RE: Firewalls, ipchains, help requested


From: Jeff Barr (jeff@vertexdev.com)
Date: Fri May 18 2001 - 06:41:38 PDT


You may want to try something like Firestarter
(http://firestarter.sourceforge.net/). It is a visual rule editor
and traffic monitor. If you see some traffic that you do not like
you can just right-click on it to create a rule which blocks it.

Jeff;

PS - You are a brave man to post your rules in public like this.

-----Original Message-----
From: Robert Harley [mailto:Robert.Harley@inria.fr]
Sent: Friday, May 18, 2001 5:50 AM
To: fork@xent.ics.uci.edu
Subject: Firewalls, ipchains, help requested

Are any FoRKers intimate with the details of ipchains?

I've got RedHat 7.1 with all updates on an IBM xSeries 220 connected
via PPPoE over an ADSL network terminator (Alcatel Speed Touch Home).

I want to do normal stuff like web surfing, telnet outwards... and
serve Web pages with Apache at: http://217.11.171.36/

How to keep the huns out?

I browsed around for ipchains rulesets and found a lot of junk but
some OK-looking stuff which I tweaked slightly. A little bit of
knowledge is a dangerous thing...

Any devastating screwups in the following?

==============================================================================
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  127.0.0.1             127.0.0.1             n/a
TCP_IN     tcp  ------  0.0.0.0/0             0.0.0.0/0             * -> *
UDP_IN     udp  ------  0.0.0.0/0             0.0.0.0/0             * -> *
ICMP_IN    icmp ------  0.0.0.0/0             0.0.0.0/0             * -> *
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a
Chain forward (policy DENY):
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  0.0.0.0/0             0.0.0.0/0             3 -> *
ACCEPT     icmp ------  0.0.0.0/0             0.0.0.0/0             8 -> *
DENY       icmp ----l-  0.0.0.0/0             0.0.0.0/0             * -> *
ACCEPT     tcp  ------  217.11.171.36         0.0.0.0/0             80 -> 1023:65535
DENY       tcp  ----l-  0.0.0.0/0             0.0.0.0/0             0:1023 -> *
DENY       udp  ----l-  0.0.0.0/0             0.0.0.0/0             0:1023 -> *
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
Chain ICMP_IN (1 references):
target     prot opt     source                destination           ports
PRIVATE    icmp ------  0.0.0.0/0             0.0.0.0/0             0 -> *
PRIVATE    icmp ------  0.0.0.0/0             0.0.0.0/0             3:4 -> *
PRIVATE    icmp ------  0.0.0.0/0             0.0.0.0/0             11:12 -> *
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             * -> *
Chain TCP_IN (1 references):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  0.0.0.0/0             217.11.171.36         1023:65535 -> 80
DENY       tcp  ----l-  0.0.0.0/0             0.0.0.0/0             * -> 0:1023
DENY       tcp  ----l-  0.0.0.0/0             0.0.0.0/0             * -> 6000:6063
DENY       tcp  -y--l-  0.0.0.0/0             0.0.0.0/0             * -> *
PRIVATE    all  ------  0.0.0.0/0             0.0.0.0/0             n/a
Chain UDP_IN (1 references):
target     prot opt     source                destination           ports
DENY       udp  ----l-  0.0.0.0/0             0.0.0.0/0             * -> 0:1023
DENY       udp  ----l-  0.0.0.0/0             0.0.0.0/0             * -> 6000:6063
PRIVATE    all  ------  0.0.0.0/0             0.0.0.0/0             n/a
Chain PRIVATE (5 references):
target     prot opt     source                destination           ports
DENY       all  ----l-  10.0.0.0/8            0.0.0.0/0             n/a
DENY       all  ----l-  127.0.0.0/8           0.0.0.0/0             n/a
DENY       all  ----l-  169.254.0.0/16        0.0.0.0/0             n/a
DENY       all  ----l-  172.16.0.0/12         0.0.0.0/0             n/a
DENY       all  ----l-  192.168.0.0/16        0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0             0.0.0.0/0             n/a
==============================================================================

Comments much appreciated.

R
    .-. .-.
   / \ .-. .-. / \
  / \ / \ .-. _ .-. / \ / \
 / \ / \ / \ / \ / \ / \ / \
/ \ / \ / `-' `-' \ / \ /
\
           \ / `-' `-' \ /
            `-' `-'
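To see what the ruleset quoted above actually does to a given packet without loading it into a kernel, here is an added example (not part of either message, and not ipchains itself) that transcribes the listing into Python and walks the chains the way ipchains does: the first matching terminal rule decides, a jump into a user chain falls through to the next rule if that chain reaches its end without a verdict, and the built-in chains fall back to their policy. The remote address 198.51.100.7 and every packet in the demo are constructed for the example. Running it shows, among other things, that a SYN to port 80 is accepted by the first TCP_IN rule before the PRIVATE chain is ever consulted, so the private-source filter does not apply to web traffic; that echo requests (type 8) are denied inbound while echo replies (type 0) are denied outbound; and that a non-SYN TCP packet to any port above 1023 falls through to PRIVATE and is accepted, since ipchains keeps no connection state to check it against.

```python
"""Offline model of the ipchains listing above (constructed example, not ipchains)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET, ANY_PORT = "0.0.0.0/0", (0, 65535)
HOST = "217.11.171.36"         # the Apache host's address from the listing
TERMINAL = ("ACCEPT", "DENY", "REJECT")
POLICY = {"input": "DENY", "forward": "DENY", "output": "ACCEPT"}


@dataclass(frozen=True)
class Rule:
    target: str                # terminal verdict, or the user chain to jump to
    proto: str = "all"
    src: str = ANY_NET
    dst: str = ANY_NET
    sport: tuple = ANY_PORT    # ipchains keeps the ICMP type in the source-port slot
    dport: tuple = ANY_PORT    # and the ICMP code in the destination-port slot
    syn: bool = False          # the -y flag: match only TCP packets with SYN set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0             # ICMP: type
    dport: int = 0             # ICMP: code
    syn: bool = False


PRIVATE_NETS = ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
# The listing, transcribed chain by chain in the order ipchains -L -n printed it.
CHAINS = {
    "input": [Rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"), Rule("TCP_IN", "tcp"),
              Rule("UDP_IN", "udp"), Rule("ICMP_IN", "icmp"), Rule("DENY")],
    "forward": [],
    "output": [Rule("ACCEPT", "icmp", sport=(3, 3)),   # destination-unreachable out
               Rule("ACCEPT", "icmp", sport=(8, 8)),   # echo-request out
               Rule("DENY", "icmp"),                   # all other ICMP, echo-reply included
               Rule("ACCEPT", "tcp", src=HOST, sport=(80, 80), dport=(1023, 65535)),
               Rule("DENY", "tcp", sport=(0, 1023)), Rule("DENY", "udp", sport=(0, 1023)),
               Rule("ACCEPT")],
    "ICMP_IN": [Rule("PRIVATE", "icmp", sport=t) for t in ((0, 0), (3, 4), (11, 12))]
               + [Rule("DENY")],
    "TCP_IN": [Rule("ACCEPT", "tcp", dst=HOST, sport=(1023, 65535), dport=(80, 80)),
               Rule("DENY", "tcp", dport=(0, 1023)), Rule("DENY", "tcp", dport=(6000, 6063)),
               Rule("DENY", "tcp", syn=True), Rule("PRIVATE")],
    "UDP_IN": [Rule("DENY", "udp", dport=(0, 1023)), Rule("DENY", "udp", dport=(6000, 6063)),
               Rule("PRIVATE")],
    "PRIVATE": [Rule("DENY", src=n) for n in PRIVATE_NETS] + [Rule("ACCEPT")],
}


def matches(rule, pkt):
    """True if the packet satisfies every selector of the rule."""
    if rule.proto not in ("all", pkt.proto):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
        return False
    if not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return not rule.syn or (pkt.proto == "tcp" and pkt.syn)


def verdict(chain, pkt):
    """Walk a chain in order, as ipchains does: the first matching terminal rule
    decides; a matching jump runs the user chain and falls through to the next rule
    if that chain ends without a verdict; built-in chains fall back to their policy."""
    for rule in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        decided = verdict(rule.target, pkt)
        if decided is not None:
            return decided
    return POLICY.get(chain)      # None for a user chain: return to the caller


if __name__ == "__main__":
    CLIENT = "198.51.100.7"    # constructed remote address (TEST-NET-2)
    for chain, label, pkt in [
        ("input", "SYN to :80 from the Internet", Packet("tcp", CLIENT, HOST, 40000, 80, syn=True)),
        ("input", "SYN to :80 from a 10/8 source", Packet("tcp", "10.1.2.3", HOST, 40000, 80, syn=True)),
        ("input", "SYN to :22", Packet("tcp", CLIENT, HOST, 40000, 22, syn=True)),
        ("input", "non-SYN packet to a high port", Packet("tcp", CLIENT, HOST, 80, 40000)),
        ("input", "echo request (type 8) in", Packet("icmp", CLIENT, HOST, 8)),
        ("output", "ident reply from :113", Packet("tcp", HOST, CLIENT, 113, 40000)),
        ("output", "echo reply (type 0) out", Packet("icmp", HOST, CLIENT, 0)),
    ]:
        print(f"{chain:6s} {label:32s} {verdict(chain, pkt)}")
```

The model deliberately ignores what the listing does not show (interfaces, fragments, the logging flag), so it answers only the question "which rule fires first for this packet"; to check a different ruleset, edit CHAINS and POLICY and re-run.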



This archive was generated by hypermail 2b29 : Fri May 18 2001 - 06:50:33 PDT