Hello Todd,
 
The way I am reading your rules, your default policy is accept ?
 
Here are the rules that I use to open ports on a firewall with default policy drop
 
ipchains -A input -s 0/0 unprivports* -d myip* 8080 -p tcp -j ACCEPT
ipchains -A output -s myip* 8080 -d 0/0 unprivports -p tcp ! -y -j ACCEPT
 
myip* is the IP address of the interface, this is to drop any spoofed packets. Adding unprivports to the source means that the service is not hacked (I think), basically, no service will connect with a source port < 1024 when a user is using it (e.g. telnet mail.server.com 25 - will have a source port > 1024)
 
The ! is needed, I can't remember why....my memory failed a parity check :)
 
Hope this helps !
 
Cheers,
 
Pieter
----- Original Message -----
From: Todd Wade
Sent: Tuesday, April 16, 2002 07:43
Subject: firewall after up2date kernel upgrade

I have a virtual server listening on port 8080. (The devel server) I upgraded to kernel via up2date and now I can't contact the server from outside the machine. A couple months ago when I added a secure server all I did was put:
 
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
in /etc/sysconfig/ipchains and it worked. So I was hoping:
 
-A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT
 
Would open 8080 back up, but no success. I know the point of the upgrade was to close some ports up, but what do I need to do to get the ones I want open, open again?
 
The build is a vanilla RedHat 7.2 from ISOs. According to RHN my machine is completely up to date as far as errata and upgrades. Here is the contents of my ipchains file:
 
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 109 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
Thanks for any input,
 
trwww
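The two messages above reason about which rule a packet hits: ipchains evaluates a chain top to bottom and the first matching rule decides, with the chain's policy line (":input ACCEPT") applying only when nothing matches, and "-y" matching only TCP packets that carry SYN without ACK. The following simulator is an added example written for this thread, not code from either poster: it parses the rule syntax that appears in the messages (-A, -s/-d with an optional port or lo:hi range, -p, -i, -y and "! -y", -j, and the ":chain POLICY" lines) and reports the first matching rule for a constructed packet. Todd's file is embedded as written; Pieter's two rules are embedded with his placeholders replaced by assumptions of mine: "unprivports" becomes the range 1024:65535, "myip" becomes the documentation address 192.0.2.10, and his "default policy drop" is written with the ipchains DENY target. The client address 198.51.100.7 is likewise constructed.

```python
"""First-match simulator for the ipchains rule syntax used in the thread.

Added example, not the posters' code. It models only the options that occur
in the messages; anything else raises so a typo does not silently pass.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False          # TCP SYN-without-ACK, which is what -y matches
    iface: str = "eth0"


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None
    iface: Optional[str] = None
    syn: Optional[bool] = None   # True for -y, False for "! -y", None if unset


def _port_range(tok: str) -> Tuple[int, int]:
    lo, _, hi = tok.partition(":")      # "8080" or "0:1023"
    return int(lo), int(hi or lo)


def _addr_match(spec: Optional[str], ip: str) -> bool:
    if spec is None or spec in ("0/0", "0.0.0.0/0"):
        return True                      # 0/0 is ipchains shorthand for "any"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_rules(text: str):
    """Return ({chain: policy}, [Rule, ...]) from /etc/sysconfig/ipchains-style text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                 # ":input ACCEPT" policy line
            chain, policy = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] == "ipchains":                # allow the interactive form too
            toks = toks[1:]
        rule, i, negate = Rule(), 0, False
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate = True; i += 1; continue
            if t == "-A":   rule.chain = toks[i + 1]; i += 2
            elif t == "-j": rule.target = toks[i + 1]; i += 2
            elif t == "-p": rule.proto = toks[i + 1].lower(); i += 2
            elif t == "-i": rule.iface = toks[i + 1]; i += 2
            elif t == "-y": rule.syn = not negate; i += 1
            elif t in ("-s", "-d"):
                addr, i, port = toks[i + 1], i + 2, None
                if i < len(toks) and toks[i] not in ("!",) and not toks[i].startswith("-"):
                    port = _port_range(toks[i]); i += 1   # optional port after the address
                if t == "-s": rule.src, rule.sport = addr, port
                else:         rule.dst, rule.dport = addr, port
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
            negate = False
        rules.append(rule)
    return policies, rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:                  return False
    if rule.iface and rule.iface != pkt.iface:                  return False
    if not _addr_match(rule.src, pkt.src):                      return False
    if not _addr_match(rule.dst, pkt.dst):                      return False
    if rule.sport and not rule.sport[0] <= pkt.sport <= rule.sport[1]: return False
    if rule.dport and not rule.dport[0] <= pkt.dport <= rule.dport[1]: return False
    if rule.syn is not None and (pkt.proto != "tcp" or rule.syn != pkt.syn): return False
    return True


def evaluate(policies, rules, pkt: Packet, chain: str = "input"):
    """First matching rule wins: returns (target, rule_index); (policy, None) if none match."""
    for idx, rule in enumerate(rules):
        if rule.chain == chain and _matches(rule, pkt):
            return rule.target, idx
    return policies.get(chain, "ACCEPT"), None


# Todd's /etc/sysconfig/ipchains, verbatim from the thread.
TODD_RULES = """
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 109 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""

# Pieter's pair of rules with placeholders substituted (assumptions, see lead-in):
# unprivports -> 1024:65535, myip -> 192.0.2.10, default policy drop -> DENY.
PIETER_RULES = """
:input DENY
:forward DENY
:output DENY
ipchains -A input -s 0/0 1024:65535 -d 192.0.2.10 8080 -p tcp -j ACCEPT
ipchains -A output -s 192.0.2.10 8080 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
"""

if __name__ == "__main__":
    pol, rules = parse_rules(TODD_RULES)
    client, server = "198.51.100.7", "192.0.2.10"   # constructed addresses
    for pkt in (Packet("tcp", client, server, 40000, 8080, syn=True),
                Packet("tcp", client, server, 40000, 111, syn=True),
                Packet("tcp", client, server, 40000, 111, syn=False),
                Packet("tcp", client, server, 40000, 3306, syn=True)):
        print(pkt.proto, pkt.dport, "syn" if pkt.syn else "no-syn", "->", evaluate(pol, rules, pkt))
```

Running it shows two things the thread touches on. With Todd's file, a SYN to 8080 is accepted by his explicit rule, a SYN to 111 is rejected by the 0:1023 rule, and a SYN to 3306 is accepted by the ACCEPT policy because no rule mentions it, which is what Pieter means by "your default policy is accept". It also shows the limit of "-y": a non-SYN segment to port 111 matches none of the REJECT rules, which all carry -y, and falls through to the policy. With Pieter's ruleset and a DENY policy, a connection from an unprivileged source port is accepted while one from source port 25 is denied, and on the output chain only non-SYN replies pass, which is what his "! -y" achieves.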
