Hi Zoki,
> concerning the script actually being so watertight it blocks ALL traffic
> to and from the server. So badly that even after deleting all the rules
> the access to the server stays blocked and the only solution is to reboot
> it!!
Just flushing the rules is not enough to regain the original state. I think
you forgot to set the default policies back to ACCEPT, e.g.:
ipchains -P input ACCEPT
ipchains -P forward ACCEPT
ipchains -P output ACCEPT
> # loopback interface is valid.
> ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
I don't know if this makes a difference, but shouldn't one set the source
(and destination) address to 127.0.0.1/32?
In the IPCHAINS-HOWTO v1.0.7 (12 March 1999) it says something about
protecting the loopback device with a 2.0 kernel. In this case -s 127.0.0.0/8
is used, but I don't know why this source mask is used. I have never heard of
the use of other addresses than 127.0.0.1 in the 127.0.0.0/8 network. Or does
it give broadcast on the loopback device? Maybe you could tell me?
> What I would like to have is your first impression when you see it.
Well, I only had a quick look, but it seems all right to me. You start DENYing
(or REJECTing, as in the example) all traffic, and then you add rules to allow
the traffic you actually need. Personally I only see a need for output rules to
set packet priority (TOS), so I leave the output policy at ACCEPT. It seems
redundant to set accept/deny policies/rules on the output chain. Maybe someone
has ideas on this?
CU O,
Leonard.
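As an added example, not code from either post: a small shell script that undoes a firewall script completely, first setting the default policies back to ACCEPT as described above and only then flushing the rules, so a flushed chain is never left behind with a DENY or REJECT policy that still blocks everything. It assumes ipchains is in the PATH when run as root; otherwise it prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original posts): put ipchains back into the
# wide-open state it has before any firewall script has run.
# Order matters: restore the default policies to ACCEPT before flushing,
# because an empty chain with a DENY/REJECT policy still drops all traffic,
# which is exactly the "locked out until reboot" symptom.
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

reset_ipchains() {
    # Built-in chains: the policy is what applies once all rules are gone.
    for chain in input forward output; do
        $RUN ipchains -P "$chain" ACCEPT || return 1
    done
    # Remove every rule from every chain, built-in and user-defined...
    $RUN ipchains -F || return 1
    # ...and delete the now-empty user-defined chains.
    $RUN ipchains -X || return 1
}

# Execute for real only as root with ipchains installed; otherwise show the plan.
if [ "$(id -u)" -ne 0 ] || ! command -v ipchains >/dev/null 2>&1; then
    RUN=echo
fi
reset_ipchains
```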