at] ecosse.net | OpenPGP public key ID: 5164F553
	    http://www.geocities.com/thefatenglishman
	    [Contact information available at website]

   "Linux? Is that some kind of MacOS?"
      -- BT technical support
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.

Follow-Ups:
- Re: [Sheflug] Re: Firewall Stuff
  - From: "Alex Hudson" <home [at] alexhudson.com>

References:
- [Sheflug] Firewall Stuff
  - From: Richard <richard [at] sheflug.co.uk>
- Re: [Sheflug] Firewall Stuff
  - From: Richard Lowe <richlowe [at] btinternet.com>
- [Sheflug] Re: Firewall Stuff
  - From: Richard <richard [at] sheflug.co.uk>
- Re: [Sheflug] Re: Firewall Stuff
  - From: "Alex Hudson" <home [at] alexhudson.com>
- [Sheflug] Re: Firewall Stuff
  - From: Richard <richard [at] sheflug.co.uk>

Prev by Date: Re: [Sheflug] Re: Firewall Stuff
Next by Date: [Sheflug] Re: Firewall Stuff
Prev by thread: [Sheflug] Re: Firewall Stuff
Next by thread: Re: [Sheflug] Re: Firewall Stuff
Index(es):
- Date
- Thread