Andrew Taylor wrote:
> > I was suddenly curious... I can see the need for a script like this, but
> > how (in)efficient is something like this? What is the overhead of checking
> > each packet against a potentially large number of rules before it is
> > accepted? Anyone made some measurements?
>
> Hmm, I've never really thought about it. I don't think that is too many
> rules to have. What do you think would be a sufficient amount? Can you see
> rules in my script which you think could be handled more efficiently?
Personally, I wouldn't have had the rules which follow the comment
# Open up *valid* ports to remote connection, DNS, HTTP, FTP
First, there doesn't seem much point trying to restrict outbound
connections. Second, you can't realistically classify which ports are
"valid". E.g. "http://foo.com:123/" is a perfectly valid HTTP URL, but
your rules will prevent access to it.
Also, the approach implemented by the rules following the comment:
# Deny any remote source from using unauthorised ports
is usually the wrong way to go about things. It's preferable to allow
connections to specific ports (if necessary), then block the rest,
e.g.
# allow inbound replies to outbound connections
ipchains -A input -p TCP ! -y -j ACCEPT
# allow inbound SMTP and finger connections
ipchains -A input -p TCP -d 0/0 smtp -j ACCEPT
ipchains -A input -p TCP -d 0/0 finger -j ACCEPT
# reject (not deny) inbound auth connections
ipchains -A input -p TCP -d 0/0 auth -j REJECT
# deny (and log) everything else
ipchains -A input -p TCP -j DENY -l
--
Glynn Clements <[EMAIL PROTECTED]>
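The ordering in the ruleset above matters because ipchains walks a chain top to bottom and the first matching rule wins. The following is an added example, not part of the original post and not Glynn's code: a small Python model of that first-match traversal, with the five input rules from the post (ports given numerically: smtp=25, finger=79, auth=113) and, for contrast, a constructed "deny the unauthorised ports" chain of the kind the post argues against. The Rule/Packet classes, the evaluate() and render() helpers, and the sample packets are all assumptions made for this illustration; the chain's default policy is assumed to be ACCEPT, which is the ipchains default when none is set.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an ipchains rule. dport=None means "any destination
# port"; syn=True models "-y" (SYN set, ACK and FIN clear), syn=False models
# "! -y", syn=None means the rule does not look at the SYN flag.
@dataclass(frozen=True)
class Rule:
    proto: str
    dport: Optional[int]
    syn: Optional[bool]
    target: str          # ACCEPT, REJECT or DENY
    log: bool = False    # "-l" in ipchains

# Constructed model of an incoming packet as seen by the input chain.
@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    syn: bool            # True only for a bare SYN (what "-y" matches)

SMTP, FINGER, AUTH = 25, 79, 113

# The allow-list ruleset from the post, in the same order.
INPUT_CHAIN: List[Rule] = [
    Rule("TCP", None, False, "ACCEPT"),        # replies to outbound connections
    Rule("TCP", SMTP, None, "ACCEPT"),         # inbound SMTP
    Rule("TCP", FINGER, None, "ACCEPT"),       # inbound finger
    Rule("TCP", AUTH, None, "REJECT"),         # reject (not deny) auth
    Rule("TCP", None, None, "DENY", log=True), # deny and log everything else
]

# Constructed example of the approach the post calls "the wrong way":
# deny a handful of "unauthorised" ports and let the chain policy accept
# the rest.
DENYLIST_CHAIN: List[Rule] = [
    Rule("TCP", 23, None, "DENY", log=True),   # telnet
    Rule("TCP", 111, None, "DENY", log=True),  # sunrpc
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every selector on the rule agrees with the packet."""
    if rule.proto.upper() != pkt.proto.upper():
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.syn is not None and rule.syn != pkt.syn:
        return False
    return True

def evaluate(chain: List[Rule], pkt: Packet,
             policy: str = "ACCEPT") -> Tuple[str, bool]:
    """First-match traversal: return (target, logged) for the first rule
    that matches, or the chain policy if none does."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target, rule.log
    return policy, False

def render(rule: Rule, chain: str = "input") -> str:
    """Render a Rule back into the ipchains command line it models."""
    parts = ["ipchains", "-A", chain, "-p", rule.proto]
    if rule.syn is True:
        parts.append("-y")
    elif rule.syn is False:
        parts += ["!", "-y"]
    if rule.dport is not None:
        parts += ["-d", "0/0", str(rule.dport)]
    parts += ["-j", rule.target]
    if rule.log:
        parts.append("-l")
    return " ".join(parts)

if __name__ == "__main__":
    for r in INPUT_CHAIN:
        print(render(r))
    # Reply segment from http://foo.com:123/ : not a bare SYN, so rule 1 accepts it.
    print(evaluate(INPUT_CHAIN, Packet("TCP", 123, syn=False)))
    # Inbound SYN to port 80: nothing allows it, so it falls to DENY -l.
    print(evaluate(INPUT_CHAIN, Packet("TCP", 80, syn=True)))
    # Same SYN to port 8080 against the deny-list chain: accepted by policy.
    print(evaluate(DENYLIST_CHAIN, Packet("TCP", 8080, syn=True)))
```

Two things the model makes visible. First, the "! -y" rule is what lets the allow-list coexist with unrestricted outbound traffic: the reply segments of a connection you opened to foo.com:123 are not bare SYNs, so they are accepted before any port rule is consulted, which is why restricting outbound by port buys nothing. Second, in the deny-list chain a SYN to any port that nobody thought to list sails through on the chain policy. One caveat for the real tool: ipchains is stateless, so "! -y" only inspects the TCP flags of each packet; a crafted non-SYN segment (an ACK or SYN+ACK, say) sent at an unopened port is also accepted by rule 1, and it is up to the host's TCP stack to discard it.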