On Wed, 2 Apr 2003, Vineet Kumar wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [20030402 09:21 PST]:
> > Hugh Saunders wrote:
> > >[OFF-LIST]
> > >
> > >On Wed, Apr 02, 2003 at 01:47:20PM -0100, ernst wrote:
> > >
> > >>test - please ignore
> > >
> > ><flame>
> > >it is *never* necessary to post a test message.
> > ></flame>
> > >
> > >why not just post something relevant (as that is why you joined the list
> > >(hopefully)) then see if you get it back?
> > >
> > >Sometimes takes 30mins or so for message to come back from the
> > >list servers.
> > >
> > >hugh
> >
> > Sorry about this, I'll never do it again.
> >
> > So to my question,
> > I have a debian box configured as firewall with iptables. Basically
> > accepting all traffic out and only ssh in. But this rule says "Allow
> > everyone access". Here is from the firewall script:
> > <snip>
> > /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
> > /sbin/iptables -A INPUT -p udp --dport ssh -j ACCEPT
> > </snip>
>
> Why do you allow inbound UDP port 22? I've never heard of any sshd
> running over UDP.
>
Well... there you see, I need help :) That was taken from a google result. I thought about the same thing, but wasn't 100% sure, so I just added UDP as well.

> > Is there an easy way to change the rule so I can limit to e.g.:
> > one host?
> > one net/subnet
> > or users?
>
> Do you mean you only want to allow packets from a given source? How
> about the --source option?
>
I have looked at it; that would partly solve what I have thought about for how to configure my firewall. But if I read the man page right, this option has its limitations. I also looked at the "mac" option, and that will, I think, cover what I thought of. Let's say that I only want to grant access to me, from my laptop when I'm traveling; then I could use that option. Right?

> As for 'users', what do you mean? You can match outgoing packets with
> the user running the process that generated them with the --uid-owner
> option. For non-locally-generated packets, it just doesn't make any
> sense.
>
Maybe I wasn't clear: I want access to that firewall from outside with ssh, and only me. Then I need some validation, right? If I can do that with the MAC address, that's fine, but I can't limit the access to an IP range/single address. Then it wouldn't be possible to access it when traveling, logging on from different locations.

> > Another problem is when I run "iptables -L" after stop and start,
>
> stop and start what? iptables is not a running daemon.
>
I've got two files for the firewall: one firewall.rules and a script collecting the rules from that file and enabling IP forwarding. Then I can: start, stop, restart, list.

> > I'll get the same result. Is there a way to "flush", or clean up the
> > rules?
>
> man iptables | less +/flush
>
Done that; the command didn't make any difference.

> (the answer is '-F'). But really, these are precisely the type of
> questions that the man page can answer for you in a few seconds. Give
> it a try.
>
> good times,
> Vineet
>
> --
> http://www.doorstop.net/
> --
> http://www.digitalconsumer.org/
>
Thanks a lot for the tips and pointers, I'll know what to look into now :) I guess one or more of these options will solve my problem.

thanks
/ernst
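As an added example (not a script from this thread or from either poster), here is the start/stop/restart/list script shape ernst describes, with the two points Vineet raised applied: ssh is allowed on TCP only, restricted to one source network with `-s`, and `stop` flushes with `-F` so a restart never appends duplicate rules. `ADMIN_NET` (203.0.113.0/24) is a constructed placeholder, and `DRY_RUN=1` is an assumed convenience that prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example firewall script: ssh (TCP only) allowed in from one admin subnet,
# everything else inbound dropped, all outbound allowed. DRY_RUN=1 prints the
# iptables commands instead of running them (applying for real needs root).
IPT=/sbin/iptables
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # constructed value: only source allowed to ssh in

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

fw_stop() {
    # -F flushes every rule in the filter table, -X deletes empty user chains,
    # then the default policies are opened again
    run -F
    run -X
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
}

fw_start() {
    fw_stop           # start from a clean table, so restart does not append duplicates
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # sshd speaks TCP only, so there is no UDP rule; -s (--source) limits
    # new ssh connections to ADMIN_NET
    run -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
}

fw_list() {
    run -L -n -v --line-numbers
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_start ;;   # fw_start already flushes first
    list)    fw_list ;;
    *)       echo "usage: $0 {start|stop|restart|list}" >&2 ;;
esac
```

A MAC address only survives on the local Ethernet segment and is rewritten at every router hop, so `-m mac --mac-source` cannot identify a laptop connecting from the Internet; for logins from changing locations the practical control is in sshd itself (key-only authentication and an `AllowUsers` list) rather than in the packet filter.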