I see why I should set the "--state NEW" flag on port 80. Would I be sure that it wouldn't hamper the webserver though? And if I'd like to block an IP out of the system, how would that be done the easiest way? Put a rule in PAROLE?
//Tore Nilsson

----- Original Message -----
From: "DEFFONTAINES Vincent" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Wednesday, December 04, 2002 3:45 PM
Subject: RE: IPTables configuration.

> The call of PAROLE for TCP DST 80 packets isn't restrictive enough.
> I would call that rule only this way:
> replace
> 384 19428 PAROLE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> with a rule like:
> /sbin/iptables -p tcp --dport 80 -m state --state NEW -j PAROLE
> in the PUB_IN chain
>
> So that (nearly) only SYN packets go through that rule, not forget TCP
> session packets.
>
> Your firewall allows all OUT, that is not a bad policy if you trust all
> users and applications you run.
> I would agree with that policy for a personal firewall as this seems to be.
>
> I don't really like the general looking of the rest (some useless chains,
> some useless calls).
>
> The FORWARD chain could be empty, since the ESTABLISHED, RELATED chain in it
> will never match any packet.
> Maybe you want to LOG some packets in that rule, that is another option.
>
> Chains INT_IN and INT_OUT are never used, delete them.
>
> Call to chain PUB_OUT is useless, and could be forgotten, as well as that
> chain.
>
> This seems to be a very "tiny" (personal) firewall.
>
> Probably most important in all I said: set the NEW state in incoming TCP 80
> packets.
> The rest is just to make your rules cleaner, it doesn't modify the way the
> firewall works.
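As an added example (not code from either message in this thread), a small POSIX shell script that audits an iptables-save style listing for the loose port-80 rule Vincent describes and rewrites it with the state match. The sample rule lines are constructed; only the chain names PUB_IN and PAROLE are taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: find a "-p tcp --dport 80" rule that
# hands every packet (not only connection openers) to the PAROLE chain, and
# emit the corrected rule set with "-m state --state NEW" added.

# Constructed sample of what "iptables-save" might print for the firewall in
# the thread; the port-80 rule has no state match.
SAMPLE_RULES='-A INPUT -i ppp0 -j PUB_IN
-A PUB_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A PUB_IN -p tcp --dport 80 -j PAROLE
-A PAROLE -j ACCEPT'

# Print every rule that matches TCP port 80 without restricting it to new
# connections. Exit status 0 means at least one loose rule was found (bad),
# 1 means none (good), which is grep's own status on the last pipe stage.
find_loose_port80() {
    printf '%s\n' "$1" | grep -e '--dport 80' | grep -v -e '--state NEW'
}

# The rule Vincent proposes: only packets opening a new connection reach
# PAROLE; packets of an already accepted session are handled by the
# ESTABLISHED,RELATED rule that precedes it in PUB_IN.
tight_port80_rule() {
    echo "-A PUB_IN -p tcp --dport 80 -m state --state NEW -j PAROLE"
}

# Rewrite the loose PUB_IN port-80 rule to the tight form, leaving every other
# line untouched ("-m tcp" between "-p tcp" and "--dport" is tolerated).
fix_rules() {
    printf '%s\n' "$1" | sed \
      's/^\(-A PUB_IN -p tcp .*--dport 80\) -j PAROLE$/\1 -m state --state NEW -j PAROLE/'
}

if find_loose_port80 "$SAMPLE_RULES" >/dev/null; then
    echo "loose port-80 rule found; corrected rule set:"
    fix_rules "$SAMPLE_RULES"
fi
```

Point the script at real output by replacing SAMPLE_RULES with `$(iptables-save)`; the corrected lines can then be reviewed before being loaded with iptables-restore.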