Nick Thompson wrote:

> Hello,
>
> With LM8.1 I am trying to shore up my machine using Bastille - I don't 
> need anything complex. Setup went fine, but now I'm trying to 
> understand what it has done. iptables -L says:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> DROP       tcp  --  anywhere             127.0.0.0/8
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> PUB_IN     all  --  anywhere             anywhere
> PUB_IN     all  --  anywhere             anywhere
> PUB_IN     all  --  anywhere             anywhere
>
> ...snip the rest which seems fine. Rules 3 & 4 in the INPUT chain 
> confuse me. Rule 3 looks like it will accept anything whatsoever, so 
> none of the following rules will be used. Have I misunderstood? Rule 4 
> looks okay, I'm just not sure what it's there for.
>
> Also since Bastille is run at boot, do connections brought up later 
> get protected or do I need to re-run something?
>
> Thanks for any help,
> Nick.
>
I was confused by this as well. Try
#service bastille-firewall status
It lists additional criteria that are not shown by iptables -L. It looks 
fine then (I think). Perhaps there's some option for more verbose output.

iptables -L or bastille-firewall status should show what applies to any 
packet that comes to your box (or is sent from your box). As connections 
are realized using packets, the rules apply to any new connection and 
(to a limited extent) to any established connection. The limitation here 
is that if you try to filter initial packets of a connection, these may 
already have been exchanged by the time you apply your rules,
i.e.
-+----------------------+-----------------------+----------------------->
 |                      |                       |
 +-a connection starts  +-you apply your rules  +-another connection starts
  you aren't filtering    you can drop packets    you may prevent this connection
  this connection yet     of any connections you  from establishing if its initial
                          don't like, terminating packets are dropped by your rules
                          them
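The reply's point that plain iptables -L hides some match criteria can be checked against iptables -L -v -n, which adds the "in" and "out" interface columns that the short listing omits. The following is an added example, not code from the thread or from Bastille: a small Python parser over a constructed verbose listing modelled on Nick's INPUT chain, which flags only rules that truly match every packet. The packet counters and the "lo" interface on the third rule are assumptions, not taken from the post.

```python
# Parse `iptables -L -v -n` output and flag ACCEPT/DROP rules that carry no
# restricting criteria at all. Plain `iptables -L` hides the in/out interface
# columns, so "ACCEPT all -- anywhere anywhere" may in fact be limited to
# one interface (the loopback, in this constructed sample).

# Constructed sample listing; counters and the "lo" interface are assumptions.
VERBOSE_OUTPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            127.0.0.0/8
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    7   420 PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
"""


def parse_rules(text):
    """Return one dict per rule line of an `iptables -L -v -n` chain listing."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule lines start with the packet counter; skip chain and column headers.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        _pkts, _bytes, target, proto, _opt, inif, outif, src, dst = parts[:9]
        rules.append({
            "target": target, "proto": proto, "in": inif, "out": outif,
            "src": src, "dst": dst, "extra": " ".join(parts[9:]),
        })
    return rules


def is_unconditional(rule):
    """True only if nothing about the rule narrows which packets it matches."""
    return (rule["proto"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["extra"] == "")


def audit(text):
    """Return (1-based position, target) for every rule that matches everything.

    Such a rule short-circuits every rule after it in the chain, which is the
    behaviour the question worried about for rule 3.
    """
    return [(idx, rule["target"])
            for idx, rule in enumerate(parse_rules(text), start=1)
            if is_unconditional(rule)]
```

With the interface column visible, rule 3 is restricted to lo and is not flagged; the same rule with in="*" would be.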

