On Thu May 04 2000 at 06:54, "Ahsan Ali" wrote:
> I've noticed something weird... on my linux box (which is a router amongst
> other things), if I block a port on the INPUT chain, it ends up being
> blocked on the forward chain too.
>
> For example, for the majority of users this box is supposed to be a simple
> gateway. So if I make the default input policy DENY I find that it stops
> forwarding packets completely.
Yes, of course. You have to SPECIFICALLY allow what you want to
pass through the input chain before the packet gets to the end of
the chain.
> Yes, I am blocking the input chain specifically, not the forward chain.
Well, if a packet is DENY'ed or REJECT'ed in the input chain, end
of story - the packet disappears (with or without an ICMP reply as
appropriate). It won't exist any longer to go through the forward
chain at all.
> -Ahsan
>
> > Go ahead and block.
> >
> > Port 111 is the Sun Remote Procedure Call and unless you are wanting to
> > offer such services to other Sun systems, then block it out.
> >
> > Use REJECT rather than DENY - it tells the Sun system to forget it.
> > You will get log entries if you use the -l option but they make
> > interesting reading.
> >
> > Unrelated but for security purposes, block 113 and 137.
> > Look at /etc/services. (grep 113 /etc/services)
> >
> > If you DON'T want people to telnet in, block 23 - but you probably
> > know that already.
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator, RHCE
GrowZone OnLine (a project of) GrowZone Development Network
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
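The behaviour Tony describes, that a packet stopped in the input chain never reaches the forward chain, can be seen in a small model of the ipchains (Linux 2.2) packet path. The following is an added illustration written for this page, not ipchains code or anything posted in the thread. Its addresses, the prefix-based address matching, the `LOCAL_ADDRS` set and the two rulesets are constructed for the example; the ipchains commands in the comments only sketch the rules being modelled.

```python
# Added toy model of the ipchains (Linux 2.2) packet path: input -> forward -> output.
# Not ipchains code; rules, addresses and the prefix-based matching are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    syn: bool = True          # True for a new TCP connection (ipchains "-y")

@dataclass
class Rule:
    target: str                        # ACCEPT, DENY (silent drop) or REJECT (drop + ICMP)
    proto: Optional[str] = None
    src_prefix: Optional[str] = None   # constructed: textual prefix, stands in for a -s CIDR
    dst_prefix: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None         # True ~ "-y", False ~ "! -y", None = don't care

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dst_prefix is None or p.dst.startswith(self.dst_prefix))
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:           # first matching rule wins, else the chain policy
            if r.matches(p):
                return r.target
        return self.policy

LOCAL_ADDRS = {"203.0.113.1", "192.168.1.1"}   # constructed: the router's own addresses

def traverse(chains: dict, p: Packet) -> Tuple[str, str]:
    """Return (verdict, chain that decided it).

    Every arriving packet goes through the input chain first. Only a packet the
    input chain ACCEPTs is then routed; if it is for another host it continues
    through the forward chain and then the output chain. A DENY/REJECT in input
    therefore ends the packet's life before the forward chain ever sees it."""
    v = chains["input"].verdict(p)
    if v != "ACCEPT":
        return v, "input"
    if p.dst in LOCAL_ADDRS:
        return "ACCEPT", "input"       # locally delivered, never forwarded
    for name in ("forward", "output"):
        v = chains[name].verdict(p)
        if v != "ACCEPT":
            return v, name
    return "ACCEPT", "output"

def naive_ruleset() -> dict:
    """ipchains -P input DENY and nothing else: the situation described in the post."""
    return {"input": Chain(policy="DENY"), "forward": Chain(), "output": Chain()}

def fixed_ruleset() -> dict:
    """Same default-DENY input policy, but the traffic the router should pass is
    accepted explicitly before the packet reaches the end of the chain. Roughly:
        ipchains -P input DENY
        ipchains -A input -p tcp -d 0/0 111 -j REJECT -l   # RPC portmapper, logged
        ipchains -A input -s 192.168.1.0/24 -j ACCEPT      # LAN hosts may enter
        ipchains -A input -p tcp ! -y -j ACCEPT            # replies to LAN connections
    (the command lines above are illustrative, not tested output)."""
    return {
        "input": Chain(policy="DENY", rules=[
            Rule("REJECT", proto="tcp", dport=111),
            Rule("ACCEPT", src_prefix="192.168.1."),
            Rule("ACCEPT", proto="tcp", syn=False),
        ]),
        "forward": Chain(),
        "output": Chain(),
    }

# Constructed sample traffic.
LAN_TO_WEB  = Packet("192.168.1.10", "198.51.100.7", "tcp", 80, syn=True)
WEB_REPLY   = Packet("198.51.100.7", "192.168.1.10", "tcp", 34567, syn=False)
INET_TO_RPC = Packet("198.51.100.7", "203.0.113.1", "tcp", 111, syn=True)
INET_TO_LAN = Packet("198.51.100.7", "192.168.1.10", "tcp", 22, syn=True)

if __name__ == "__main__":
    for label, chains in (("naive", naive_ruleset()), ("fixed", fixed_ruleset())):
        for p in (LAN_TO_WEB, WEB_REPLY, INET_TO_RPC, INET_TO_LAN):
            print(label, p.src, "->", p.dst, p.dport, traverse(chains, p))
```

Running it shows the two points made in the reply: with only `-P input DENY`, a LAN host's outbound packet is denied in the input chain and the forward chain never gets a say, and once the LAN and the return traffic are accepted explicitly, forwarding works while port 111 on the router is still rejected (with an ICMP reply, as opposed to the silent DENY) and unsolicited connections from outside to LAN hosts are still dropped in input.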